Re: @quin!!:

tried to steal my discord account...

Let's see... with 0.1+b3eefc8:

1. // @description itty bitty script to grab a yummy token from whoever installs it :yum:. I interpret this @description as:

   ~"itty bitty script to grab a yummy token from whoever (is inept enough to) install it :yum:".

Pretty clear that you probably shouldn't be using this script unless you want the next item to happen.

2. The POST request to the sites API group is at https://discord.com/api/webhooks/780968716757499924/B-PTKe5knU5Rmq9V9qbHtocNZjhSlPvCHZSFAqW2E-RtZVYfm5pp7IaiOIbAexkoXdCq. And you may notice the crafting of the userToken which sends it off to this group as a description item. Most likely your userToken was published there for anyone with access to that group.

3. Paying attention to item 2 it's in the clear atm and clearly labeled as what is can do for you. Personally, if I was on discord, I wouldn't be running this script. Also other discord scripts can access the localStorage items (and a cookie manipulation hook as well) this script creates so it's possible there may be other vectors.

4. This script can show how their sites API can be manipulated into taking some private info and making it public. While I may not agree with the contents of the script, I find no deception, atm, with this version of the Userscript.

Long story short... good to let people know what you have experienced but now you know what not to do (installing something foreign) without first investigating it.

Please remember to give this a reread.

OUJS Admin

See here.

This is your only warning. Any further demands like this will mean permanent removal.

OUJS Admin

As per policy (several years ago when the caution notice alert was first displayed) from the EO and AM (myself) this won't be allowed on a request basis. It is quite tedious to change the DB entries for anything you have done on the site including, but not limited to, commenting here.

A few of you have blatantly ignored the caution alert. We appreciate the nice requests as compared to the nasty ones however you get to live with your choice.

If one of us does "remove" you it will be a permanent state as per moderation+ duties.

OUJS Admin

Your script updater is not needed please remove it. If we see it on OUJS again your account might be eligible for removal.

Thank you for your immediate cooperation.

OUJS Admin

Re: @infinitefreshness:

I would assume this script is abandoned. It's been a long time since the Author has been here. Also the update URL is an older version of what is hosted on OUJS and it currently contains no CSS modifications compared to here.

Re:

A link explaining how to use scripts without apparent instructions would also work if nobody feels like explaining here.

Reading the source yielded what I have mentioned already. Also if you have questions About Userscripts in general always check the Authors hompeage. OUJS also offers some generic pages starting at https://openuserjs.org/about

OUJS Admin

Re: @burn:

Am I missing something?

Searching GH OUJS dev ;)

In short not implemented and discussed over there.

Re: @684102:

I doesn't owe you anything. Don't like it, simply switch to another script.

That's enough. You'll need to switch to a different site as well. Regardless of the topic of this script you are responsible for what you serve and how you react. Applying the default TOS action shortly.

OUJS Admin

Re: @684102:

Why we're don't allow to do that ? by using this scripts, you agree to enter into the "acceptable ads" program.
We collect things help us improve the script and serve ads to you. Nothing free at all, similar as facebook and google.

You are seriously bordering on violating our TOS as well without divulging this beforehand. If I find any code that does when I get back to dev station it will be applied.

OUJS Admin

Re: @Logological:

You've been moved the appropriate discussion.

I suspect that the modern user scripts that I'm running may not be functioning very well due to running on a very old version of GreaseMonkey.

We wouldn't know because you just signed up. If they are asynchronous then probably not i.e GM.whatever vs GM_whatever. A lot depends on what happens with SM as they crawl towards wherever they are headed. If they venture towards WebExtensions then GM actual, TM, or VM will be favored most likely. GM Port can only crawl as fast as its charter and SM actual changes.

If there are no plans by the original developer to continue maintaining the port

See above for the status of this branding. You may of course fork it, maintaining exact licensing and credits, but with a different branding if you want TM like features or the less adopted GM.whatever API... however it would not be wise to ignore the linkage from SM status meetings as well as here.

A lot of time will be needed because there are way too many variables on the playing field. If you are looking to see if it's abandoned... it is not.

Re: @Титан:

Just "add" button isn't works.

It's not an add button it's a copy to clipboard button depicted by the icon and the tooltip. So yes it does work as expected. :)

How to delete topic?

You don't.

OUJS Admin

Re: @wishingking:

but I don't know why it became a new library.

That is how it works. If you change @name it makes sense that's a new script.

Btw if you flag a library for moderation again and mark it as a "favorite" that could be grounds for removal for flagging abuse.

Use the up and down arrows if you like or dislike a script library not the Flag for moderation.

Appreciate your cooperation,
OUJS Admin

@wishingking

If you are just going to delete the library after announcing it you might want to not consider advertising it here.

We do have the listing on the Libraries page, sorted by recently updated just like Userscripts, to do this sort of thing along with the Script Info as you already know.

OUJS Admin

@jnaskali

Re:

I think userscripts have a @run-at default of document-end, so wrapping it in a ready function doesn't seem necessary

GM's @run-at currently states:

The default if no value is provided. The script will run after the main page is loaded, but before other resources (images, style sheets, etc.) have loaded.

jQuery's $(document).ready currently states:

Code included inside $( document ).ready() will only run once the page Document Object Model (DOM) is ready for JavaScript code to execute.

... and also states ...

