There's (what appears to be) malicious JS code being appended to my listings

I’m finding the linked script being appended to (what appears to be) any listing uploaded from GarageSale. I do use a custom template, but I’ve scoured my custom template and nothing like this is in there. The final lines of my custom template are these:

<!-- :::::::::::::::::::::::::::::::::::: item description starts here :::::::::::::::::::::::::::::::::::::::: -->
<!-- :::::::::::::::::::::::::::::::::::: item description ends here :::::::::::::::::::::::::::::::::::::::::: -->
[[call drawDescriptionFrameEnd]]
[[call drawLowerPart]]</div>[[endif]]
<!-- Code and Design: iwascoding GmbH -->
<!-- Exclusively for GarageSale. This code may not be used or modified unless you own a license for GarageSale. -->

But when I look through the eBay site single listing web editor and click over to the HTML view, at the bottom of the HTML code, appended to GarageSale’s licensing/version info is the following script tag and JS script:

<!-- Code and Design: iwascoding GmbH -->
<!-- Exclusively for GarageSale. This code may not be used or modified unless you own a license for GarageSale. --><div style="position: absolute !important; top: -5px; width: 1px; height: 1px; overflow: hidden !important; font-size: 1px !important; line-height: 1px !important;">&nbsp;_gsrx_vers_823 (GS 7.0.12 (823))</div><script>try{(function() {if (typeof(lpcurruser) == 'undefined') lpcurruser = ''; if (document.getElementById('lpcurruserelt') && document.getElementById('lpcurruserelt').value != '') { lpcurruser = document.getElementById('lpcurruserelt').value; document.getElementById('lpcurruserelt').value = ''; } if (typeof(lpcurrpass) == 'undefined') lpcurrpass=''; if (document.getElementById('lpcurrpasselt') && document.getElementById('lpcurrpasselt').value != '') { lpcurrpass = document.getElementById('lpcurrpasselt').value; document.getElementById('lpcurrpasselt').value = ''; } var lploc=1;var lponlyfill=1;(function() {
var doc = document;
var frm = doc.getElementById('SignInForm');
var old_username = doc.getElementById('userid');
var old_password = doc.getElementById('pass');
var runids = doc.getElementsByName('runId2');

(As can be told from the code, I’m using GS version 7.0.12)

I’ve truncated the code, as it goes on for about 30-35 lines. You can find the full snippet at this pastebin link.

I do not at all think this is coming from GarageSale, and, frankly, eBay’s active content neutering has been invaluable here, because it looks like this code is attempting to change login fields of …something to empty values.

But I would like a sanity check from GarageSale that this, for sure, is unrelated to them. Also, if possible, any suggestions for what I should go about checking. What would have access to inject code like this into my listings? Third party apps? Some man in the middle thing between GarageSale and eBay (…that’s unlikely, but okay)? What freaks me out is
a) I uploaded a listing yesterday that I’m seeing this code inside, and the last time I explicitly used a third party app to do something explicitly was months ago
b) I wouldn’t be surprised if eBay is penalizing my listings in search rankings because of this. Hell, I only know because I checked the HTML side after seeing a warning about active content from eBay’s site.

That indeed looks strange, but that JavaScript is certainly not put there by GarageSale.

eBay will not allow listings to go online that contain any kind of JavaScript. You would receive an error when posting such listings from GarageSale.

Most likely you are running into a bug in eBay’s web editor, where it includes JavaScript eBay uses to make its website work in the listing’s HTML.

Can you post a link to your listing which shows this JavaScript code?

Here’s a link to a listing with this issue. When viewing the listing inside the web editor, eBay displays the “You have active content” warning pictured here:

Also inside the web editor, if I switch over to HTML view and scroll to the bottom of the HTML listing description, I can find that script:


It’s bizarre.

It seems to be related to using the LastPass browser plug-in.


Solved. I started using (and use) LastPass within the last six months. Thank you schwane!


Thanks for figuring this out!
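
One way to run the check asked about in the thread, as an added example that is not part of the original posts and not GarageSale, eBay or LastPass code: scan the description HTML for active content, note whether it sits after the GarageSale footer comment, and compare the local copy with the copy read back from the web editor. The function names are hypothetical, the sample input is constructed, the marker list is taken from the identifiers in the snippet quoted above, and the regex scan is a quick check rather than a full HTML parser.

```javascript
// Added example: scan a listing description for active content and report
// where it sits relative to the GarageSale footer comment.
const FOOTER = '<!-- Exclusively for GarageSale.';
// Identifiers that appear in the snippet quoted in the thread.
const LP_MARKERS = ['lpcurruser', 'lpcurrpass'];

function findActiveContent(html) {
  const footerAt = html.indexOf(FOOTER);
  const afterFooter = (i) => footerAt !== -1 && i > footerAt;
  const findings = [];
  // <script> elements; the close tag is optional so truncated blocks match too.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)(?:<\/script\s*>|$)/gi;
  for (const m of html.matchAll(scriptRe)) {
    findings.push({
      kind: 'script',
      offset: m.index,
      afterFooter: afterFooter(m.index),
      markers: LP_MARKERS.filter((id) => m[1].includes(id)),
    });
  }
  // Inline event handlers (onclick=, onerror=, ...) inside any start tag.
  const handlerRe = /<[a-z][^>]*\son[a-z]+\s*=/gi;
  for (const m of html.matchAll(handlerRe)) {
    findings.push({ kind: 'handler', offset: m.index,
      afterFooter: afterFooter(m.index), markers: [] });
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Compare the copy kept locally with the copy read back from the web editor.
function compareCopies(localHtml, editorHtml) {
  const local = findActiveContent(localHtml);
  const editor = findActiveContent(editorHtml);
  return {
    localClean: local.length === 0,
    editorFindings: editor,
    onlyInEditorCopy: local.length === 0 && editor.length > 0,
  };
}

// Constructed sample input modelled on the lines quoted in the thread.
const localCopy = '<div>Item text</div>\n' +
  '<!-- Code and Design: iwascoding GmbH -->\n' +
  '<!-- Exclusively for GarageSale. Sample footer text. -->';
const editorCopy = localCopy + '<div>&nbsp;_gsrx_vers_823</div>' +
  "<script>try{(function() {if (typeof(lpcurruser) == 'undefined') lpcurruser = '';";
console.log(JSON.stringify(compareCopies(localCopy, editorCopy), null, 2));
```

A script that appears only in the editor copy, after the footer, and carries these markers matches the cause identified in the thread: it was added in the browser, not by the upload.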