How Emoji Saved Your Site’s Hide

Source: Anatomy of a Critical Software Bug – YouTube

Andy Nacin gave this talk today at LoopConf in Vegas. In one sense, it is in the same vein as my Emoji, WordPress, and You post.

There were plenty of vocal critics about adding emoji support natively to Core and some still are, with the twemoji JS loader being enqueued on the front end of all sites starting with 4.2 unless a plugin is added.

Emoji was just a front for adding support for four-byte characters—emoji, Han (Chinese/Japanese/Korean) characters, and so on. Plenty of people would only see this as an improvement for emoji, but for a large amount of the world, it would lower the language barrier—literally the ability to better handle their native language—to using WordPress.

Nacin drops the other piece of this. Emoji was a front for four-byte characters which, for all of the good that it does in and of itself, was a front for an incredible fix for an incredible security bug.

Even if you don’t understand every word, Nacin does a good job explaining the problem in the video and worth the 35-minute watch time.

tl;dr: This bug was 💩. It would set the 🌍 on 🔥. All better now.

Major props to the Core Security Team who fought with this for years in an effort to squash the bug dead. 🐛



, ,




Leave a Reply