It doesn't matter where they live on the server. They're useless unless they get sent to the browser, where they are useless unless they execute. That means one PHP security hole, in any PHP script anywhere on the server, and a ne'er-do-well can write to a Javascript file that will get sent to every visitor's browser, where it will open a new hidden browser window to youreh4x3d.com, which will download a malicious program to that visitor's computer that begins vocally espousing the wonders of Viagra to a few million email addresses.

My original proposal was that the admin would manually upload jquery.fancyplugin.js to sites/default/modules/jquery/plugins/, and it would then either:

1) Show up in an admin page at admin/build/plugins where they can be toggled on or off.
2) Be activated if any module that implements hook_jquery() returns array('fancyplugin');

Anything fancier than that (inter-plugin dependency, version control, etc.) would require some support from the jquery folks, which we'd need to talk to them about.

--Larry Garfield

On Thu, 13 Sep 2007 16:41:18 +0100, "Steven Jones" <darthsteven@gmail.com> wrote:
But the javascript files were going in the /files directory, no?
On 13/09/2007, Jeff Eaton <jeff@viapositiva.net> wrote:
It would be writing files that would, under many circumstances, be included in the browser's output to future visitors.
--Jeff
On Sep 13, 2007, at 9:21 AM, Steven Jones wrote:
How would this module be different from uploading a .js file to the /files directory using upload module?
On 13/09/2007, Jeff Eaton <jeff@viapositiva.net> wrote:
Please step back from your computer and wait while Rasmus roots your machine. Thank you!
;)
--Jeff
On Sep 13, 2007, at 8:45 AM, Fernando Silva wrote:
It's not executable code. It's jQuery javascript files.
On 9/13/07, Peter Wolanin <pwolanin@gmail.com> wrote:
Um, perhaps you all have not seen previous threads about the hazards of allowing executable code in a writeable directory?
-- Regards Steven Jones
-- Regards Steven Jones
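
The risk debated in this thread is that a JavaScript file the web server account can write becomes a way to reach every visitor. As an added example (not part of the original messages or of Drupal), this shell function lists `.js` files under a web root that a given account could modify or replace according to mode bits; the account name and web root are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example. The account name and web root passed in are assumptions.

# writable_by USER PATH [find tests...]
# Print entries under PATH that USER may write according to mode bits:
# owner-write on entries USER owns, group-write for any of USER's groups,
# or world-write. ACLs and mount options are not considered.
writable_by() {
    u=$1 p=$2
    shift 2
    find "$p" "$@" \( \( -user "$u" -perm -200 \) -o -perm -002 \) -print
    # If the account's groups cannot be resolved, the group check is skipped.
    for g in $(id -G "$u" 2>/dev/null); do
        find "$p" "$@" -group "$g" -perm -020 -print
    done
}

# js_writable_by USER ROOT
# List *.js files under ROOT that USER could overwrite, plus directories
# holding *.js files that USER could write to (which allows replacing a
# read-only file by unlinking or renaming it).
js_writable_by() {
    user=$1 root=$2
    {
        writable_by "$user" "$root" -type f -name '*.js'
        find "$root" -type f -name '*.js' -exec dirname {} \; | sort -u |
        while IFS= read -r d; do
            writable_by "$user" "$d" -maxdepth 0 -type d
        done
    } | sort -u
}

# Usage: sh audit.sh www-data /var/www/html
if [ "$#" -eq 2 ]; then
    js_writable_by "$1" "$2"
fi
```

An empty result means no served `.js` file can be changed by that account through ordinary file permissions.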