

Security issue in Google Website Optimizer - aresant
http://conversionvoodoo.com/blog/2010/12/security-issue-in-website-optimizer/

======
patio11
My quick read is that the code they gave you earlier allows anyone capable of
writing a cookie to execute arbitrary JS code against anyone who loads a page
with the affected JavaScript on it. It is 3 AM, though, so don't trust me on
that read.

This class of mistake is very easy to make any time you have a paradigm which
revolves around using eval(), and document.writeln() is eval() for all intents
and purposes.

I kind of prefer doing my A/B testing server side, where I have the usual
guarantee about the safety of all code I choose to execute. This isn't the
best reason to abandon GWO -- not by a long shot -- but it is an added bonus.
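
The pattern the comment above describes, as an added example that is not part of the original thread and is not Google Website Optimizer's actual code: a cookie value concatenated into markup destined for document.write(), beside a version that allowlists the value first. The cookie name `ab_variant`, the script path and all function names are hypothetical, and the sample cookies are constructed.

```javascript
// Added illustration; hypothetical names, not Google Website Optimizer's code.

// Read one cookie value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Unsafe pattern: the cookie value is pasted into markup that would then be
// handed to document.write(), so the browser parses whatever it contains.
function buildTagUnsafe(cookieString) {
  const variant = readCookie(cookieString, "ab_variant");
  return '<script src="/ab/variant.js?v=' + variant + '"></script>';
}

// Hardened pattern: accept only a short numeric id, otherwise use a default.
function buildTagSafe(cookieString) {
  const variant = readCookie(cookieString, "ab_variant");
  const id = /^[0-9]{1,4}$/.test(variant || "") ? variant : "0";
  return '<script src="/ab/variant.js?v=' + id + '"></script>';
}

// Count how many <script> elements the resulting markup would open.
function countScriptTags(markup) {
  return (markup.match(/<script\b/gi) || []).length;
}

// Constructed sample cookies: one benign, one that closes the attribute
// and opens a second script element.
const benign = "session=abc; ab_variant=2";
const hostile = 'session=abc; ab_variant="></script><script>injected()</script>';

console.log("unsafe, benign :", countScriptTags(buildTagUnsafe(benign)), "script tag(s)");
console.log("unsafe, hostile:", countScriptTags(buildTagUnsafe(hostile)), "script tag(s)");
console.log("safe,   hostile:", buildTagSafe(hostile));
```

Any page that writes the unsafe string into the document gives whoever can set that cookie a second script element of their choosing; the allowlisted version always emits exactly one tag with a numeric id.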

------
mattsx
Thanks for the update. Your readers may be interested in a simple Google
Optimizer Code checker at

<http://www.observepoint.com/optimizer-test.php>

You just enter the URL of the page in question, and it will tell you whether
the Google Website Optimizer code is up-to-date, and if it needs to be edited,
it will tell you what to change and where to change it.

