
Pull news from blog #68

Open
indolering opened this issue Sep 12, 2014 · 4 comments

Comments

@indolering

I wrote some JS for this, but I figured you (shobute) might prefer PHP.

Their JSON feed is a weird script; use raw RSS instead.

@JeremyRand
Member

Wouldn't this code allow Tumblr's servers to inject arbitrary Javascript into our website?

@indolering
Author

@JeremyRand they could also just insert fake blog posts and mess with those links as well. Just add a layer of tinfoil, it will be alright : )

@JeremyRand
Member

@indolering Inserting fake blog posts is a different threat than directly modifying download links on the main site, which is what Javascript injection would do. I strongly recommend not loading Javascript from servers we don't control, unless it's sandboxed.

@indolering
Author

> @indolering Inserting fake blog posts is a different threat than directly modifying download links on the main site, which is what Javascript injection would do. I strongly recommend not loading Javascript from servers we don't control, unless it's sandboxed.

Ahhh, right, because I'm including a script, not just fetching the JSON feed. Yes, this should be implemented using PHP + the RSS feed. I'll change the ticket.
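The approach the thread settles on (fetch the RSS feed server-side in PHP and render it as data), shown as an added example that is not the project's code. The point it illustrates: a `<script src=…>` include of the Tumblr JSON endpoint runs Tumblr-supplied code with the site's own origin, so it could rewrite the download links on the page; parsing the feed on the server and escaping every string before output means the blog can only supply text. The feed content below is constructed for the example (the second item carries the kind of payload a hostile feed might contain), the blog hostname `example.tumblr.com` is a placeholder, and the `/rss` feed URL mentioned in the trailing comment is an assumption about Tumblr's layout, not something this issue states.

```php
<?php
// Added example, not the project's code: render blog posts server-side from
// the RSS feed so the blog can only supply data, never script.
declare(strict_types=1);

// Constructed sample feed standing in for what the blog host would return.
// The second item is the sort of content an attacker-controlled feed might carry.
const SAMPLE_RSS = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example blog</title>
    <item>
      <title>New release is out</title>
      <link>https://example.tumblr.com/post/1/release</link>
      <pubDate>Fri, 12 Sep 2014 10:00:00 +0000</pubDate>
    </item>
    <item>
      <title>&lt;script&gt;document.querySelector('a.download').href='https://evil.example/'&lt;/script&gt;</title>
      <link>javascript:alert(1)</link>
      <pubDate>not a date</pubDate>
    </item>
  </channel>
</rss>
XML;

/**
 * Parse RSS text into rows of title/link/date strings.
 * LIBXML_NONET forbids network access while parsing, and external entity
 * loading is kept off, so a hostile feed cannot pull local files or make
 * the server contact other hosts (XXE). Entities are NOT substituted.
 */
function parseFeed(string $xml): array
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // default-off from PHP 8.0 onwards
    }
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false || !isset($doc->channel)) {
        return [];
    }
    $posts = [];
    foreach ($doc->channel->item as $item) {
        $posts[] = [
            'title' => (string) $item->title,
            'link'  => (string) $item->link,
            'date'  => (string) $item->pubDate,
        ];
    }
    return $posts;
}

/** Accept only https links on the blog's own host; anything else is dropped. */
function safeLink(string $url, string $allowedHost): ?string
{
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || strcasecmp($parts['host'] ?? '', $allowedHost) !== 0) {
        return null;
    }
    return $url;
}

/** Render posts as an HTML list; every feed-derived string is escaped on output. */
function renderPosts(array $posts, string $allowedHost, int $limit = 5): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = "<ul class=\"news\">\n";
    foreach (array_slice($posts, 0, $limit) as $post) {
        $ts = strtotime($post['date']);
        $date = $ts === false ? '' : date('Y-m-d', $ts) . ': ';
        $title = $esc($post['title']);
        $link = safeLink($post['link'], $allowedHost);
        $html .= $link === null
            ? "  <li>{$date}{$title}</li>\n"
            : "  <li>{$date}<a href=\"{$esc($link)}\">{$title}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// In production the XML would be fetched with a timeout and cached, e.g.
// $xml = file_get_contents('https://example.tumblr.com/rss'); // assumed feed URL
// Here the constructed sample is rendered instead.
echo renderPosts(parseFeed(SAMPLE_RSS), 'example.tumblr.com');
```

The hostile item comes out as literal `&lt;script&gt;…` text with no link, because the title is escaped and the `javascript:` URL fails the https-plus-host check. The feed is still untrusted input, so the same escaping applies to any other field (description, author) the site later decides to show.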
