Open indolering opened 10 years ago
Wouldn't this code allow Tumblr's servers to inject arbitrary Javascript into our website?
@JeremyRand they could also just insert fake blog posts and mess with those links as well. Just add a layer of tinfoil, it will be alright : )
@indolering Inserting fake blog posts is a different threat than directly modifying download links on the main site, which is what Javascript injection would do. I strongly recommend not loading Javascript from servers we don't control, unless it's sandboxed.
Ahhh, right, because I'm including a script, not just fetching the JSON feed. Yes, this should be implemented using PHP + the RSS feed. I'll change the ticket.
I wrote some JS for this, but I figured you (shobute) might prefer PHP. Their JSON feed is a weird script, use raw RSS instead.
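The server-side approach the thread settles on, as an added example that is not code from this issue or from the project: PHP fetches the blog's RSS over HTTPS, parses it with SimpleXML (network access for the parser disabled), keeps only http(s) links, and escapes every feed-controlled value before it reaches the page. Nothing from the blog host executes in the visitor's browser, so the feed can at worst show a bogus post, not rewrite the site's own download links. The feed URL is a placeholder and the RSS document below is constructed sample data standing in for a real fetch.

```php
<?php
// Added example, not the project's code. Renders recent blog posts from an RSS
// feed fetched on the server instead of including the blog host's script tag.
declare(strict_types=1);

const FEED_URL = 'https://EXAMPLE-BLOG.tumblr.com/rss'; // placeholder, not a real feed

/** Fetch the feed over HTTPS; null on failure so the page can degrade gracefully. */
function fetchFeed(string $url): ?string
{
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $xml = @file_get_contents($url, false, $ctx);
    return $xml === false ? null : $xml;
}

/** Parse RSS into plain arrays. LIBXML_NONET stops the parser from following URLs in the XML. */
function parseItems(string $xml, int $limit = 5): array
{
    $doc = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || !isset($doc->channel->item)) {
        return [];
    }
    $items = [];
    foreach ($doc->channel->item as $item) {
        $link = trim((string) $item->link);
        // Only http(s) links are kept: a javascript: or data: URL from the feed never reaches an href.
        if (!preg_match('#^https?://#i', $link)) {
            continue;
        }
        $items[] = ['title' => trim((string) $item->title), 'link' => $link];
        if (count($items) >= $limit) {
            break;
        }
    }
    return $items;
}

/** Build the HTML list, escaping title and link so feed content is data, not markup. */
function renderItems(array $items): string
{
    $html = "<ul class=\"blog-posts\">\n";
    foreach ($items as $it) {
        $html .= sprintf(
            "  <li><a href=\"%s\">%s</a></li>\n",
            htmlspecialchars($it['link'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            htmlspecialchars($it['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

// Constructed sample feed: one title carrying markup and one item with a javascript: link.
$sampleRss = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>Blog</title>
<item><title>Release 1.2 &lt;script&gt;alert(1)&lt;/script&gt;</title><link>https://blog.example/post/1</link></item>
<item><title>Bad link</title><link>javascript:alert(1)</link></item>
<item><title>Release 1.1</title><link>https://blog.example/post/2</link></item>
</channel></rss>
XML;

// In production: $xml = fetchFeed(FEED_URL) ?? '';  The sample keeps this runnable offline.
$xml = $sampleRss;
echo renderItems(parseItems($xml));
```

Run with `php render_feed.php`: the first title comes out as `Release 1.2 &lt;script&gt;alert(1)&lt;/script&gt;` inside the `<a>`, the `javascript:` item is dropped, and the third post renders normally. The escaping happens at output time in `renderItems`, so the same `parseItems` result can be reused for a cached copy or a JSON endpoint without trusting the feed anywhere.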