This was patched yesterday afternoon.


On Aug 25, 2009, at 11:38 PM, Costa Rica wrote:

Hello Twitter,
Any official word on this apparent vulnerability around the Source
parameter and cross site scripting?

On Aug 22, 9:46 am, Chad Etzel wrote:
Hi All,

We did not intend for the nofollow string to be included in API
results. It is on our list to fix. In the meantime you will need to
parse around it.


On Sat, Aug 22, 2009 at 11:20 AM, Costa Rica wrote:

Thanks to all for your suggestions on how to parse, remove nofollows
or extract the URL, but that's not the bottom line of my message. There
are some source parameters that are posting automated crap constantly,
and since I run a trending engine I continuously exclude these tweets.
Yes I can parse and str replace and even base myself only on the URL,
but the 2 side effects are that my processing time increases (a simple
string compare vs a regex) - which becomes significant as I increase
the volume I intend to process, and that the URLs themselves can
easily change to work around these filters.
I will keep my simple compare - the sites are not that many and the
processing toll of regex'ing this does not merit it - but I would
appreciate some word from Twitter when the source parameter is being
changed, or else some sourceid that is stable.

On Aug 21, 10:17 pm, TCI wrote:
Recently you added nofollows, and now you moved the nofollow after
the href. Some of us filter these out and you changing them is only
making it more complicated. Please make up your mind and stop changing

<a href="";>Fun140</a>

<a rel="nofollow" href="";>Fun140</a>

<a href=""; rel="nofollow">Fun140</a>
