Last modified: 2013-04-03 23:08:33 UTC
Created attachment 12033 [details] Screenshot of problems. * Urls in the page are hardcoded http which means in modern browsers those requests are blocked when the page itself is accessed over HTTPS. > Use protocol relative urls. * There are scripts on the page embedded via <script> with no if(window.mw) guard. > Use a guard. > Better yet, put them in a module and load them that way instead of embedding it (better caching, easier to update) * There are references to global functions in eval() evaluated event handlers in html attributes: <input type="submit" value="Unsubscribe" onclick="$('#execute').attr('value',1);"> > Bind an event handler from a script instead of from html. Assuming this has been in place for years, this should never have passed review.
(In reply to comment #0) > * Urls in the page are hardcoded http which means in modern browsers those > requests are blocked when the page itself is accessed over HTTPS. > > Use protocol relative urls. This was actually due to wgServer having the full protocol in it. So server configuration error. > * There are scripts on the page embedded via <script> with no if(window.mw) > guard. The only scripts on the page that I added via the extension do not have have mediaWiki dependencies. If there are such scripts they are present in Vector and you should file bugs there; but on quick inspection I didn't find any. > * There are references to global functions in eval() evaluated event handlers > in html attributes: I could bind it in JS; but what's the point? All of this is encapsulated in one template file. > Assuming this has been in place for years, this should never have passed > review. That's a bit harsh. Not everyone has your experience with JS, and the one major flaw you found was a configuration issue unrelated to the code. I'll mark this as resolved as I fixed the configuration issue. But lets continue this discussion; either in new bugs, on list, or here.
