Deobfuscating the Facebook Spam Script

Here is the proper deobfuscated code:<p><a href="http://pastebin.com/nkBx8GbH" rel="nofollow">http://pastebin.com/nkBx8GbH</a><p>reddit disusses it nicely:<p><a href="http://www.reddit.com/r/netsec/comments/h9ke3/facebook_being_hit_by_an_xss/" rel="nofollow">http://www.reddit.com/r/netsec/comments/h9ke3/facebook_being...</a>

Wouldn't it be possible to deny any scripts that looked like that? I know that it must obviously be legal Javascript, but if it's formatted like one blob of text, deny. This might be a too naive approach to work, I'm mostly raising the question out of curiosity, is it possible to spot obfuscation programmatically.

I was drawn to security for a while mostly because javascript like that must be so much fun to write and encrypt. Although it's almost as much fun to decrypt. Until I get some more free time I guess I'll settle for reading about it.<p>Also, I love the first comment on this article: "Didn’t you just violate DMCA?"

I'm no user of Facebook, and when I see this material, I highly doubt I will ever try it. Why is Facebook unleashing this kind of stuff on its members? It shows the traits of malicious JavaScript that shady sites use to exploit security vulnerabilities in browsers. Why aren't Facebook members not allowed to know what they're made to run? Does Facebook have something nasty to hide?