Merchands of Crap

I just dug around the brandspanking new website of our local merchands’ association (see this Link) and unearthed a true beauty:


</head>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-4673859-2");
pageTracker._trackPageview();
} catch(err) {}</script>

<body>

One would have thought that even the retarded Joomla community had by now sussed HTML’s nesting rules. Well, it seems they haven’t.

Be scared!

My opinion of the Joomla community is low enough so as not to have expected any better. However, from the guys and dolls at Mozilla I had expected more than that:

Firefox reads and executes those scripts despite the fact that they are placed outside of the document tree.

Now this script is just the usual Google Analytics bull, but it could also have been a badly injected piece of malware.

When any script will be executed, even if it ends up in the nirvana between nodes, then we have a real security hazard – being introduced by browsers’ overdone tolerance for crappy markup.

Speak your mind. Leave a comment.

Advertisements

About dozykraut

Proud member of Hillbilly's on Linux, promoting open source redneckism in remote parts of the Milky Way.
This entry was posted in Web and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s