Copypasted from a submission from a while ago, there might be some errors:
While trawling the net to find that one really good but elusive album, I came upon this gem of a music store. Searching for anything at all causes the server to dump a 120+ KB HTML file with embedded JavaScript onto the client. Since the site is otherwise exceedingly spartan, I examined the source of the frame, and found the attached abomination.
Now, at first glance it's just the 1247 array assignments that stick out, one for each product in the store. A second glance shows that the search is an iteration over this array, comparing with the search string. The operative expression is:
if (search_items[i].name.toLowerCase().indexOf(parent.parent.parent.extra.core.searchPhrase) != -1) {
Some nice cross-frame scripting there. The search page is basically built with JavaScript entirely on the client, using data sent to the client embedded in JavaScript.
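The client-side search described above, reconstructed as an added example (not code from the original post or from the Shopfactory package): the catalogue entries are constructed, the search phrase is passed as a parameter instead of being read through the parent.parent.parent frame chain, and a helper measures how many bytes the embedded catalogue costs every visitor.

```javascript
// Constructed catalogue in the shape the page describes: one assignment per
// product, the whole array shipped to the browser inside the search frame.
const search_items = [];
search_items[0] = { name: "Sibelius: Symphony No. 2" };
search_items[1] = { name: "Värttinä - Aitara" };
search_items[2] = { name: "Miles Davis - Kind of Blue" };
search_items[3] = { name: "Sibelius: Violin Concerto" };

// The loop the page describes: each product name is lowercased and tested
// with indexOf against the phrase. In the original the phrase comes from
// parent.parent.parent.extra.core.searchPhrase; here it is a parameter.
function searchAsShipped(items, searchPhrase) {
  const hits = [];
  for (let i = 0; i < items.length; i++) {
    if (items[i].name.toLowerCase().indexOf(searchPhrase) != -1) {
      hits.push(i);
    }
  }
  return hits;
}

// Same search with the phrase normalised the same way as the names, so a
// phrase typed with capitals still matches (the shipped loop only lowercases
// the product name, not the phrase).
function searchNormalised(items, searchPhrase) {
  return searchAsShipped(items, searchPhrase.toLowerCase());
}

// What every visitor downloads: render the assignments as embedded script
// lines and measure their UTF-8 size.
function embeddedCatalogueBytes(items) {
  const lines = items.map(
    (it, i) => `search_items[${i}] = ${JSON.stringify(it)};`
  );
  return Buffer.byteLength(lines.join("\n"), "utf8");
}

console.log(searchNormalised(search_items, "Sibelius"));
console.log(embeddedCatalogueBytes(search_items) + " bytes of catalogue");
```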
The store is at http://www.cd-kauppa.fi/ but isn't the real perpetrator, since they're just using a webstore package from Shopfactory. Some googling reveals another site using that package and having the same flaw. This does appear to be an older version of the software, though.
Unfortunately, the newer versions I found are starting to have a quite enterprisey feel to their frame/JavaScript complexity. For instance, on the page at http://www.ninisfavorites.com/ (which uses version 6), looking at toc.html in the left frame, I count at least 11 separate script tag blocks. Towards the end of the file is this one, which causes the search box to be displayed:
<input class="SearchTextField" type="text" name="phrase" size="12" maxlength="40" value="lds" onfocus="javascript:if(this.value==\''+ld('LD_SEARCHPHRASE')+'\')this.value=\'\';" onblur="javascript:if(this.value==\'\')this.value=\''+ld('LD_SEARCHPHRASE')+'\';">
The dw() function is simply this:
function dw(s){document.write(s);}
In fact, this function is used all over the place. The ld() function on the other hand fetches a string from the top document in the frameset stack, probably for I18N purposes, but with its obfuscation and eval() calls, I'm getting headaches by now. I'm almost suspecting that the whole thing is some kind of client-side dynamic web site...
Speaking of the frameset stack, the journey continues: using the DOM inspector, I count 7 different framesets with a max nesting level of 5, while tables come in at 10, nesting level 3. Total number of script tags: 58.
I found a version 7 lite lying around in the usual shady repositories for software and installed it, and it offered some improvement: just one frameset and 54 script tags from the main page. As browser punishment, it introduces 34 iframes instead, and I hadn't even put in any content yet.
I attempted to download a trial version just for kicks, but they wanted an email address, with the explicit intention to put it on their mailing list with no opt-out and an alleged unsubscribe, so I passed on that. The price seems to be 319 / 639 euro for pro/gold version respectively.
Unfortunately, (or fortunately), the music store ultimately didn't have the CD I was looking for.