Can all Mozilla people look away now please
Wednesday, 9 June 2010
Custom setter syntax is being removed from Firefox in the next version. Boo, I hear you say, well, at least some of you. If you don’t know, Firefox decided it would create its own setter syntax (I love it when you do that, you know) ages ago, and it looked something like this:-
a setter=alert,a=1//calls alert(1)
Whacky indeed. They decided to remove it. So I was messing with JavaScript like I do near enough every day and I stumbled upon this:-
Object.prototype.__noSuchMethod__=function(s){ alert(s); };
1..*(1)
What was surprising was that “alert” returned “*”, not 1 as you would expect. The craziness then continued:-
Object.prototype.__noSuchMethod__=function(s){ eval(s); };1.['alert(1)']()
Not looking at MDC and still not understanding why this was happening, Mario pointed out “oh, it’s sending the name of the function via the noSuchMethod”, then big doh moment, oh yeah. But then that means… we have a new setter syntax!!!!
//existing code
function x(s) {
  eval(s);
}
//our evil injection
Object.prototype.__noSuchMethod__=x;new/a/['alert(1)']
If you work at Mozilla, please look away now, because I like this crazy syntax, so don’t fix it.
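The eval-in-handler pattern above is not tied to `__noSuchMethod__`: a standard Proxy `get` trap gives the same catch-all, so any handler that receives a missing-method name has to treat that name as untrusted input. The following is an added example, not code from the original post; `makeCatchAll`, `record`, `unsafeHandler`, `safeHandler` and `ALLOWED` are assumed names, and it shows the unsafe handler next to an allowlist dispatcher:

```javascript
// Added example; makeCatchAll, record, unsafeHandler, safeHandler and ALLOWED are
// hypothetical names. A standard Proxy "get" trap stands in for __noSuchMethod__:
// calling a missing method hands the method NAME to the handler as a string.
function makeCatchAll(target, handler) {
  return new Proxy(target, {
    get(obj, name, receiver) {
      if (typeof name === 'symbol' || name in obj) {
        return Reflect.get(obj, name, receiver); // real members behave normally
      }
      return (...args) => handler(name, args);   // missing member: catch-all
    },
  });
}

const calls = [];                       // stands in for alert(): records what ran
function record(v) { calls.push(v); return v; }

// The pattern from the post: the handler evaluates the method name as code.
function unsafeHandler(name) {
  return eval(name);
}

// Hardened handler: the name is only a lookup key into a fixed allowlist.
// A Map is used so inherited keys such as "constructor" can never match.
const ALLOWED = new Map([
  ['ping', () => 'pong'],
  ['sum', (a, b) => a + b],
]);
function safeHandler(name, args) {
  const fn = ALLOWED.get(name);
  if (!fn) throw new TypeError('no such method: ' + name);
  return fn(...args);
}

function demo() {
  calls.length = 0;
  const unsafe = makeCatchAll({}, unsafeHandler);
  const safe = makeCatchAll({}, safeHandler);
  unsafe['record(1)']();                // constructed input: the name is evaluated
  let rejected = false;
  try { safe['record(2)'](); } catch (e) { rejected = e instanceof TypeError; }
  return { evaluated: calls.slice(), rejected, sum: safe.sum(2, 3) };
}

console.log(demo());
```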
No. 1 — June 9th, 2010 at 3:57 pm
“Firefox decided” is all wrong.
“Ages ago” is right — this is the original getter/setter syntax, which I came up with in 1999 for JS1.5.
Ok, these are nit-picks. I’m glad you like this crazy syntax, but it never made it into the ECMA-262 standard, so it’s gone from Firefox nightly builds.
The other extensions you’re using include a standard one, E4X (ECMA-357), specifically the * (anyname) identifier; and of course __noSuchMethod__, which is superseded in the standard by the righteous Proxy proposal (http://wiki.ecmascript.org/doku.php?id=harmony:proxies).
/be
No. 2 — June 9th, 2010 at 4:59 pm
@Brendan
Thanks, sorry, I thought it was originally from FF. Honoured you read my post 🙂
No. 3 — June 10th, 2010 at 6:19 am
No worries — I’m speaking this morning in London (Web Directions @media keynote), including a bit about JS history. Judging from the interest lately, I should write a book!
/be
No. 4 — June 10th, 2010 at 4:19 pm
I love the deprecated setter syntax! Will be sad to see it go. It was great for XSS filter bypasses. Your new syntax is pretty nice too, but much harder to squeeze past an XSS filter. I’m sure we’ll find some good uses for it still though 😀
@Brendan Perhaps you could give some insights into some of the fun stuff posted here: http://sla.ckers.org/forum/read.php?24,33938,page=1 🙂