[wp-trac] [WordPress Trac] #38434: Un-escaped character in svg-painter.js results in JavaScript errors with some CDN services
WordPress Trac
noreply at wordpress.org
Fri Oct 21 16:49:03 UTC 2016
#38434: Un-escaped character in svg-painter.js results in JavaScript errors with
some CDN services
--------------------------+-----------------------------
Reporter:   georgemandis  |  Owner:
Type:       defect (bug)  |  Status:     new
Priority:   normal        |  Milestone:  Awaiting Review
Component:  General       |  Version:    4.6.1
Severity:   normal        |  Keywords:
Focuses:    javascript    |
--------------------------+-----------------------------
Line 16 of `wp-admin/js/svg-painter.js` has an unescaped `#` symbol that
can create errors with some popular CDNs that automatically minify
JavaScript on the server. This breaks the "Generate Password"
functionality in the admin area.

The line checks for SVG support in the browser:

`if(document.implementation.hasFeature('http://www.w3.org/TR/SVG11/feature#Image','1.1') ) {`

In my testing the error appeared on most pages, but the only functionality
that was affected was generating new passwords for existing users from
their profile pages in the admin area.

Specifically this bug appeared when using
[SiteLock's](http://sitelock.com) CDN and minification services. It is a
free/common add-on for those hosting with Bluehost. The JavaScript
minifier was interpreting the `#` as a comment and commenting out a large
chunk of the code after that point, creating the error.

Technically this should be considered a bug with whatever minifier
SiteLock is using, as not all minifiers seem to behave this way in my
testing. However:

- I don't know what they're using
- The Bluehost+SiteLock combination is popular enough that it seems like
this bug could be present for many but unnoticed if they never use the
password generator feature.
- The fix is very simple:

`if(document.implementation.hasFeature('http://www.w3.org/TR/SVG11/feature\#Image','1.1') ) {`

This fix results in correctly minified JavaScript and does not break any
functionality.

Planning on submitting a patch shortly. Curious if this is considered
something that should/could be fixed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38434>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
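
An added example, not part of the original ticket or of WordPress: a model of the failure described above and a string-aware check for the pattern that triggers it. `naiveStrip` is an assumed stand-in for a string-unaware minifier pass (the page does not identify the minifier SiteLock uses), and every function name here is hypothetical.

```javascript
// Constructed inputs: the line quoted in the ticket, before and after the fix.
const ORIGINAL = "if(document.implementation.hasFeature('http://www.w3.org/TR/SVG11/feature#Image','1.1') ) {";
const ESCAPED = ORIGINAL.replace('#', '\\#');

// Assumed model of a string-unaware pass: an unescaped '#' starts a comment
// that runs to the end of the line. The real minifier is unknown.
function naiveStrip(src) {
  return src.split('\n').map((l) => l.replace(/(^|[^\\])#.*$/, '$1')).join('\n');
}

// String-aware scan: report each unescaped '#' inside a string literal.
// Regex literals and template ${} expressions are not handled.
function findUnescapedHashInStrings(src) {
  const hits = [];
  let quote = null;
  let line = 1;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '\n') line++;
    if (quote) {
      if (c === '\\') {
        if (src[i + 1] === '\n') line++;
        i++; // skip the escaped character, so '\#' is not reported
      } else if (c === quote) {
        quote = null;
      } else if (c === '#') {
        hits.push({ line, index: i });
      }
    } else if (c === "'" || c === '"' || c === '`') {
      quote = c;
    } else if (c === '/' && src[i + 1] === '/') {
      while (i + 1 < src.length && src[i + 1] !== '\n') i++; // line comment
    } else if (c === '/' && src[i + 1] === '*') {
      const end = src.indexOf('*/', i + 2);
      const stop = end < 0 ? src.length : end + 2;
      line += src.slice(i, stop).split('\n').length - 1;
      i = stop - 1; // block comment
    }
  }
  return hits;
}

// In JavaScript '\#' is an identity escape, so the fix leaves the string unchanged.
const SAME_VALUE = 'feature\#Image' === 'feature#Image';

console.log(naiveStrip(ORIGINAL));
console.log(naiveStrip(ESCAPED) === ESCAPED, SAME_VALUE);
console.log(findUnescapedHashInStrings(ORIGINAL), findUnescapedHashInStrings(ESCAPED));
```

Running the scan over admin scripts before they are placed behind a rewriting CDN lists the literals worth escaping; comparing a hash of the served file with the origin copy shows whether the CDN altered it at all.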