How do you add a JavaScript widget to a Wordpress hosted blog?

I've got a site that provides blog-friendly widgets via JavaScript. These work fine in most circumstances, including self-hosted Wordpress blogs. With blogs hosted at Wordpress, however, JavaScript isn't allowed in sidebar text modules. Has anyone seen a workaround for this limitation?

4 Answers

you could always petition wp to add your widget to their 'approved' list, but who knows how long that would take. you're talking about a way to circumvent the rules they have in place about posting arbitrary script. myspace javascript exploits in particular have increased awareness of the possibility of such workarounds, so you might have a tough time getting around the restrictions - however, here's a classic ones to try:

put the javascript in a weird place, like anywhere that executes a URL. for instance:

<div style="background:url('javascript:alert(this);');" />

sometimes the word 'javascript' gets cut out, but occasionally you can sneak it through as java\nscript, or something similar.

sometimes quotes get stripped out - try String.fromCharCode(34) to get around that. Also, in general, using eval("codepart1" + "codepart2") to get around restricted words or characters.

sneaking in javascript is a tricky business, mostly utilizing unorthodox (possibly un-documented) browser behavior in order to execute arbitrary javascript on a page.

Oh definitely, but come on, is there a 'clean' way to sneak javascript into a area where it's supposedly not allowed?

"clean" and "sneak" sounds like an oximóron

From the official WordPress FAQ:

Javascript can be used for malicious purposes and while what you want to do is okay it does not mean all javascript will be okay.

It goes on to remind the reader that both MySpace and LiveJournal had been affected by malicious Javascript and, therefore, will not be permitted (as it may be exploited by users with poor intentions). They can't risk it with amazingly large sites (think I Can Has Cheezburger, Anderson Cooper 360, Fox, etc.).

There is not work around for it. Wordpress does not currently support Javascript. Sorry.

And further, if you do find a way, you should report it to WordPress so that they can block it.

It does allow a way to execute simple javascript through the Text Widget.

Just find a good site about XSS if You really need that js to work. But if it works for You it works for anybody, and You post a tutorian on how to do an XSS attack on Your page with posts or comments.

Using Apache mod_rewrite to remove sub-directories from URL

I'm managing an instance of Wordpress where the URLs are in the following format: /example-category/blog-post-permalink/ The blog author did an inconsistent job of adding categories to posts, so while some of them had legitimate categories in their URLS, at least half are "uncategorised". I can easily change Wordpress to render the URL without the category name (e.g., /blog-post-permalink/), but I'd like to create a mod_rewrite rule to automatically redirect any requests for the previous format to the new, cleaner one. How can I use a mod_rewrite recipe to handle this, taking into account that I want to honor requests for the real WordPress directories that are in my webroot? 1 Answer Something as simple as: RewriteRule ^/[^/]+/([^/]+)/?$ /$2 [R] Perhaps would do it? That simple redirects /foo/bar/ to /bar That seems to work great with my testing…