Function is the new window

Friday, 10 September 2010

I discovered while reading some Firefox code that E4X allows you to call standard functions by using the special namespace. This is cool! We can now define setters etc on the XML prototype and call functions on E4X objects. It looks like this:-

<></>.function::toString();

Would Firefox be crazy enough to include this special namespace on all objects? Well they made the decision to include E4X methods on every object so I guess there’s no reason that it wouldn’t be included on window, it is the global object after all that means…..

function::['alert'](1)//mario discovered this 🙂

Yes that is why “function” is the new window. But it doesn’t finish here oh no it gets even better Yosuke Hasegawa found some “magic strings”. That means accessing the namespace once will be persisted throughout the browser session. Just reading a property is enough to trigger a magic string. The following syntax is perfectly valid in Firefox you crazy cats.

<></>.function::['x'];//required once in a browser session
$="@mozilla.org/js/function";_="alert";$::[_](1)

I’d like to thank my fellow crazy JavaScript slackers:- Yosuke Hasegawa, Jonas Magazinius and Mario Heiderich for making Firefox appear nuts.

* Disclaimer if your sandbox breaks with the above code consider writing a better sandbox.

The entry 'Function is the new window' was posted on September 10th, 2010 at 12:40 pm and is filed under javascript, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

3 Responses to “Function is the new window”

  1. Eli Grey writes:
    No. 1 — September 10th, 2010 at 7:38 pm

    I’ve been using the function namespace for quite a while to extend the XML prototype methods, such as in my e4x.js library that implements ECMA-357 Annex A, which Mozilla and Adobe completely ignored. Please note that there are no security implications to using the function namespace, as there are quite a few (un-preventable without source code analysis) ways to reference the global object.

    One neat thing about the function namespace is that you can use it in combination with eval to reference invalid formal parameters, as such:

    function foo({bar: var}) {
    return eval("function::var");
}
foo({bar: "baz"}) // returns "baz"

    Though a better solution would to just “return \u0076\u0061\u0072” (no string), which references var.

  2. Gareth Heyes writes:
    No. 2 — September 10th, 2010 at 8:03 pm

    @Eli

    Neat thanks that’s pretty useful

  3. Eli Grey writes:
    No. 3 — September 10th, 2010 at 8:13 pm

    Actually I just noticed a code typo. It was supposed to be function foo({var}) and foo({var:"bar"}). I forgot that invalid formal parameters only work when they are part of the destructured properties.

«
»