Make WordPress Core

Opened 7 years ago

Closed 5 years ago

#38434 closed defect (bug) (worksforme)

Un-escaped character in svg-painter.js results in JavaScript errors with some CDN services

Reported by: georgemandis's profile georgemandis Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.6.1
Component: Administration Keywords:
Focuses: javascript, administration Cc:


Line 16 of wp-admin/js/svg-painter.js has an unescaped # symbol that can create errors with some popular CDNs that automatically minify JavaScript on the server. This breaks the "Generate Password" functionality in the admin area.

The line checks for SVG support in the browser:

if(document.implementation.hasFeature('','1.1') ) {

In my testing the error appeared on most pages, but the only functionality that was affected was generating new passwords for existing users from their profile pages in the admin area.

Specifically this bug appeared when using [SiteLock's]( CDN and minification services. It is a free/common add-on for those hosting with Bluehost. The JavaScript minifier was interpreting the # as a comment and commenting out a large chunk of the code after that point, creating the error.

Technically this should be considered a bug with whatever minifier SiteLock is using, as not all minifiers seem to behave this way in my testing. However:

  • I don't know what they're using
  • The Bluehost+SiteLock combination is popular enough that it seems like this bug could be present for many but unnoticed if they never use the password generator feature.
  • The fix is very simple:

if(document.implementation.hasFeature('\#Image','1.1') ) {

This fix results in correctly minified JavaScript and does not break any functionality.

Planning on submitting a patch shortly. Curious if this is considered something that should/could be fixed.

Attachments (1)

38434.patch (639 bytes) - added by georgemandis 7 years ago.
Patch for escaping character in svg-painter.js

Download all attachments as: .zip

Change History (5)

7 years ago

Patch for escaping character in svg-painter.js

#1 @lukecavanagh
7 years ago


Was this causing an issue with the CDN side minification of CloudFlare?

#2 @georgemandis
7 years ago


Not Cloudflare but the CDN side of Incapsula, which I guess is what SiteLock uses. Haven't tested on Cloudflare.

Last edited 7 years ago by georgemandis (previous) (diff)

#3 @desrosj
5 years ago

  • Focuses administration added
  • Milestone Awaiting Review deleted

Hey @georgemandis,

Thanks for opening this!

I have done a bunch of testing on my Bluehost test sites using the Incapsula CDN through Sitelock, and I have been unable to reproduce this. I also spoke with a member of the Sitelock team and they confirmed. If I had to guess, this was patched upstream pretty quickly by Incapsula.

As to why only the password functionality was broken, my speculation is that all JavaScript prior to svg-painter.js loaded correctly, and everything after was affected by the error. zxcvbn.js and zxcvbn-async.js are two files that control the password fields.

If you are still experiencing this issue, please open a support request with Bluehost or Sitelock. While the character causing the issue is in Core, this is more of a request to direct at the service that is incorrectly processing the files.

#4 @SergeyBiryukov
5 years ago

  • Component changed from General to Administration
  • Resolution set to worksforme
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.