Flaw in Twitter Widget code - Note to Twitter Developers!
10 views
Skip to first unread message
BuffLaser2000
Mar 19, 2011, 5:36:40 PM3/19/11
to Twitter Development Talk
In this code:
http://twitter.com/javascripts/widgets/widget.js
You are using document.write() to create the widget element. Bad bad
bad. Any AJAX site that tries to init the widget after the page loads
will have the entire page overwritten by the widget.
W3C even has this to say about document.write():
"Note: Try to avoid using document.write() in real life JavaScript
code. The entire HTML page will be overwritten if document.write() is
used inside a function, or after the page is loaded. However,
document.write() is an easy way to demonstrate JavaScript output in a
tutorial."
So, I downloaded the JS file and modified TWTR.Widget to take a
container element name as part of the options object. If
set, .innerHTML is used on the container element instead of
document.write.
This simple fix will make your widgets compatible with Web 2.0 sites.
Thanks for listening.
http://twitter.com/javascripts/widgets/widget.js
You are using document.write() to create the widget element. Bad bad
bad. Any AJAX site that tries to init the widget after the page loads
will have the entire page overwritten by the widget.
W3C even has this to say about document.write():
"Note: Try to avoid using document.write() in real life JavaScript
code. The entire HTML page will be overwritten if document.write() is
used inside a function, or after the page is loaded. However,
document.write() is an easy way to demonstrate JavaScript output in a
tutorial."
So, I downloaded the JS file and modified TWTR.Widget to take a
container element name as part of the options object. If
set, .innerHTML is used on the container element instead of
document.write.
This simple fix will make your widgets compatible with Web 2.0 sites.
Thanks for listening.
npwhiteley
Mar 22, 2011, 9:39:39 AM3/22/11
to Twitter Development Talk
I think it's also worth noting that the document.write call in the
current script also prevents any containing page from being delivered
as application/xhtml+xml.
I also modified the code to use the script's "src" attribute to get a
reference to it's parent container and then used appendChild in place
of the document.write call. Not the most elegent solution but it shows
that there are a number of alternatives to document.write in this
case.
current script also prevents any containing page from being delivered
as application/xhtml+xml.
I also modified the code to use the script's "src" attribute to get a
reference to it's parent container and then used appendChild in place
of the document.write call. Not the most elegent solution but it shows
that there are a number of alternatives to document.write in this
case.
Reply all
Reply to author
Forward
0 new messages