Bingo. Larry's summary explains it. Automatic downloading of jQuery plugins is only useful if those files are automatically included in the output to clients. Which means that your web site has just become a one-stop reflector for JS-based exploits.

--Jeff

On Sep 13, 2007, at 11:24 AM, Larry Garfield wrote:
It doesn't matter where they live on the server. They're useless unless they get sent to the browser, where they are useless unless they execute. That means one PHP security hole, in any PHP script anywhere on the server, and a ne'er-do-well can write to a JavaScript file that will get sent to every visitor's browser, where it will open a new hidden browser window to youreh4x3d.com, which will download a malicious program to that visitor's computer that begins vocally espousing the wonders of Viagra to a few million email addresses.
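The risk both posts describe is that any JS file under the web root is effectively code executed by every visitor, so a write to it through an unrelated hole becomes site-wide script injection. One defensive control for that is to pin every third-party script to a hash taken when it was reviewed and refuse to ship anything that no longer matches. The following is an added example written for this thread; it is not code from Drupal, jQuery or either poster, and the file names, the `plugins/` layout and the sample contents are constructed for the demonstration.

```python
"""Deploy-time integrity check for third-party JavaScript assets.

Added example (not Drupal's or jQuery's code). Every .js file the site will
serve is pinned to a SHA-256 digest taken when it was vetted; before each
deploy the files on disk are compared against that manifest, so a file
rewritten through some unrelated server-side hole is refused rather than
served to every visitor. The same digest doubles as a Subresource Integrity
value, which lets the browser itself refuse a script whose bytes changed.
"""
import base64
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> bytes:
    """Raw SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def sri_for_bytes(data: bytes) -> str:
    """SRI string ("sha256-<base64>") for an in-memory script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sri_value(path: Path) -> str:
    """SRI string for a <script integrity="..."> attribute on a file."""
    return "sha256-" + base64.b64encode(sha256_of(path)).decode("ascii")


def build_manifest(root: Path) -> dict:
    """Record relative name -> hex digest for every .js file under root.

    Run this once against a copy you have actually reviewed and keep the
    result outside the web root (for example in version control).
    """
    return {p.relative_to(root).as_posix(): sha256_of(p).hex()
            for p in sorted(root.rglob("*.js"))}


def verify_assets(root: Path, manifest: dict) -> dict:
    """Compare the .js files under root with the pinned manifest.

    Returns lists under "ok", "tampered", "missing" and "unlisted". Anything
    outside "ok" should block the deploy (or be excluded from page output)
    and be investigated.
    """
    result = {"ok": [], "tampered": [], "missing": [], "unlisted": []}
    seen = set()
    for p in sorted(root.rglob("*.js")):
        name = p.relative_to(root).as_posix()
        seen.add(name)
        if name not in manifest:
            result["unlisted"].append(name)   # file nobody vetted
        elif sha256_of(p).hex() != manifest[name]:
            result["tampered"].append(name)   # bytes changed since vetting
        else:
            result["ok"].append(name)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def demo() -> dict:
    """Constructed scenario: vet two plugins, then one is overwritten."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plugins").mkdir()
        good = root / "plugins" / "jquery.example.js"   # constructed name
        other = root / "plugins" / "jquery.other.js"    # constructed name
        good.write_text("/* constructed sample */ jQuery.fn.example = function(){};\n")
        other.write_text("/* constructed sample */ jQuery.fn.other = function(){};\n")
        manifest = build_manifest(root)                 # taken at vetting time
        integrity = sri_value(good)                     # what the HTML would pin
        # Simulate the write the thread describes: some other script on the
        # host appends to a vetted file, a new file appears, a vetted one goes.
        with good.open("a") as f:
            f.write("/* unexpected addition */\n")
        (root / "plugins" / "dropped.js").write_text("/* not in manifest */\n")
        other.unlink()
        report = verify_assets(root, manifest)
        report["sri_before"] = integrity
        report["sri_after"] = sri_value(good)           # differs: browser would refuse
        return report


if __name__ == "__main__":
    print(demo())
```

Wire `verify_assets` into the deploy step and fail the deploy on any non-empty "tampered", "missing" or "unlisted" list; the `integrity` attribute is only as strong as the HTML that carries it, so it helps against a rewritten script file, not against a hole that can also rewrite the page template.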