How Emoji Saved Your Site’s Hide

Source: Anatomy of a Critical Software Bug – YouTube

Andy Nacin gave this talk today at LoopConf in Vegas. In one sense, it is in the same vein as my Emoji, WordPress, and You post.

There were plenty of vocal critics about adding emoji support natively to Core and some still are, with the twemoji JS loader being enqueued on the front end of all sites starting with 4.2 unless a plugin is added.

Emoji was just a front for adding support for four-byte characters—emoji, Han (Chinese/Japanese/Korean) characters, and so on. Plenty of people would only see this as an improvement for emoji, but for a large amount of the world, it would lower the language barrier—literally the ability to better handle their native language—to using WordPress.

Nacin drops the other piece of this. Emoji was a front for four-byte characters which, for all of the good that it does in and of itself, was a front for an incredible fix for an incredible security bug.

Even if you don’t understand every word, Nacin does a good job explaining the problem in the video and worth the 35-minute watch time.

tl;dr: This bug was 💩. It would set the 🌍 on 🔥. All better now.

Major props to the Core Security Team who fought with this for years in an effort to squash the bug dead. 🐛

The Oddest Bug

I learned on Twitter last night that one bug in 3.9 is the inability to drag text into the WordPress Editor. That’s right, apparently, you could (at least on a Mac) drag text from another program right into a WP post.

Go ahead. Fire up a 3.8 instance and try it.

3.9 allows direct file drag and dropping into the editor (skipping the “Add Media” step), which breaks the ability to drag text into the editor.

I’ve never known this was possible before, so I don’t have a dog in getting it fixed, but the oddity of it is keeping me interested.

Follow along with me on Trac