If you use the advagg_mod-setting "Put a wrapper around inline JS if it was added in the content section incorrectly", then this also affects script-tags that are not scripts, for instance underscore-templates such as
```
<script type="text/underscore-template" id="wereldatlas-template-country-comparison">
<div class="popup-close">X</div>
<h2><%= country %></h2>
<div id="comparison-label"><%= label %></div>
<svg id="comparison-svg"></svg>
</script>
```
This results in advagg_mod JS-code being used as the template-code (and usually becoming visible).
As seen, the underscore-template uses a script-tag with a non-standard type-attribute, to prevent evaluation by browsers. The advagg_mod inline-wrapper code should skip such scripts. Possibly this filtering should happen elsewhere in the advagg-code as well.
Comment | File | Size | Author |
---|---|---|---|
#6 | advagg-2500203-only-wrap-type-js-scripts.patch | 1.58 KB | mikeytown2 |
#2 | advagg-2500203-1-ignore-script-template.patch | 1.59 KB | mikeytown2 |
Comments
Comment #2
mikeytown2 commented:
Fixed it if using xpath. Patches are welcome for the regex
```
'/<script((?:(?!src=).)*?)>(.*?)<\/script>/smix'
```
Comment #3
Marco Vervoort commented:
Wouldn't it be better to white-list the type-attribute-values containing 'javascript' (such as the official values 'text/javascript' and 'application/javascript') instead of blacklisting type-attribute-values containing 'template'?
Scripts without a type-attribute also need to be accepted. Unfortunately, I don't know xpath syntax, so don't know how to do 'OR'.
I think the corresponding regex would be something like
```
/<script(?![^<>]*src=)(?:(?![^<>]*type=)|(?=[^<>]*type="?[^<>"]*javascript))(.*?)>(.*?)<\/script>/smix
```
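Added example (not part of the original thread or of the advagg code): the regexes quoted in comments #2 and #3, run over a constructed page to show which inline scripts each one would hand to the wrapper. It uses Python's `re` with the same s/m/i/x flags in place of PHP's preg functions; `inline_bodies` and `SAMPLE` are names made up for this illustration.

```python
import re

FLAGS = re.S | re.M | re.I | re.X  # same s/m/i/x modifiers as the PHP patterns

# Regex quoted in comment #2: any inline <script> that has no src=.
ORIGINAL = re.compile(r'<script((?:(?!src=).)*?)>(.*?)</script>', FLAGS)

# Whitelist regex proposed in comment #3:
# no type= at all, or a type value containing "javascript".
WHITELIST = re.compile(
    r'<script(?![^<>]*src=)'
    r'(?:(?![^<>]*type=)|(?=[^<>]*type="?[^<>"]*javascript))'
    r'(.*?)>(.*?)</script>',
    FLAGS,
)

# Constructed sample page (not taken from a real site).
SAMPLE = """
<script>var a = 1;</script>
<SCRIPT TYPE="Text/JavaScript">var b = 2;</SCRIPT>
<script type='application/javascript'>var c = 3;</script>
<script type="text/underscore-template" id="tpl"><h2><%= country %></h2></script>
<script src="/misc/x.js"></script>
<script type="application/ld+json">{"a": 1}</script>
<script data-type="x">var d = 4;</script>
"""


def inline_bodies(pattern, html):
    """Return the bodies of the script tags that `pattern` would select for wrapping."""
    return [m.group(2) for m in pattern.finditer(html)]


if __name__ == "__main__":
    # The original pattern also selects the template and the JSON block.
    print("original :", inline_bodies(ORIGINAL, SAMPLE))
    # The whitelist selects only untyped or javascript-typed inline scripts.
    print("whitelist:", inline_bodies(WHITELIST, SAMPLE))
```

The last sample line shows a side effect of the whitelist pattern: an attribute such as `data-type=` also contains `type=`, so that script is left unwrapped rather than wrapped.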
Comment #4
mikeytown2 commented:
A whitelist would be better. Wasn't sure exactly how to create one using xpath. I'll give the regex a spin; thanks for working on it :)
Comment #6
mikeytown2 commented