bloglines

Bloglines Update

Great news, Bloglines addressed the "onfocus/nofocus" problem and the Greasemonkey script I wrote isn't needed anymore. I got an email from Paul at Bloglines letting me know that, "Our anti-XSS code was being too aggressive and attempting to filter attribute values, in addition to attribute keys." Thanks, Paul! I'm very happy they took time out to address the problem because I think it's a great service and I didn't want to move to another reader. If you installed the Greasemonkey script, you can get rid of it. I deleted it from my server.
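The difference between filtering attribute values and filtering only attribute keys, as an added example (not Bloglines' code and not part of the original post): `bluntFilter` reproduces the behaviour described here, while `keyOnlyFilter` is one hypothetical way to drop event-handler attributes by name and leave URLs alone. It assumes double-quoted attribute values; the function names and the sample markup are constructed for illustration.

```javascript
// Added illustration; not Bloglines' actual filter.
// Strict grammar for an opening tag: name, then name or name="value" pairs.
const OPEN_TAG = /^<([a-z][a-z0-9]*)((?:\s+[^\s=>"\/]+(?:\s*=\s*"[^"]*")?)*)\s*(\/?)>$/i;
const CLOSE_TAG = /^<\/[a-z][a-z0-9]*\s*>$/i;

// Blunt approach: rewrite the handler name anywhere inside a tag.
// This neutralises the attribute key but also corrupts values such as URLs.
function bluntFilter(html) {
  return html.replace(/<[^>]*>/g, tag => tag.replace(/onfocus/gi, "nofocus"));
}

// Key-aware approach: parse each tag, drop attributes whose *name* starts
// with "on", and re-emit the remaining attributes with values untouched.
// Only event-handler attributes are covered; URL schemes are out of scope.
function keyOnlyFilter(html) {
  return html.replace(/<[^>]*>/g, tag => {
    if (CLOSE_TAG.test(tag)) return tag;
    const m = OPEN_TAG.exec(tag);
    // Fail closed: anything the strict grammar cannot parse is escaped to text.
    if (!m) return tag.replace(/</g, "&lt;");
    const kept = [];
    const attrRe = /([^\s=>"\/]+)(?:\s*=\s*"([^"]*)")?/g;
    for (const a of m[2].matchAll(attrRe)) {
      if (/^on/i.test(a[1])) continue; // event-handler key: drop it
      kept.push(a[2] === undefined ? a[1] : `${a[1]}="${a[2]}"`);
    }
    const attrs = kept.length ? " " + kept.join(" ") : "";
    return `<${m[1]}${attrs}${m[3] ? " /" : ""}>`;
  });
}

// Constructed sample: a harmless link to the site plus an injected handler.
const sample = '<a href="http://www.onfocus.com/" onfocus="alert(1)">link</a>';
console.log(bluntFilter(sample));   // domain rewritten to nofocus.com
console.log(keyOnlyFilter(sample)); // handler removed, domain intact
```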

Bloglines Greasemonkey Script

In January I posted about a peculiar problem between this site and Bloglines: Bloglines filtering. Basically, Bloglines filters out the word "onfocus" from links to avoid cross-site scripting (XSS) attacks. The filter isn't smart enough to realize that "onfocus.com" is perfectly ok, and not a threat. This means that anytime someone links to my site, or I link to images on my site, the Bloglines filter changes the domain from onfocus.com to nofocus.com. When people click on a link to my site within Bloglines, they get a 404 error page at nofocus.com. (System administrators over at nofocus.com must wonder why they get some strange 404 errors showing up in their logs.)

Anyway, I've emailed Bloglines about the problem several times and now I'm getting silence. I don't blame them; this is an obscure issue that only affects one of the millions of sites that flow through their system. But it still bugs me, so I wrote a quick Greasemonkey script to solve the problem. If you use Bloglines and Firefox and Greasemonkey, I encourage you to install this script: fix-bloglines-onfocus.user.js. (Of course, if you're reading this from within Bloglines, you'll need to visit onfocus.com directly to get the script.) The script changes any instance of "nofocus.com" to "onfocus.com". This script is as blunt as Bloglines' XSS filter, but it's my attempt to fix the issue from this end.

Many thanks to Mark Pilgrim for his Greasemonkey Patterns—it's a great resource for building scripts.

Update: Bloglines fixed their XSS filter.

Bloglines filtering

If you subscribe to any of my RSS feeds in Bloglines you might be wondering why images aren't appearing in my posts there. Well, onfocus is a common JavaScript function and Bloglines changes any instances of onfocus appearing in a link tag to nofocus to prevent cross-site scripting attacks. Unfortunately, that means all of my image URLs are pointing to nofocus.com at Bloglines, and of course my images aren't at that domain. I knew choosing a geeky domain name would eventually come back to haunt me. ;)

I sent an email to Bloglines support explaining the issue, and hopefully they'll be able to make an exception for my feeds.

Update: Bloglines asked me to find a workaround, and they say they're still looking into it. I guess I could host all of my images at another domain, but that kind of defeats the purpose of having a domain. Oh well, I suppose this is an odd problem for them.