Oh wow, code injection is fun. Especially in the Encyclopedia Britannica!
Look at this for a hyperlink URL: [link].
If you just look at the first part, you see http://www.britannica.com/. Great, fine, dandy, everybody feels safe following a link to the Encyclopedia Britannica site.
Uh-uh. Nope. It’s actually abusing the Britannica search page to inject JavaScript code into the search results page. The moment you land on the Britannica site, you’ll be whooshed off to some dodgy pharmaceuticals vendor!
I hadn’t seen this kind of shenanigans before. It reminds me of a few years ago, when two out of every three sites running SQL databases would succumb to ‘SQL injection’ attacks. Those were cooler, because they injected code into the server and could earn the attacker money, while the present method just annoys people.
But then think about a website like Lifehacker. When you post links in the comments section on one of their articles, the link is abbreviated to just the website name. So, the link above would be shortened to www.britannica.com. Most folks wouldn’t know they were visiting some dodgy third-party site until it was already happening!
EDIT: This blog has ‘Snapshots’ enabled, so when you hover your mouse over a hyperlink, it gives an image preview of the site you will visit next. When you mouse over the magic link above, Snapshots still shows you Encyclopedia Britannica. Yet when a human actually clicks on it…
Compare this behaviour to what happens when you search on Wikipedia: [link]. Wikipedia just turns around and says, “ask a silly question, get a silly answer”. No redirection for you.
It just goes to show that the Encyclopedia Britannica is poor by comparison to Wikipedia.
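
The difference between the two search pages comes down to whether the search term is encoded before it is written into the results page, and a reader can spot such links by decoding the query string instead of trusting the host name. The following is an added example, not code from either site or from this post; the function names, the page template and the placeholder hosts are assumptions for illustration.

```javascript
// Constructed search term carrying markup; example.invalid is a placeholder host.
const SAMPLE_QUERY = '<script>location="https://example.invalid/"</script>';

// Vulnerable pattern: the search term is pasted into the page as-is,
// so any markup in it becomes part of the document.
function renderResultsUnsafe(query) {
  return `<h1>Search results for ${query}</h1><p>No results found.</p>`;
}

// Encode the five characters that are significant in HTML text and
// quoted attribute values. '&' must be replaced first.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: the term is encoded for the HTML context it lands in,
// so the browser displays it as text instead of parsing it.
function renderResultsSafe(query) {
  return `<h1>Search results for ${escapeHtml(query)}</h1><p>No results found.</p>`;
}

// Reader-side check for the abbreviated-link problem: decode every query
// parameter of a link and report those whose value contains angle brackets.
function paramsCarryingMarkup(link) {
  const url = new URL(link);
  const flagged = [];
  for (const [name, value] of url.searchParams) {
    if (/[<>]/.test(value)) flagged.push(name);
  }
  return flagged;
}

// Constructed link to a hypothetical search endpoint on a placeholder host.
const SAMPLE_LINK =
  'https://encyclopedia.example/search?query=' + encodeURIComponent(SAMPLE_QUERY);

console.log(renderResultsUnsafe(SAMPLE_QUERY)); // script element survives intact
console.log(renderResultsSafe(SAMPLE_QUERY));   // term appears as literal text
console.log(paramsCarryingMarkup(SAMPLE_LINK)); // [ 'query' ]
```

Encoding at output time is what makes the second renderer safe; the link check only helps a reader or a comment system decide whether a link deserves a closer look before it is shortened to its host name.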