javascript output trigger is flawed and can break page views #129

Closed
ucavus opened this Issue Mar 31, 2011 · 5 comments

2 participants

@ucavus

SimplePie::javascript should default to false to prevent general get params on a page conflicting with simplepie, and
if (isset($_GET[$this->javascript]))
{
SimplePie_Misc::output_javascript();
exit;
}
should be
if ($this->javascript && isset($_GET[$this->javascript]))
{
SimplePie_Misc::output_javascript();
exit;
}

@rmccue
SimplePie member

Fixed the latter in simplepie/simplepie@545b862

As for the former, I'm not sure it's needed.

@ucavus

Thanks. I think the former is needed, imagine if I visit somesite.com/some/page.lang?foo=bar&js=anythingatall where the js parameter has nothing to do with SimplePie. If any feed is fetched by simplepie pie during that page load It kills the page. Average Joe could have a hard time tracking the cause down. Personally, I think if you can't write $feed->set_javascript('spjs');, then you're not going to be able to use the embed feature anyway, so why have potentially conflicting get parameters on by default?

@rmccue
SimplePie member

True, however it is an API compatibility. I think it's definitely more beneficial to remove it though, so I'll do that.

@rmccue
SimplePie member
@rmccue rmccue closed this Apr 1, 2011
@rmccue
SimplePie member

On second thoughts, remove it completely: simplepie/simplepie@100c6ab

There's no real point including this in init, when it's much easier for a script that's using it to work it out itself.

@skyzyx skyzyx pushed a commit to skyzyx/simplepie that referenced this issue Aug 12, 2012
@rmccue rmccue Change set_javascript to default to false. Fixes #129 bc2455d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment