apache - Commented-out JavaScript causing server 406 error

Question

Here's a strange one: I have this line of JavaScript in an HTML file:

    ctx.fillText(String.fromCharCode(172) + label, point_nc.x - 11, point_c.y - h - 10);

It causes a 406 (Not Acceptable) error from the server. If I change it to:

    ctx.fillText('-' + label, point_nc.x - 11, point_c.y - h - 10);

the code works, although, of course, the character displayed is not the same.

Here's the strange part: The 406 error occurs even when the line is commented out. It's almost as though either on the server (Apache) or in the browser, there is JavaScript processing of some sort even for commented-out lines.

The 406 error occurs even if JavaScript is disabled in the browser (Firefox).

Ideas? I can understand why an unacceptable character might cause a 406, but not from code that isn't executed.

ADDITIONAL THOUGHT: There is something on the server side (it's not my server) that's attempting to scan for code with security issues, and it's not doing a complete parse, which is why it blows through comments. Has anyone every heard of something like this? And, if this is the case, why should a particular character present a security problem?

Answer 1

OK, so now I have the answer. There is a security scanner on the shared server that uses regular expressions to scan for hacking attempts. In this case, I think it was a WordPress hack that used JavaScript injection. My code is an innocent victim of some very-rough scanning. The hosting company has confirmed this.

Of course, even more secure would be to not deliver any content at all, and just send off 406 messages for everything. But sarcasm doesn't actually help here, so I have changed my code.