Possible problems of loading noscript contents as text when lazy loading images
Closed, ResolvedPublic
Actions

Description

In https://gerrit.wikimedia.org/r/#/c/268185/16/resources/mobile.startup/Skin.js @Krinkle mentioned:

Related to $image = $( $noscript.text() ),

This is wrong. The html is not html-escaped from the server (and shouldn't since otherwise it won't work as html for noscript clients). Which means this should be read as html, not text. Otherwise this allows freeform text to become arbitrary html. Aside from a security issue, it will also break some urls containing special characters by wrongly unescaping them.

@Jhernandez response:

Are you suggesting that using $().text will bring problems?
Using .html() to read the contents of the <noscript/> tag returns the html string escaped: "<img alt="Alicante en medi..." which won't build the DOM nodes in $.parseHTML, just give back a text node (which I would have to get the textContent of too.
It would look something like this:
$image = $( $.parseHTML( $.parseHTML( $noscript.html() )[0].textContent ) ),
Which looks like a nightmare and would have to be bounds checked.

What are the problems of getting the noscript contents with .text()? Should we use .html()?

Details

	Subject	Repo	Branch	Lines +/-
	Use the src attribute Luke	mediawiki/extensions/MobileFrontend	master	+15 -5

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open	Release	None	T84936 Release VisualEditor-MediaWiki as "1.0"
Open		None	T50429 [Epic] Support editing parts of a page in VisualEditor-MediaWiki
Open		None	T54365 Explore performance gains from progressive (JIT?) de-alienation in VisualEditor
Open		None	T174303 Copy-pasting linked ISBN numbers from view mode HTML into VisualEditor inserts wikitext links to Special:BookSources (it should turn them into magic links?)
Open	Feature	None	T54091 The read HTML should have hinting to allow full DOM copying (as opposed to just rich copying) from read mode into VE surfaces
Open		None	T55784 [EPIC] Use Parsoid HTML for all page views
Resolved		dr0ptp4kt	T114542 Next Generation Content Loading and Routing, in Practice
Duplicate		• Jhernandez	T104432 [EPIC]: Improve mobile site performance
Duplicate		dr0ptp4kt	T120341 [GOAL] Make Wikipedia more accessible to all connections with new fast API-driven web experience in mobile web beta
Declined		None	T125920 [EPIC] Future exciting reading web performance endeavours
Resolved		Jdlrobson	T113066 [GOAL] Make Wikipedia more accessible to 2G connections
Resolved		Jdlrobson	T124390 [GOAL] Load images with care
Declined		BBlack	T127883 Enable lazy loaded images for 50% of users in production
Resolved		Jdlrobson	T126590 Deploy lazy images to Mobile web beta
Resolved		phuedx	T126592 Remove magic number timeout if possible when lazy loading images
Resolved		Jdlrobson	T126593 Possible problems of loading noscript contents as text when lazy loading images
Resolved		Jdlrobson	T126791 Certain images do not load when wgLazyLoadedImages is true
Resolved		• Jhernandez	T126591 Refreshing page with lazy loading images enabled causes images to not load on load.
Resolved		• Jhernandez	T127128 Images above the fold should not be lazily loaded
Declined		BBlack	T135762 A/B Testing solid framework
Resolved		• Nuria	T143694 Preliminary Design document for A/B testing

Event Timeline

• Jhernandez created this task.Feb 11 2016, 10:33 AM

• Jhernandez raised the priority of this task from to Needs Triage.

• Jhernandez updated the task description. (Show Details)

• Jhernandez added a project: MobileFrontend.

• Jhernandez added subscribers: Aklapper, StudiesWorld, • Jhernandez, Krinkle.

Jdlrobson triaged this task as Medium priority.Feb 11 2016, 4:56 PM

Jdlrobson subscribed.

Jdlrobson moved this task from Backlog to Team:Growth on the MobileFrontend board.Feb 18 2016, 6:25 PM

I don't see why one would need to read the <noscript> element at all. Any relevant information should already be readily available in the DOM to read normally from the surrounding or wrapping element.

Compare to existing lazy-load implementations, both open-source and proprietary. I've never seen it done this way and don't see why we would.

Krinkle added a parent task: T124390: [GOAL] Load images with care.Feb 23 2016, 4:00 PM

Jdlrobson added a project: Reading-Web-Sprint-67-If, Then, Else...?.Feb 23 2016, 10:03 PM

Jdlrobson renamed this task from Spike: Possible problems of loading noscript contents as text when lazy loading images to Possible problems of loading noscript contents as text when lazy loading images.Feb 29 2016, 5:27 PM

Jdlrobson moved this task from Needs Analysis to To Do on the Reading-Web-Sprint-67-If, Then, Else...? board.

Jdlrobson claimed this task.Mar 7 2016, 8:55 PM

Jdlrobson moved this task from To Do to Doing on the Reading-Web-Sprint-67-If, Then, Else...? board.

Jdlrobson moved this task from Doing to Code Review on the Reading-Web-Sprint-67-If, Then, Else...? board.Mar 7 2016, 9:35 PM

Change 275670 had a related patch set uploaded (by Jdlrobson):
Use the src attribute Luke

https://gerrit.wikimedia.org/r/275670

gerritbot added a project: Patch-For-Review.Mar 7 2016, 9:35 PM

• bmansurov moved this task from Code Review to Ready for Signoff on the Reading-Web-Sprint-67-If, Then, Else...? board.Mar 10 2016, 5:49 PM

Change 275670 merged by jenkins-bot:
Use the src attribute Luke

https://gerrit.wikimedia.org/r/275670

Jdlrobson closed this task as Resolved.Mar 10 2016, 6:40 PM

dr0ptp4kt moved this task from Ready for Signoff to Done on the Reading-Web-Sprint-67-If, Then, Else...? board.Mar 10 2016, 11:20 PM