[development] jQuery 1.2 is released

Jeff Eaton jeff at viapositiva.net
Fri Sep 14 12:32:53 UTC 2007

This is very true. The concern that sparked this discussion revolved  
around *automatically downloading* javascript files from a *remote  
server* and automatically including them in Drupal's output to end- 
users. Compromising remote servers in that scenario (as happened with  
Wordpress) could easily result in jillions of Drupal sites auto- 
downloading a compromised version of a js file and 'reflecting' it  
out to all of their users.


On Sep 14, 2007, at 7:25 AM, Frando wrote:

> JavaScript is different, though. For someone to exploit a Drupal  
> site by
> saving a modified, malicious JavaScript file at a path where it gets
> included in every request, he needs a major security hole in the  
> site (one
> that allows him to save random files at random paths). Given that  
> security
> hole, he most likely has already other ways to add random, malicious
> JavaScript to every page request (He could e.g. add a PHP block  
> with no
> title and text to each page which then includes the malicious  
> JavaScript. He
> could also add the JavaScript to the aggregated CSS file, which  
> also lives
> in the writeable file directory. JavaScript in CSS files gets  
> executed by
> most modern browsers.).

More information about the development mailing list