WITH THAT SAID AND DONE

Back to your regularly scheduled fraxblog. Sorry for that wave of click-source-related posts.

To those of you who followed me because of that post (good christ there are 80 of you): I will post furries and gay stuff occasionally and there’s nothing you can do to stop me. B)

mashiankrekku replied to your post:

actually I don’t think it works like that. :c

Oh. :(

mashiankrekku replied to your post:

also it seems they only fixed it on the dashboard. some blog styles don’t have clickable source links, but the script still works on my blog. (i hope this doesn’t replace my first reply, knowing how tumblr works.)

Yeah, I noticed that too… but people can put whatever JavaScript they want on their own blogs anyway, since they’re under different subdomains, so I guess they’re not as concerned about that.

EDIT: In case anyone’s curious, JavaScript in a picture click-through URL doesn’t show up (the picture isn’t clickable), and any JavaScript in text post URLs (these things) just gets prefixed with “denied:”.
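The “denied:” behaviour described above is a URL-scheme allow-list: anything whose scheme is not on a short safe list gets its link neutralised before it lands in an href. The following is an added illustration of that approach, not Tumblr’s own code; the SAFE_SCHEMES list and the sanitizeHref/extractScheme names are assumptions. It also shows why the check has to normalise the way browsers do: tabs and newlines are stripped from a URL before the scheme is parsed, and leading/trailing control characters and spaces are dropped, so a naive `startsWith("javascript:")` test is not enough.

```javascript
// Added example (not Tumblr's code): allow-list scheme filter that mimics
// the "denied:" prefixing behaviour described above.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Return the lower-cased scheme of a URL, or null for a relative URL.
// Browsers remove ASCII tab/LF/CR anywhere in the input and strip leading
// and trailing C0 controls and spaces before parsing, so "java\tscript:"
// and "  JavaScript:" both parse as the javascript: scheme; normalise the
// same way so the filter sees what the browser will see.
function extractScheme(url) {
  const cleaned = String(url)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Pass through relative URLs and allow-listed schemes unchanged; anything
// else (javascript:, data:, vbscript:, ...) is prefixed with "denied:" so
// the resulting href can no longer execute or load active content.
function sanitizeHref(url) {
  const scheme = extractScheme(url);
  if (scheme === null || SAFE_SCHEMES.has(scheme)) {
    return url;
  }
  return "denied:" + url;
}

// Constructed sample inputs, in the spirit of the Content Source field.
const samples = [
  "javascript:alert(1)",
  "  JavaScript:void(0)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "https://example.com/post/1",
  "/tagged/spinning-boxes",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "=>", JSON.stringify(sanitizeHref(s)));
}
```

Deny-by-default is the point: a block-list of known bad schemes misses the next one (vbscript:, data:, and whatever a particular browser adds), while an allow-list only ever lets through what the site actually needs for a source link.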

mashiankrekku asked:

HEY I'M TOO RETARDED TO READ YOUR BLOG WEHHHHHHHH WHY DOESN'T THE SOURCE THING WORK ANYMORE WEEEEHHHHHHHHH

It looks like I can replace the image, so I think I’ll do that to tell people it won’t work anymore.

Actually…

On second thought, this opens up a huge realm of possibilities. I can put anything I want on tens of thousands of Tumblr blogs… What should I do?

Tumblr just fixed the Source vulnerability moments ago.

Good for them, I guess, but there’s pretty much no way my inbox isn’t going to be flooded with inquiries as to why it doesn’t work in a moment.

drapemeinlace started following you
asdfawefawe started following you
benludwin started following you
finallyfamousmufuckaa started following you
darkness-and-magic started following you

Hello, five of the 40-ish followers I’ve recently gained. I’m singling you guys out for one reason:

Don’t have music automatically play on your blog.

You may think it’s really cool, but it’s not. At all. It’s a terrible and annoying practice that should have died off with MySpace and Xanga. Even Tumblr itself agrees that it’s “incredibly tacky”. So please, for the sanity of all those who happen to look at your blog - don’t automatically play music.

GUYS DO NOT CLICK ON THE “CLICK SOURCE” POST

oceanmaster:

soul-is-over:

it demonstrates an XSS attack, and can run arbitrary code. who knows what it can do with your tumblr.

you have been warned

While OP IS somewhat correct (it DOES open itself up to being a huge security risk if used maliciously), in this specific case it is a harmless prank.

javascript:d=document;s=d.createElement('style');s.type='text/css';s.innerHTML=".post{-webkit-transition: all 5s ease-in-out; -moz-transition: all 5s ease-in-out; -o-transition: all 5s ease-in-out;}.post:hover{-webkit-transform: rotate(1800deg) scale(1); -moz-transform: rotate(1800deg) scale(1); -o-transform: rotate(1800deg) scale(1);}";d.getElementsByTagName('head')[0].appendChild(s);

All this Javascript is doing is adding a CSS3 animated transition to the page.

.post {
    -webkit-transition: all 5s ease-in-out;
    -moz-transition: all 5s ease-in-out;
    -o-transition: all 5s ease-in-out;
}

.post:hover {
    -webkit-transform: rotate(1800deg) scale(1);
    -moz-transform: rotate(1800deg) scale(1);
    -o-transform: rotate(1800deg) scale(1);
}

There is nothing inherently bad about this particular script. If you clicked it, you should have nothing to worry about — at least not this time around.

That said, it IS possible that someone could edit the Javascript in the Content Source to do something malicious. Always take care in what you click.

Hello there! I’m the guy who created this post.

soul-is-over: you are correct, it is an XSS vulnerability, and generally speaking I myself will advise people not to click on such things without knowing beforehand what they do. However, I can also assure you that the code I wrote is completely safe. All it does is inject a stylesheet that does some funky proprietary CSS effects to each post box; nothing more happens.

Basically, what Oceanmaster said.

roxorfoxor asked:

I think you officially won at tumblr.

I’m just glad this message wasn’t yet another person telling me that the script doesn’t work for them!

oceanmaster:

sammneiland:

comrade-ringo:

diacrit:

leisures:

godawfulhideous:

tardisboner:

WHAT IS THIS SORCERY.

jesus FUCK

fuck noOOoNONFD

i don’t get it i don’t see a source
is that the joke

OH GOD

DEVIL.
WHO PUT THE DEVIL ON MY TUMBLR.

Ohhhohoh, this is juicy. Don’t expect this to work for too long, though. It’s a HUGE oversight in Tumblr’s coding.
Also it doesn’t seem to work too well in Firefox BUT I SEE IT.

GOOD GOD THIS GOT POPULAR FAST!!

10,000 NOTES IN UNDER HALF AN HOUR OWWWWWwwww

Seriously, though…

That’s a pretty huge security hole and I’m surprised nobody bothered to take advantage of it yet.

Tumblr devs, if you’re reading this: I meant no harm by publicizing this vulnerability. I just wanted to amuse some people with spinning boxes, honestly. :)