Javascript Eval: A lesser Evil?

Wed, 14 Dec 2011 18:24:00 -0500

The evilness of window.eval has been beaten to death. I’ll save you a recap, but the biggest drawback is its potential for XSS. However, there are still valid (though limited) uses of eval—mostly to parse JSON when native methods are not available.

Futzing around, I noticed that it possible to execute javascript without eval.

var div = document.createElement("div");
div.innerHTML = "";
div.firstChild.onchange();

There isn’t much to gain from this. But if moved into an iframe and fire the onclick event rather than calling it directly, could it be possible to dereference the parent window? That might allow a more secure state for using our new “eval”.

The following does just this. The parent window is detached by first removing the iframe from the document. Afterward, window.top no longer references the parent window.

window.SECRET = "!"; // something to hide!
window.IFRAME = document.createElement("iframe");
document.lastChild.appendChild(IFRAME); 
var doc = IFRAME.contentWindow.document;
doc.open();
doc.write("");
doc.close();
var input = doc.getElementsByTagName("input")[0];
if (doc.createEvent) {
    var event = doc.createEvent("MouseEvent");
    event.initMouseEvent("click", true, true, window, 0, 0, 0, 0, 0, 
        false, false, false, false, 0, null);
    input.dispatchEvent(event);
} else if (doc.fireEvent) {
    input.fireEvent("onclick");
}

Prints:

Secret: 1
Secret: Whaa!

Example

I’ve mocked up a simple test using this concept. Enter javascript below and run. Note: you won’t have access to any of the usual functions (alert, console, etc.).

Tested in IE, Chrome, and Firefox. (working out some of the kinks of this demo - bare with me :)

Gah. So much wasted energy.

Sun, 28 Aug 2011 15:16:00 -0400

Perhaps you’ve noticed that my previous content is gone. If you didn’t, no worries, it wasn’t worth reading.

I’ve been struggling with my blog for the last couple months. I’ve wanted to post, but my shitty-themed wordpress laden with useless posts kept even its author away. After some fresh inspiration from a new job (at Monetate) and quitting serious gaming, I’ve finally gotten around to doing something about it.

I wanted to start over (or start, really). I prototyped a design, but I wasn’t sure how I was going to set it up. I considered updating my existing wordpress design, writing my own blog software, hosting on EC2, Rackspace Cloud, or MediaTemple’s (gs). But all this never made much sense. Writing my own blog wasn’t something I was passionate about. I was sick of Wordpress’s constant tugging to update. And paying for blog hosting wasn’t something I needed. I know plenty of awesome people who do host their own blog, and while there are good reasons to do so, I found there to be too much to leverage from managed hosting. At least, for now.

Tumblr

I chose to move to Tumblr for a couple reasons:

to customization
Clean admin and draft-to-publish workflow
Custom domain
Additional pages
Tumblr core & community (permalinks, short-urls, likes, followers, etc.)

Anyways, I’m happier now that I’m here. Maybe.

Spencer Creasey

Javascript Eval: A lesser Evil?

Example

Gah. So much wasted energy.

Tumblr