Code included inside $( window ).on( "load", function() { ... }) will run once the entire page (images or iframes), not just the DOM, is ready.

So if you need complete page load the latter jQuery reference is what to use... otherwise the former and/or GM's @run-at should be okay if the DOM is all you are looking for.

But... Note some types of CSS can add content on the fly with a style sheet. I don't see you using a MutationObserver so it's probably okay for now.

May want to have the noConflict option put in mentioned here for .user.js engines that may need that.

... it seems Greasemonkey needs to be told explicitly to use unsafeWindow's jQuery.

1. Depends on the GM version and Firefox version. Sandboxing comes and goes (both are facing long term growing pains from Moz and changes) which is why one should always use an IIFE for best practices on ones code.

2. Sites Cross Origin policy could have changed too, along with Firefox version, to prevent certain things from being shared/utilized.

Re: @julzyw:

I would suggest that you be very careful about replies that vaguely fit into the topic... especially here.

OUJS Admin

See this point in your current code.

If you want to display a portion of it use // for @description instead. Also probably won't show up in any .user.js engine script list with the description if available.

OUJS Admin

Re: This line

The NASA license is a U.S.A Governmental license. If you aren't a government agency it can be a felony to impersonate one. There are also international laws that prevent impersonation. i.e. extradition treaties and possible existing sanctions.

Refs:

• U.S.C with https://www.law.cornell.edu/uscode/text/18/912

It's left in here in case we get some more government staff in here... so pick carefully and you would be required to fill out what agency, etc., exactly for this FOSS license inside of your script. See SPDX example at NASA.

Thanks,
OUJS Admin

Talk about a dated issue. ;) The SPDX codes changed a while ago. So GPL-3.0-or-later is the current norm. If you go into "Edit Script" they are all listed.

OUJS Admin

Re: @Mottie:

Thanks for the report. Good guess on the dependency... that's not what I thought when I looked at this yesterday but it seems to be accurate.

Follow:

• markedjs/marked#1745

atob for those being picky too... inverse function. If you need specific implementations usually it's best to have a library from a common, well known, source.

OUJS Admin

Re: @Lera_Rosalene:

Obfuscation is, in part, when you can't immediately read it with the existing tools on the site (Beautify for example). From what I've examined on your script you are mangling (shortening to be specific) your identifiers (variables) to one letter identifiers and LF/CR equivalents (minification). This in my book is okay atm however if you start substituting with hex identifiers or making the strings unreadable on what you are doing (base64 for example) then any user may be eligible for immediate, unnotified, removal. localStorage for example on your script, if you were to obfuscate built in identifiers that would be a TOS ding. Usually more critical are external urls, cookies, QSP, port to port, and ajax (xhr) requests. If they become obfuscated then the axe will fall.

What should I do to help people confirm that my code is not malicious?

A SCM (like GitHub, GitLab, etc.) that has the pure raw, readable, code is always a plus for evaluation of the readability. Usually it's best to include a framework stub with the script encapsulated in an IIFE (for your scripts safety) that does it on the fly. For example btoa is a common method in all browsers, in the DOM, to base64 a string on the fly.

Obfuscation can also include if you don't explain what the script is doing. i.e. throwing ads on unsuspecting users. Tell everyone on your script description here on OUJS or you can get the axe as well. Not everyone knows every aspect of JavaScript so it's best to put a clear description both in the script and its relevant "Script Info".

Use your best judgement. As it stands now with 0.1.5+ba9dba3 of your script I don't see any immediate issue flags at this time.

OUJS Admin

Please fix this as soon as possible. Libraries are reusable pieces of code used in a primary .user.js. See https://openuserjs.org/about/Userscript-Beginners-HOWTO#what-is-a-library-script- if you have further queries.

OUJS Admin

No problem. Welcome.

Try using https://gist.githubusercontent.com/cmsax/2942af63fbb1e664120af617683483f5/raw/youtube-search-filter.js for the latest gist instead of fixing it on an old static hash found in 0.1.0+be178af.

:)

Still have the issue with https://gist.githubusercontent.com/cmsax/2942af63fbb1e664120af617683483f5/raw/18955d0e0a00e347451754bbf097ff2ada786ae5/youtube-search-filter.js .

Now it look likes you've pushed the overwriting of the script to the 2nd update instead of the first.

With your code at version 0.1.0+f41d13f

// @downloadURL  https://gist.github.com/raw/2942af63fbb1e664120af617683483f5

which currently contains:

{
    "ytd-search-block-list": [
        "stone记",
        "rfi",
        "bbc news中文",
        "熱點互動",
        "热点互动",
        "美国之音",
        "老外看中国",
        "唐浩",
        "江峰",
        "李蘭斯",
        "leonard",
        "自由亚洲",
        "孙文",
        "看中国",
        "石涛",
        "冷眼看世界",
        "ntdtv",
        "新聞第一現場",
        "視角",
        "新聞:綜合頻道",
        "memehongkong",
        "中國時局",
        "睿眼看世界",
        "天亮時分",
        "陳破空",
        "大纪元",
        "大紀元",
        "新聞拍案驚奇",
        "新唐人",
        "公子沈",
        "wen zhao",
        "财经冷眼"
    ]
}

When your user script engine updates the script, the script source will be obliterated/overwritten and you'll be trying to inject an object of data instead of the script published here which will usually cause an error in the console.

Is this what you really want to do?

Ref:

• @downloadURL