[development] jQuery 1.2 is released
Jeff Eaton
jeff at viapositiva.net
Thu Sep 13 17:23:11 UTC 2007
Bingo.
Larry's summary explains it. automatic downloading of jquery plugins
is only useful if those files are automatically included in the
output to clients. Which means that your web site has just become a
one-stop reflector for JS-based exploits.
--Jeff
On Sep 13, 2007, at 11:24 AM, Larry Garfield wrote:
> It doesn't matter where they live on the server. They're useless
> unless they get sent to the browser, where they are useless unless
> they execute. That means one PHP security hole, in any PHP script
> anywhere on the server, and a n'er-do-well can write to a
> Javascript file that will get sent to every visitor's browser,
> where it will open a new hidden browser window to youreh4x3d.com,
> which will download a malicious program to that visitor's computer
> that begins vocally espousing the wonders of Viagra to a few
> million email addresses.
More information about the development
mailing list