Quote:
Originally Posted by Matth
I'm reliably informed thusly:
What it does very cleverly is dissect individual letters from the
runtime string constants like "object", "false" and "true", then
concatenate them back together to make a string representation of the
code it wants to execute, which it can do because javascript is a
dynamic language ...
All that demo code does is build the equivalent of
window["alert"](1)
but without containing any alphanumerics itself. With similar techniques,
and by making use of additional string constants (you could get hold of
"null", "number", "string", "undefined" and "array" easily), you could
grab 18 out of the 26 letters to play with:
abcdefg_ij_lmno__rstu___y_
With suitable cunning, you could start to patch together a sizeable
fraction of whatever code you really wanted to inject, all without
looking like recognisable code.
Or something..