Wednesday, January 20, 2010

URLs are VALID javascript!

I recently posted things that said you could eval a url like this:
eval(unescape("http://somesite.com/%0Aalert('hello')"))

and have it display an alert. I had said that the javascript interpreter ignored the line that failed and skipped to the next line (the alert). WRONG! The real reason why that works is that URLs are VALID javascript! In javascript, you can label a block of code, like so:
label: {

}

and then use goto statements to jump to it. In the case of URLs, http: is merely a label!

The next part of a url is the two forward slashes, which is, of course, a single-line comment in javascript. Thus, when a newline is inserted into the url, it works because it is VALID javascript. Super coolness!
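An added example, not part of the original post, showing how the parser splits such a URL into label, comment and live code, and confirming that code after the line break really executes. It goes one step beyond the post by also covering the other JavaScript line terminators (`\r`, U+2028, U+2029); `splitAsScript`, `runAsScript` and `mark` are hypothetical names and the URLs are constructed.

```javascript
// Added example; URLs and the mark() callback are constructed for illustration.
// Any of these ends a `//` comment in JavaScript, not just \n (%0A).
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Split a decoded URL the way the JS parser reads it: "scheme:" is a label,
// "//..." is a comment up to the first line terminator, the rest is live code.
// (Reserved words used as a scheme are not handled here.)
function splitAsScript(rawUrl) {
  const decoded = unescape(rawUrl); // same decoding as the post's eval example
  const m = /^([A-Za-z_$][\w$]*):\/\//.exec(decoded);
  if (!m) return { label: null, comment: null, liveCode: '' };
  const rest = decoded.slice(m[0].length);
  const cut = rest.search(LINE_TERMINATOR);
  return {
    label: m[1],
    comment: cut === -1 ? rest : rest.slice(0, cut),
    liveCode: cut === -1 ? '' : rest.slice(cut + 1),
  };
}

// Evaluate the decoded URL as a function body, with a harmless mark() recorder
// standing in for alert(), and report which calls actually executed.
function runAsScript(rawUrl) {
  const calls = [];
  try {
    new Function('mark', unescape(rawUrl))((v) => calls.push(v));
    return { ran: true, calls };
  } catch (e) {
    return { ran: false, calls, error: e.name };
  }
}

// Constructed inputs: newline, Unicode line separator, and a plain space.
for (const url of [
  "http://somesite.com/%0Amark('hello')",
  "http://somesite.com/%u2028mark('hello')",
  "http://somesite.com/%20mark('hello')",
]) {
  console.log(JSON.stringify(url), splitAsScript(url), runAsScript(url));
}
```

A filter that only strips `%0A` misses the other terminators; the robust fix is to never pass URL-derived strings to `eval` or `new Function`.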

I haven't been able to find anyone else talking about this. I don't really even care if I "discovered" it first (which I might have?). It's just plain cool and makes me laugh :)
