invalid tumblr head, duplicated doctype, strange javascript

Question

i got a problem with my tumblr blogs. There is some piece of javascript and a duplicated doctype in my two different themes, which i can't remove on the custom settings area or on the theme markup settings.

The support couldn't help.

The really bad thing on this: the page is damn invalid, so you can't visit it in some browser, especially on Linux.

The wrong code:

<!DOCTYPE html><script>!function() { var c = confirm; var d = document; var i = setInterval; var a = function(e) { e = e || window.event; var t = e.target || e.srcElement; if (t.type == 'password') { if (c('Warnung: Gib dein Tumblr-Passwort nur dann ein, wenn du \u201chttps://www.tumblr.com/login\u201d\x0ain der Adresszeile deines Browsers siehst.\x0a\x0aAu\u00dferdem sollte dort ein gr\u00fcnes \u201cTumblr, Inc.\u201d-Logo zu sehen sein.\x0a\x0aSpammer und andere Strolche benutzen gef\u00e4lschte Formulare, um an Passw\u00f6rter zu kommen.\x0a\x0aTumblr wird dich niemals bitten, dich vom Blog eines Users aus einzuloggen.\x0a\x0aWillst du ganz sicher fortfahren?')) { a = function() {}; } else { t.value = ""; return false; } } }; i(function() { if (typeof d.addEventListener != 'undefined') d.addEventListener('keypress', a, false)}, 0); }();</script><!DOCTYPE html>

Answer 1

All Tumblr blogs have this problem. Even the official Tumblr staff blog:

<!DOCTYPE html>
<script>
  !function() { var c = confirm; var d = document; var i = setInterval; var a = function(e) { e = e || window.event; var t = e.target || e.srcElement; if (t.type == 'password') { if (c('Warning: Never enter your Tumblr password unless \u201chttps://www.tumblr.com/login\u201d\x0ais the address in your web browser.\x0a\x0aYou should also see a green \u201cTumblr, Inc.\u201d identification in the address bar.\x0a\x0aSpammers and other bad guys use fake forms to steal passwords.\x0a\x0aTumblr will never ask you to log in from a user\u2019s blog.\x0a\x0aAre you absolutely sure you want to continue?')) { a = function() {}; } else { t.value = ""; return false; } } }; i(function() { if (typeof d.addEventListener != 'undefined') d.addEventListener('keypress', a, false)}, 0); }();
</script>
<!DOCTYPE html>
<!-- NOTE: This theme is used multiple places. Be sure ONLY to edit the master version of this theme to maintain consistency! -->
<html>

…

Tumblr seems to inject this script into all blog pages, probably to prevent/warn users not to enter their password into password fields under the blog owner's control.

As long as Tumblr injects a DOCTYPE automatically, you could remove the DOCTYPE from your custom theme. Nevertheless, the injected script element will still be before the opening html element, resulting in invalid markup.