
Making strings out of nothing is hard, but how did they manage to execute that string out of nothing?


By deriving an eval-equivalent and indexing [] (read the comments).


Yes, I know how to make "eval", but how could it convert "eval" to eval() ?

Edit: by using []["sort"]["call"]()["eval"]


Yes, but why does that work? I don't get:

+[]

or

[]['sort']

or

[]['eval']

for that matter, why does []['sort']['call'] work but []['call'] doesn't.

All of these look like they should be syntax errors to me. What am I missing?


Here's the breakdown:

  []["sort"]["call"]()["eval"]
is the same in javascript as

  ([].sort.call()).eval
The part in parentheses calls Array.sort with an undefined this object, defaulting it to window. Array.sort returns this after it's done. Global functions like eval are stored on window, so you end up with window.eval.


Ah. Thanks!


Because [] doesn't have a 'call' attribute, but does have a 'sort' attribute (remember that Javascript has a funky object notation, which is why people have to do elaborate dances to iterate over objects), and because the 'sort' attribute of [] itself is an object with a 'call' attribute.
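Added example (not code from the thread): it evaluates each of the expressions asked about above (+[], []['sort'], []['call'], []['sort']['call'], []['eval']) and the [].sort.call() step from the breakdown, and records what each one is. Function names are my own. It also shows what a current spec-compliant engine (for example Node's V8) does with the undefined this value in the last step.

```javascript
// Added example, not from the HN thread. Each function returns the value a
// reader would otherwise have to type into a console, so the results can be
// asserted rather than eyeballed.

// +[] : unary plus applies ToNumber. ToPrimitive([]) gives "" because
// Array.prototype.toString joins zero elements, and ToNumber("") is 0.
function unaryPlusEmptyArray() {
  return +[];
}

// []["sort"] : bracket and dot notation are the same property lookup. An empty
// array has no own "sort" property, so the lookup walks the prototype chain and
// finds Array.prototype.sort.
function sortLookup() {
  return {
    isFunction: typeof []["sort"] === "function",
    isArrayPrototypeSort: []["sort"] === Array.prototype.sort,
    sameAsDotNotation: []["sort"] === [].sort,
  };
}

// []["call"] : nothing on the chain Array.prototype -> Object.prototype defines
// "call", so the lookup yields undefined (and calling it would throw TypeError).
function callLookup() {
  return []["call"];
}

// []["sort"]["call"] : the value of []["sort"] is a function, and functions
// inherit from Function.prototype, which does define "call".
function sortCallIsFunctionPrototypeCall() {
  return []["sort"]["call"] === Function.prototype.call;
}

// []["eval"] : no "eval" on the array's chain either, which is why the trick
// detours through a function call that hands back the global object.
function evalLookupOnArray() {
  return []["eval"];
}

// [].sort.call() with no this value. The breakdown above describes engines of
// the time coercing undefined to window and returning it; a spec-compliant
// modern engine instead throws a TypeError from ToObject(undefined) before
// sorting anything, so this step of the chain no longer works there.
function sortCallWithoutThis() {
  try {
    const result = [].sort.call();
    return result === globalThis ? "global object" : typeof result;
  } catch (err) {
    return err instanceof TypeError ? "TypeError" : "other error";
  }
}

// The final step of the chain: once you hold the global object, "eval" is just
// an ordinary property on it, reachable by any string that spells the name.
function globalEvalIsProperty() {
  return globalThis["eval"] === eval;
}
```

The useful defender's takeaway is the lookup rule itself: every computed property access, whether the key is a literal or a string assembled at run time, resolves through the same prototype chain as dot notation, so whether such a chain reaches a dangerous function depends only on what the engine exposes on that chain and on the global object.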



