[development] jQuery 1.2 is released

Larry Garfield larry at garfieldtech.com
Thu Sep 13 16:24:16 UTC 2007


It doesn't matter where they live on the server.  They're useless unless they get sent to the browser, where they are useless unless they execute.  That means one PHP security hole, in any PHP script anywhere on the server, and a ne'er-do-well can write to a JavaScript file that will get sent to every visitor's browser, where it will open a new hidden browser window to youreh4x3d.com, which will download a malicious program to that visitor's computer that begins vocally espousing the wonders of Viagra to a few million email addresses.

My original proposal was that the admin would manually upload jquery.fancyplugin.js to sites/default/modules/jquery/plugins/, and it would then either:

1) Show up in an admin page at admin/build/plugins where they can be toggled on or off.

2) Be activated if any module that implements hook_jquery() returns array('fancyplugin');

Anything fancier than that (inter-plugin dependency, version control, etc.) would require some support from the jquery folks, which we'd need to talk to them about.

--Larry Garfield

On Thu, 13 Sep 2007 16:41:18 +0100, "Steven Jones" <darthsteven at gmail.com> wrote:
> But the javascript files were going in the /files directory, no?
> 
> On 13/09/2007, Jeff Eaton <jeff at viapositiva.net> wrote:
>> It would be writing files that would, under many circumstances, be
>> included in the browser's output to future visitors.
>>
>> --Jeff
>>
>>
>> On Sep 13, 2007, at 9:21 AM, Steven Jones wrote:
>>
>> > How would this module be different from uploading a .js file to the
>> > /files directory using upload module?
>> >
>> > On 13/09/2007, Jeff Eaton <jeff at viapositiva.net> wrote:
>> >> Please step back from your computer and wait while Rasmus roots your
>> >> machine. Thank you!
>> >>
>> >> ;)
>> >>
>> >> --Jeff
>> >>
>> >> On Sep 13, 2007, at 8:45 AM, Fernando Silva wrote:
>> >>
>> >>> It's not executable code. It's jQuery javascript files.
>> >>>
>> >>> On 9/13/07, Peter Wolanin <pwolanin at gmail.com> wrote:
>> >>>> Um, perhaps you all have not seen previous threads about the
>> >>>> hazards
>> >>>> of allowing executable code in a writeable directory?
>> >>
>> >>
>> >
>> >
>> > --
>> > Regards
>> > Steven Jones
>>
>>
> 
> 
> --
> Regards
> Steven Jones
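A sketch of the loader Larry's proposal implies, added here as an illustration and not code from the thread or from Drupal core. It assumes the fixed plugin directory sites/default/modules/jquery/plugins/ from the proposal, the hypothetical hook_jquery() (the hook name is Larry's, the implementation example_jquery() is constructed), and the real core functions module_invoke_all() and drupal_add_js(). The point it makes is the one the thread argues over: a plugin name from a hook is validated as a bare identifier so it cannot escape the directory, and a plugin file that the web server process can write to is refused rather than served.

```php
<?php
// Added example (not from the thread, not Drupal core): load jQuery plugins
// only from a fixed, non-writable directory, opted in via hook_jquery().

// Fixed plugin directory from the proposal (constructed path for this example).
define('JQUERY_PLUGIN_DIR', 'sites/default/modules/jquery/plugins');

/**
 * Hypothetical module implementing the proposed hook_jquery().
 * It returns plugin names, never file paths.
 */
function example_jquery() {
  return array('fancyplugin');
}

/**
 * Collect plugin names from every module implementing hook_jquery().
 * module_invoke_all() is a real core function; the hook itself is the
 * proposed one from the thread.
 */
function jquery_requested_plugins() {
  return array_unique(module_invoke_all('jquery'));
}

/**
 * Validate a plugin name and resolve it to a file in JQUERY_PLUGIN_DIR.
 * Returns the path, or FALSE if the name or the file is not acceptable.
 */
function jquery_plugin_path($name) {
  // Accept only a bare identifier: no slashes, dots or '..', so a value
  // returned by a hook can never point outside the plugin directory.
  if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
    return FALSE;
  }
  $path = JQUERY_PLUGIN_DIR . '/jquery.' . $name . '.js';
  // The file must exist and must NOT be writable by the process serving
  // the page; a writable script directory is exactly the hazard at issue.
  if (!is_file($path) || is_writable($path)) {
    return FALSE;
  }
  return $path;
}

/**
 * Add every acceptable requested plugin to the page with drupal_add_js()
 * (core) and report what was loaded and what was rejected, so an admin
 * page like the proposed admin/build/plugins can show the outcome.
 */
function jquery_load_plugins() {
  $result = array('loaded' => array(), 'rejected' => array());
  foreach (jquery_requested_plugins() as $name) {
    $path = jquery_plugin_path($name);
    if ($path === FALSE) {
      $result['rejected'][] = $name;
      continue;
    }
    drupal_add_js($path, 'module');
    $result['loaded'][] = $name;
  }
  return $result;
}
```

The is_writable() test is the operational check behind the thread's argument: a plugin directory the web server can write to is the condition under which any other PHP hole turns into a script served to every visitor, so the loader treats a writable plugin file as a configuration error rather than a file to include.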


