[development] jQuery 1.2 is released

Fernando Silva fsilva.pt at gmail.com
Fri Sep 14 13:01:07 UTC 2007

Finally you had time to be clear about that. You should had do that 18
responses before.

Anyway and going back to the point itself, lets do another resume:
1. allowing jquery plugins to be installed by the user through Drupal,
would have the same problems that we have today, allowing the user to
upload anything he wants through Drupal.

2. allowing javascript to be installed at *install time* (in any some
folder) by the administrator has the same problems that we have today
when he installs Drupal.

3. automatically downloading a file ****at user/admin request**** (and
ALWAYS with user/admin knowledge) from a *remote server* has the same
problems has the user going to the remote server and
downloading/installing the file itself.

4. already discussed was the option to create valid/authentic
packages. With the upcoming functionality "update/version status", if
Drupal server is compromised, you think it's a different situation
from the one you are trying to create? So, it's time to start thinking
about "signing" of Drupal core/contrib/(eventually)plugins packages!


On 9/14/07, Jeff Eaton <jeff at viapositiva.net> wrote:
> This is very true. The concern that sparked this discussion revolved
> around *automatically downloading* javascript files from a *remote
> server* and automatically including them in Drupal's output to end-
> users. Compromising remote servers in that scenario (as happened with
> Wordpress) could easily result in jillions of Drupal sites auto-
> downloading a compromised version of a js file and 'reflecting' it
> out to all of their users.

More information about the development mailing list