Opened 8 years ago
Closed 6 years ago
#38434 closed defect (bug) (worksforme)
Un-escaped character in svg-painter.js results in JavaScript errors with some CDN services
Reported by: | georgemandis | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.6.1 |
Component: | Administration | Keywords: | |
Focuses: | javascript, administration | Cc: | |
Description
Line 16 of `wp-admin/js/svg-painter.js` has an unescaped `#` symbol that can create errors with some popular CDNs that automatically minify JavaScript on the server. This breaks the "Generate Password" functionality in the admin area.
The line checks for SVG support in the browser:
if(document.implementation.hasFeature('http://www.w3.org/TR/SVG11/feature#Image','1.1') ) {
In my testing the error appeared on most pages, but the only functionality that was affected was generating new passwords for existing users from their profile pages in the admin area.
Specifically this bug appeared when using [SiteLock's](http://sitelock.com) CDN and minification services. It is a free/common add-on for those hosting with Bluehost. The JavaScript minifier was interpreting the `#` as a comment and commenting out a large chunk of the code after that point, creating the error.
Technically this should be considered a bug with whatever minifier SiteLock is using, as not all minifiers seem to behave this way in my testing. However:
- I don't know what they're using
- The Bluehost+SiteLock combination is popular enough that it seems like this bug could be present for many but unnoticed if they never use the password generator feature.
- The fix is very simple:
if(document.implementation.hasFeature('http://www.w3.org/TR/SVG11/feature\#Image','1.1') ) {
This fix results in correctly minified JavaScript and does not break any functionality.
Planning on submitting a patch shortly. Curious if this is considered something that should/could be fixed.
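A model of the failure described in this ticket, added here as an example and not taken from WordPress, SiteLock or Incapsula. `naiveStrip` is a hypothetical comment stripper that ignores string context; `stringAwareStrip`, `parses` and the sample body are likewise constructed for illustration.

```javascript
// Constructed sample: the svg-painter.js check from the ticket, plus a made-up body.
const SAMPLE = [
  "if (document.implementation.hasFeature('http://www.w3.org/TR/SVG11/feature#Image','1.1')) {",
  "  paint(); // constructed call",
  "}",
].join("\n");
// The same source with the escape proposed in the ticket.
const ESCAPED = SAMPLE.replace("feature#", "feature\\#");

// Hypothetical faulty stripper (an assumption, not any vendor's code): every '#'
// not preceded by a backslash starts a comment, even inside a string literal.
function naiveStrip(src) {
  return src.split("\n").map((line) => line.replace(/(^|[^\\])#.*$/, "$1")).join("\n");
}

// String-aware stripper: removes '//' comments only outside quoted strings.
// Simplified: regex literals, template literals and block comments are not handled.
function stringAwareStrip(src) {
  let out = "";
  let quote = null;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      out += c;
      if (c === "\\") out += src[++i] || ""; // copy the escaped character verbatim
      else if (c === quote) quote = null;
    } else if (c === "'" || c === '"') {
      quote = c;
      out += c;
    } else if (c === "/" && src[i + 1] === "/") {
      while (i < src.length && src[i] !== "\n") i++; // skip to end of line
      if (i < src.length) out += "\n";
    } else {
      out += c;
    }
  }
  return out;
}

// Post-transform check: does the output still parse? new Function() compiles
// the text without running it.
function parses(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

console.log(parses(naiveStrip(SAMPLE)), parses(naiveStrip(ESCAPED)), parses(stringAwareStrip(SAMPLE)));
```

Running a parse check like `parses` against assets as the CDN serves them, not only as they were built, surfaces this class of breakage before users hit it.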
Attachments (1)
Change History (5)
#1
@
8 years ago
@georgemandis
Was this causing an issue with the CDN side minification of CloudFlare?
#2
@
8 years ago
@lukecavanagh
Not Cloudflare but the CDN side of Incapsula, which I guess is what SiteLock uses. Haven't tested on Cloudflare.
#3
@
6 years ago
- Focuses administration added
- Milestone Awaiting Review deleted
Hey @georgemandis,
Thanks for opening this!
I have done a bunch of testing on my Bluehost test sites using the Incapsula CDN through Sitelock, and I have been unable to reproduce this. I also spoke with a member of the Sitelock team and they confirmed. If I had to guess, this was patched upstream pretty quickly by Incapsula.
As to why only the password functionality was broken, my speculation is that all JavaScript prior to `svg-painter.js` loaded correctly, and everything after was affected by the error. `zxcvbn.js` and `zxcvbn-async.js` are two files that control the password fields.
If you are still experiencing this issue, please open a support request with Bluehost or Sitelock. While the character causing the issue is in Core, this is more of a request to direct at the service that is incorrectly processing the files.
Patch for escaping character in svg-painter.js