[development] jQuery 1.2 is released

Jeff Eaton jeff at viapositiva.net
Thu Sep 13 17:23:11 UTC 2007


Larry's summary explains it. automatic downloading of jquery plugins  
is only useful if those files are automatically included in the  
output to clients. Which means that your web site has just become a  
one-stop reflector for JS-based exploits.


On Sep 13, 2007, at 11:24 AM, Larry Garfield wrote:

> It doesn't matter where they live on the server.  They're useless  
> unless they get sent to the browser, where they are useless unless  
> they execute.  That means one PHP security hole, in any PHP script  
> anywhere on the server, and a n'er-do-well can write to a  
> Javascript file that will get sent to every visitor's browser,  
> where it will open a new hidden browser window to youreh4x3d.com,  
> which will download a malicious program to that visitor's computer  
> that begins vocally espousing the wonders of Viagra to a few  
> million email addresses.

More information about the development mailing list