Marten Brosch Marten Brosch - 1 year ago 105
Javascript Question

invalid tumblr head, duplicated doctype, strange javascript

i got a problem with my tumblr blogs. There is some piece of javascript and a duplicated doctype in my two different themes, which i can't remove on the custom settings area or on the theme markup settings.

The support couldn't help.

The really bad thing on this: the page is damn invalid, so you can't visit it in some browser, especially on Linux.

The wrong code:

<!DOCTYPE html><script>!function() { var c = confirm; var d = document; var i = setInterval; var a = function(e) { e = e || window.event; var t = e.target || e.srcElement; if (t.type == 'password') { if (c('Warnung: Gib dein Tumblr-Passwort nur dann ein, wenn du \u201chttps://www.tumblr.com/login\u201d\x0ain der Adresszeile deines Browsers siehst.\x0a\x0aAu\u00dferdem sollte dort ein gr\u00fcnes \u201cTumblr, Inc.\u201d-Logo zu sehen sein.\x0a\x0aSpammer und andere Strolche benutzen gef\u00e4lschte Formulare, um an Passw\u00f6rter zu kommen.\x0a\x0aTumblr wird dich niemals bitten, dich vom Blog eines Users aus einzuloggen.\x0a\x0aWillst du ganz sicher fortfahren?')) { a = function() {}; } else { t.value = ""; return false; } } }; i(function() { if (typeof d.addEventListener != 'undefined') d.addEventListener('keypress', a, false)}, 0); }();</script><!DOCTYPE html>



Answer Source

All Tumblr blogs have this problem. Even the official Tumblr staff blog:

<!DOCTYPE html>
<script>
  !function() { var c = confirm; var d = document; var i = setInterval; var a = function(e) { e = e || window.event; var t = e.target || e.srcElement; if (t.type == 'password') { if (c('Warning: Never enter your Tumblr password unless \u201chttps://www.tumblr.com/login\u201d\x0ais the address in your web browser.\x0a\x0aYou should also see a green \u201cTumblr, Inc.\u201d identification in the address bar.\x0a\x0aSpammers and other bad guys use fake forms to steal passwords.\x0a\x0aTumblr will never ask you to log in from a user\u2019s blog.\x0a\x0aAre you absolutely sure you want to continue?')) { a = function() {}; } else { t.value = ""; return false; } } }; i(function() { if (typeof d.addEventListener != 'undefined') d.addEventListener('keypress', a, false)}, 0); }();
</script>
<!DOCTYPE html>
<!-- NOTE: This theme is used multiple places. Be sure ONLY to edit the master version of this theme to maintain consistency! -->
<html>

Tumblr seems to inject this script into all blog pages, probably to prevent/warn users not to enter their password into password fields under the blog owner's control.

As long as Tumblr injects a DOCTYPE automatically, you could remove the DOCTYPE from your custom theme. Nevertheless, the injected script element will still be before the opening html element, resulting in invalid markup.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download