Can all mozilla people look away now please

Wednesday, 9 June 2010

Custom setters syntax are being removed from Firefox in the next version.. boo I here you say well at least some of you. If you don’t know Firefox decided it would create it’s own setter syntax (I love it when you do that you know) ages ago and it looked something like this:-

a setter=alert,a=1//calls alert(1)

Whacky indeed. They decided to remove it. So I was messing with JavaScript like I do near enough every day and I stumbled upon this:-

Object.prototype.__noSuchMethod__=function(s){ alert(s); };
1..*(1)

What was surprising was that “alert” returned “*” not 1 as you would expect. The crazyness then continued:-

Object.prototype.__noSuchMethod__=function(s){ eval(s); };1.['alert(1)']()

Not looking at MDC and still not understanding why this was happening Mario pointed out “oh it’s sending the name of the function via the noSuchMethod” then big doh moment oh yeah. But then that means…..we have a new setter syntax!!!!

//existing code
function x(s) {
  eval(s);
}
//our evil injection
Object.prototype.__noSuchMethod__=x;new/a/['alert(1)']

If you work at Mozilla please look away now because I like this crazy syntax so don’t fix it.

The entry 'Can all mozilla people look away now please' was posted on June 9th, 2010 at 1:36 pm and is filed under Firefox, javascript, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

4 Responses to “Can all mozilla people look away now please”

  1. Brendan Eich writes:
    No. 1 — June 9th, 2010 at 3:57 pm

    “Firefox decided” is all wrong.

    “Ages ago” is right — this is the original getter/setter syntax, which I came up with in 1999 for JS1.5.

    Ok, these are nit-picks. I’m glad you like this crazy syntax, but it never made it into the ECMA-262 standard, so it’s gone from Firefox nightly builds.

    The other extensions you’re using include a standard one, E4X (ECMA-357), specifically the * (anyname) identifier; and of course __noSuchMethod__, which is superceded in the standard by the righteous Proxy proposal (http://wiki.ecmascript.org/doku.php?id=harmony:proxies).

    /be

  2. Gareth Heyes writes:
    No. 2 — June 9th, 2010 at 4:59 pm

    @Brendan

    Thanks sorry I thought it was originally from FF. Honoured you read my post 🙂

  3. Brendan Eich writes:
    No. 3 — June 10th, 2010 at 6:19 am

    No worries — I’m speaking this morning in London (Web Directions @media keynote), including a bit about JS history. Judging from the interest lately, I should write a book!

    /be

  4. David Lindsay writes:
    No. 4 — June 10th, 2010 at 4:19 pm

    I love the deprecated setter syntax! Will be sad to see it go. It was great for XSS filter bypasses. Your new syntax is pretty nice too, but much harder to squeeze past an XSS filter. I’m sure we’ll find some good uses for it still though 😀

    @Brandon Perhaps you could give some insights to some of the fun stuff posted here: http://sla.ckers.org/forum/read.php?24,33938,page=1 🙂

«
»