I've got a site that provides blog-friendly widgets via JavaScript. These work fine in most circumstances, including self-hosted Wordpress blogs. With blogs hosted at Wordpress.com, however, JavaScript isn't allowed in sidebar text modules. Has anyone seen a workaround for this limitation?

+1  A: 

you could always petition wp to add your widget to their 'approved' list, but who knows how long that would take. you're talking about a way to circumvent the rules they have in place about posting arbitrary script. myspace javascript exploits in particular have increased awareness of the possibility of such workarounds, so you might have a tough time getting around the restrictions - however, here are a few classic ones to try:

put the javascript in a weird place, like anywhere that executes a URL. for instance:

<div style="background:url('javascript:alert(this);');" />

sometimes the word 'javascript' gets cut out, but occasionally you can sneak it through as java\nscript, or something similar.

sometimes quotes get stripped out - try String.fromCharCode(34) to get around that. Also, in general, using eval("codepart1" + "codepart2") to get around restricted words or characters.

sneaking in javascript is a tricky business, mostly utilizing unorthodox (possibly un-documented) browser behavior in order to execute arbitrary javascript on a page. Welcome to hacking.

matt lohkamp
Messy, I don't like it.
Ben Shelock
Oh definitely, but come on, is there a 'clean' way to sneak javascript into an area where it's supposedly not allowed?
matt lohkamp
see other XSS techniques. follow the link in my answer. (and btw - style hack isn't cross-browser)
naugtur
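As an added example (not part of the thread and not WordPress.com's code): the variants mentioned in the answer above are the reason a host cannot rely on deleting the word 'javascript'. The sketch below compares that blocklist with a check that normalises each `url(...)` target in a style value and accepts only allowlisted schemes. Function names and sample strings are constructed for illustration, and the check is narrowed to URL schemes in style attributes.

```javascript
// Added example, not code from the thread or from WordPress.com.
// Function names and sample strings are constructed for illustration.

// Blocklist: delete the literal word "javascript" and hope for the best.
function naiveStrip(value) {
  return value.replace(/javascript/gi, "");
}

// Allowlist: only absolute URLs with these schemes are accepted.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Remove control characters (tab, CR, LF, ...) that can hide inside a
// scheme name, so "java\nscript:" is compared as "javascript:".
function normalise(value) {
  return value.replace(/[\u0000-\u001f\u007f]/g, "").trim();
}

function isAllowedUrl(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalise(value));
  // No scheme (relative URL) is rejected too in this strict example.
  return m !== null && ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Collect every url(...) target in a style attribute value.
function styleUrls(style) {
  const re = /url\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;
  return Array.from(style.matchAll(re), (m) => m[2]);
}

function isAllowedStyle(style) {
  // CSS escapes (backslashes) can spell a scheme indirectly: refuse them
  // rather than try to decode them with a regex.
  if (style.includes("\\")) return false;
  return styleUrls(style).every(isAllowedUrl);
}

// Constructed samples based on the two cases mentioned in the answer.
const SAMPLES = {
  plain: "background:url('javascript:alert(this);');",
  split: "background:url('java\nscript:alert(this);');",
  benign: "background:url('https://example.com/bg.png');",
};

function checkSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [k, isAllowedStyle(v)])
  );
}
```

The blocklist leaves the newline-split sample unchanged, while the allowlist rejects both script samples and keeps the https one. A production sanitizer should parse the markup instead of using regular expressions.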
+4  A: 

From the official Wordpress.com FAQ:

Javascript can be used for malicious purposes and while what you want to do is okay it does not mean all javascript will be okay.

It goes on to remind the reader that both MySpace and LiveJournal had been affected by malicious Javascript and, therefore, will not be permitted (as it may be exploited by users with poor intentions). They can't risk it with amazingly large sites (think I Can Has Cheezburger, Anderson Cooper 360, Fox, etc.).

If you think you have Javascript that would benefit Wordpress.com you can contact them directly.

Devin Reams
+2  A: 

There is no workaround for it. Wordpress does not currently support Javascript. Sorry.

MLCWO
And further, if you do find a way, you should report it to WordPress so that they can block it.
Douglas
A: 

I believe it's against wordpress.com policy. I think what they decided on this particular topic is the right one. Can you imagine what would happen if Automattic (the WordPress company) allowed such a feature? Wordpress.com would end up like blogspot.

Ok, this is only my personal opinion. But I think blogspot has too many spam blogs.

justjoe
A: 

Just find a good site about XSS if you really need that js to work. But if it works for you it works for anybody, and you post a tutorial on how to do an XSS attack on your page with posts or comments.

reference: http://ha.ckers.org/xss.html

naugtur