Snap! version 6.9 and the JavaScript Function block

OK thx, I was less concerned about whether I had caught an infection, vs how I should advise students to interact with Snap next school year. It sounds like to me this is much security ado about very little (which is to say, the appropriate amount of ado)

Solution: a d s

(Not popup, just use Google ads; maybe add them on the side of the forums page or side of the main site page)

I'm honored that you read my old articles! :~) And, yeah, that.

The scope of the problem was very different then, though. There was no Internet. (There was the Arpanet, but random high schools weren't on it.) So the good guys and the bad guys were all in the same room, and nobody really wanted to hurt anybody; they just wanted to show off.

Many ads use Google, which is known for contradicting its motto and being evil with trackers

Cool Blocks by Earth comment pic

New update long comments:(

So is this right? To say that?

Also, are libraries using JS exempt from this?
(quote unrelated to above text)

Two words

hash collision

Ugh. No.

You make a lot of money from advertising if you're Google or Facebook and you provide the infrastructure that allows targeted advertising. If you're a little web site with only a few users, maybe you make enough money to feed your Diet Coke with Splenda habit.

And, kids and parents and teachers trust us because we don't exploit kids to make money. If we were ever going to change that, I'd vote to charge you $5/month or something, rather than run advertising whose content we don't control.

Sure.

What if a moderator was to work for free? Like they didn't want to get paid they just wanted to moderate?

As Shoshana Zuboff pointed out, Google quietly retired that slogan as soon as they started tracking user preferences to sell targeted ads.

Yes, I was referring to before it was retired, and the fact that it was there in the first place.

The plan for libraries is that we'll include their essential JS functions in Snap! itself, and have a CALL HIDDEN PRIMITIVE block (probably with a shorter name) that has a dropdown input with a list of those functions plus a variadic input for whatever inputs the primitive needs. So, no, libraries can't run unconstrained JS code either.

We'll have to make sure these functions don't have stupid buffer overrun bugs and that sort of thing, of course, but it's still a finite set of functions to worry about.

Gotta go, y'all, I have a meeting...
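The named-primitive dispatch described in the post above, sketched as an added example that is not part of the original thread and is not Snap!'s own code. The primitive names, the registry layout and the function names are all hypothetical, and inputs are assumed to be plain text, numbers or booleans.

```javascript
// Added illustration; every name here is hypothetical, not Snap!'s real API.
// The reviewed, finite set of functions shipped with the environment.
// A Map (not a plain object) is used so that names such as "constructor"
// or "__proto__" cannot resolve to inherited properties.
const PRIMITIVES = new Map([
  ['reverse text', { arity: 1, fn: (s) => [...String(s)].reverse().join('') }],
  ['clamp', { arity: 3, fn: (x, lo, hi) => Math.min(Math.max(x, lo), hi) }],
  ['sum', { arity: null, fn: (...xs) => xs.reduce((a, x) => a + Number(x), 0) }],
]);

// What the block's dropdown would offer: names only, never code.
function dropdownChoices() {
  return [...PRIMITIVES.keys()];
}

// Inputs arrive from an untrusted project file, so accept plain values only.
function isPlainValue(v) {
  return ['string', 'number', 'boolean'].includes(typeof v);
}

// Dispatch by name. The name is only ever used as a lookup key; nothing
// loaded from the project is passed to eval or the Function constructor.
function callHiddenPrimitive(name, ...inputs) {
  const entry = typeof name === 'string' ? PRIMITIVES.get(name) : undefined;
  if (!entry) {
    throw new Error('not an allowed primitive: ' + String(name));
  }
  if (entry.arity !== null && inputs.length !== entry.arity) {
    throw new Error(name + ' expects ' + entry.arity + ' input(s)');
  }
  if (!inputs.every(isPlainValue)) {
    throw new Error(name + ' accepts only text, numbers and booleans');
  }
  return entry.fn(...inputs);
}

// Constructed sample calls, as a saved project might request them.
function demo() {
  const attempts = [['sum', 1, '2', 3], ['clamp', 15, 0, 10],
                    ['constructor'], ['console.log(1)']];
  return attempts.map(([name, ...inputs]) => {
    try { return callHiddenPrimitive(name, ...inputs); }
    catch (e) { return 'rejected'; }
  });
}
```

A project file can only choose among the registered names, so review effort stays bounded by the size of the registry rather than by the number of projects.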

Whitelisted hashes of JS body will be a one-evening exercise, but the whole rewrite may be harder than it looks. Control structures libraries are probably sensitive to both JS and Snap! execution context.

If I understand correctly, in a project that contains 30 sprites with multiple blocks, I will have to search all the blocks, one by one, to find the blocks that contain javascript, and evaluate the code to see if this code is malicious?

Even the blocks in the libraries contain javascript!

ooh the possibilities! 10% of say or ask blocks present branded content instead -- bh and Jens will be rollin in the scratch! <-- lol unintended pun I swear

Wait there is no way that's true lol. Isn't that against policy?

I'm not saying what is, I'm joking what could be :money_mouth_face: :money_with_wings: :moneybag:

Not after we implement the hidden primitive thing.

No, because if we saved that in the project, the bad guy could just enable it for you!