Published 15 years 2 months ago • Last updated March 22, 2025 • ⏱️ 2 min read
Whilst writing my own parser I found weird things in Opera's JavaScript parser. I was testing what the various browsers allowed with unicode escapes and it turns out Opera seems more lax than others. My discovery began with the following code:
<code language="javascript"> try {eval("\\u0066\\u0061\\u006c\\u0073\\u0065");} catch(e) {alert(e);} </code>What do you expect the undefined variable to be? It's a unicode encoded "false" hehe so we can have a variable called "false" if we use unicode escapes on Firefox but what about Opera? Well it's actually looking for a variable called "false5". Why? Because the JavaScript parser seems to be off by one when using eval with unicode escapes so it thinks the \u006 is actually \u0065 and thus the "5" is added onto the string.
Pretty cool, so what else can we do? Well, Opera seems a bit more lax than the other browsers when it comes to unicode escapes, for example this is perfectly legal: <code language="javascript"> \u=alert,u(1) </code>
Pretty nuts right? You can use an incorrect unicode escape and the backslash gets ignored. Another example: <code language="javascript"> \u000x=alert;u000x(1) </code>
And finally I leave you with this, you can make \u become uu when inside an eval statement: <code language="javascript"> window.defineGetter("uu",function() { alert(1) });eval("\u"); </code>