GUYS DO NOT CLICK ON THE “CLICK SOURCE” POST
it demonstrates an XSS attack, and can run arbitrary code. who knows what it can do with your tumblr.
you have been warned
While OP IS somewhat correct (it DOES open itself up to being a huge security risk if used maliciously), in this specific case it is a harmless prank.
javascript:d=document;s=d.createElement('style');s.type='text/css';s.innerHTML=".post{-webkit-transition: all 5s ease-in-out; -moz-transition: all 5s ease-in-out; -o-transition: all 5s ease-in-out;}.post:hover{-webkit-transform: rotate(1800deg) scale(1); -moz-transform: rotate(1800deg) scale(1); -o-transform: rotate(1800deg) scale(1);}";d.getElementsByTagName('head')[0].appendChild(s);
All this JavaScript is doing is adding a CSS3 animated transition to the page.
.post {
  -webkit-transition: all 5s ease-in-out;
  -moz-transition: all 5s ease-in-out;
  -o-transition: all 5s ease-in-out;
}
.post:hover {
  -webkit-transform: rotate(1800deg) scale(1);
  -moz-transform: rotate(1800deg) scale(1);
  -o-transform: rotate(1800deg) scale(1);
}
There is nothing inherently bad about this particular script. If you clicked it, you should have nothing to worry about — At least not this time around.
That said, it IS possible that someone could edit the JavaScript in the Content Source to do something malicious. Always take care in what you click.
Hello there! I’m the guy who created this post.
soul-is-over: you are correct, it is an XSS vulnerability, and generally speaking I myself will advise people not to click on such things without knowing beforehand what they do. However, I can also assure you that the code I wrote is completely safe. All it does is inject a stylesheet that does some funky proprietary CSS effects to each post box; nothing more happens.
Basically, what Oceanmaster said.
(Source: s0ul-is-over)
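
The risk discussed in this thread comes from a source link that accepts a javascript: URL. As an added example (not code from any poster here or from Tumblr), this is one way a platform could validate such a link with a scheme allowlist instead of a string blocklist; the function names, the base URL and the sample inputs are constructed for illustration.

```javascript
// Added example: allowlist validation for a user-supplied "content source" link.
// safeSourceUrl, naiveBlocklist, ALLOWED_SCHEMES and BASE are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const BASE = "https://blog.example/"; // constructed base for resolving relative links

// Weak check shown for contrast: matches only one exact spelling of the scheme.
function naiveBlocklist(raw) {
  return !raw.startsWith("javascript:");
}

// Parse first, then decide. The WHATWG URL parser normalises the way a browser
// does: it trims leading/trailing spaces and control characters, removes tabs
// and newlines, and lowercases the scheme before we look at it.
function safeSourceUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw, BASE);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href; // store and render the normalised form, not the raw string
}

// Constructed sample inputs; the script bodies are deliberately inert.
const SAMPLES = [
  "https://example.com/post/1",
  "/post/123",
  "javascript:void(0)",
  "JaVaScRiPt:void(0)",
  " \tjavascript:void(0)",
  "java\nscript:void(0)",
  "data:text/html,hi",
];

// Returns one row per sample so both checks can be compared side by side.
function compareChecks(samples) {
  return samples.map((raw) => ({
    raw,
    naiveAllows: naiveBlocklist(raw),
    allowlistResult: safeSourceUrl(raw),
  }));
}

console.table(compareChecks(SAMPLES));
```

The blocklist lets every obfuscated spelling through, while the allowlist returns null for anything that is not http or https after normalisation.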