gouthambs / Flask-Blogging

A Markdown Based Python Blog Engine as a Flask Extension.
http://flask-blogging.readthedocs.org/en/latest/
MIT License
688 stars 159 forks

possible security issue using non https disqus loader in the template code #111

Closed menkhus closed 6 years ago

menkhus commented 7 years ago

Hi,

I am still testing and learning Flask-Blogging v1.0.1 (much less web app coding!). I pip installed flask-blogging and set up a test blog. I experienced a possible security problem:

While at a coffee shop, I was attacked with an injected script, some sort of ad for an antivirus... The blog page was overwritten with "you are infected and need my antivirus..." I was puzzled how this could happen, so I googled; it seems this could be rooted in using http to get the Disqus JavaScript code - injecting into JavaScript code accessed for Disqus via http instead of https. Note, this is a guess, I was not able to reproduce this problem more than once.

Suggested solution: So, I patched my instance of the disqus.html template file - I just modified the URL that is used to access Disqus to use https, and it seems to still function, not sure if this is a complete fix. The code from Disqus seems to be a little newer than what is in the disqus.html template. My modification:

```javascript
(function() {
    var dsq = document.createElement('script');
    dsq.type = 'text/javascript';
    dsq.async = true;
    // https instead of http so the loader cannot be tampered with on the network
    dsq.src = 'https://' + disqus_shortname + '.disqus.com/embed.js';
    (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
```

Latest Disqus code ref: https://disqus.com/admin/universalcode/

Thanks, Mark Menkhus
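A small checker for this class of issue, added here as an example and not part of Flask-Blogging: it scans a template for scripts or stylesheets fetched over plain http (both a static src attribute and a JavaScript loader that concatenates an 'http://' literal, as the Disqus snippet does) and rewrites them to https. The template text is a constructed sample resembling the loader the issue describes, not the project's actual disqus.html.

```python
import re

# Constructed sample resembling the old disqus.html loader described in the
# issue (an assumption; not the project's actual template file).
OLD_LOADER = """
<div id="disqus_thread"></div>
<script type="text/javascript">
    var disqus_shortname = '{{ disqus_shortname }}';
    (function() {
        var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
        dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
        (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
    })();
</script>
<script src="http://example.invalid/analytics.js"></script>
"""

# Static tags whose src/href is a plain-http URL: <script src="http://...">, <link href="http://...">
STATIC_HTTP = re.compile(r"""<(?:script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']http://[^"']*""", re.I)
# Dynamic loaders that build the URL in JavaScript from an 'http://' literal (the Disqus pattern)
DYNAMIC_HTTP = re.compile(r"""\.src\s*=\s*["']http://[^"']*["']""", re.I)


def find_insecure_loads(template_text):
    """Return (line_number, matched_text) for every script or stylesheet that
    would be fetched over plain http, i.e. modifiable by anyone on the path
    (the coffee-shop scenario). Protocol-relative '//' URLs are not flagged:
    they inherit the page's scheme, so they are only safe if the page is https."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        for pattern in (STATIC_HTTP, DYNAMIC_HTTP):
            match = pattern.search(line)
            if match:
                findings.append((line_no, match.group(0).strip()))
                break
    return findings


def upgrade_to_https(template_text):
    """Rewrite the flagged URLs to https://, the fix applied in the issue."""
    def bump(match):
        return match.group(0).replace("http://", "https://", 1)
    return DYNAMIC_HTTP.sub(bump, STATIC_HTTP.sub(bump, template_text))


if __name__ == "__main__":
    for line_no, snippet in find_insecure_loads(OLD_LOADER):
        print("line %d: %s" % (line_no, snippet))
    assert find_insecure_loads(upgrade_to_https(OLD_LOADER)) == []
```

Running it against a real templates directory is a matter of reading each file and calling find_insecure_loads on its contents.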

gouthambs commented 7 years ago

@menkhus Yes, the Disqus script probably needs an upgrade. Will look into changing it. Thanks for the pointer.

gouthambs commented 6 years ago

@menkhus

Thanks for the suggestion. I have updated the master with your suggestions. Will incorporate into next release (v1.0.3).