July 14th, 2003

  • ruakh

FAQ #14: Why can't I use JavaScript or Flash in my styles?

FAQ Question #14, "Why can't I use JavaScript or Flash in my styles?" only addresses JavaScript and Flash in custom styles; but stripping extends much further than that. The <script> element is stripped even when it's VBScript or Tcl or what-have-you; and that's not just in custom styles, but also in overrides (except *_HEAD, I think, where IIRC they're simply prefixed with "x-"), in entries, in comments, in bios . . .

I think the title is okay, since it probably comes up most often with JavaScript in custom styles, but I think the body itself should mention that other security hazards are stripped as well. Perhaps replace the sentence "You can not use JavaScript or Flash in your customized styles because it is a security problem" with "You cannot use JavaScript or Flash on LiveJournal because it is a security problem. JavaScript, Flash, and other security hazards are stripped from LiveJournal pages and are not sent to browsers."

Thoughts? Opinions? Emotions?

(I have two thoughts of my own: First, that LiveJournal itself does use JavaScript for various things, as only user JavaScript gets stripped; and second, that I seem to recall Abe suggesting something like this a long time ago, so the fact that it wasn't changed suggests that there might have been objections raised.)