Admin
Frist!
ETA: Frist frosted for the first fucking fime.
How's that for alliteration?
ETA: Read the article.
First of all, @Yamikuronue, an awesome piece this one is!
Secondly, I love JS more with each passing day. Or should I say:
Admin
Holy f**k
Admin
I think you meant
Admin
ah! I was wondering who would get to write up the JSF**K article....
Admin
Good, but not front page good, more of "Bad ideas" good.
Admin
We need a link to the Wat talk…
Admin
No, that's a hot sauce (not extremely hot, but very tasty).
My own reaction was "Je$u$ f**k!"
Admin
Heard about this on the SecurityNow! podcast... it's amazing how far people will go to break something... and how deep in the sand a company can be...
Admin
Isn't this a bit old news?
To @Yamikuronue's credit, it's not her fault. It's been sitting in the queue for effing eight effing days.
Admin
I have a few horrendous one liners like this using operators to type juggle as needed that I keep in the codebase to tease new starters with. They're funny enough and actually save quite a substantial number of LOC but have been a pain to debug on occasion when the programmer passes the wrong data.
Admin
Anyway, I would really like to know what went through the head of that special snowflake who implemented the scrubbing and instead of taking the easy, proven and trustworthy method of escaping any `<` followed by anything except the few whitelisted tags took the trouble of discarding just the alphanumerics. Somehow I have trouble believing this was mere incompetence.
Admin
Yup :) We're not a news site; I'd imagine several of the WTFs we post are years if not decades old tales, remembered and submitted. I found this one and figured it belongs here
Admin
Someone decided to get “smart”.
Admin
Except it really looks too contrived to be just “smart”. I could take deleting the content between `<script>` tags instead of the `<script>` tags themselves as being smart, but deleting just something is more work than deleting everything, so that bit really suggests some ulterior motive.
Admin
E_NOREPRO for 2/4
Admin
Rule 1: Never remind the reader of a better-written work :laughing:
Admin
That poll is missing the TDEMSYR option...
Admin
I have to link this just because of Truthiness:
http://stackoverflow.com/a/2803576/15880
Admin
Us strong-typing proponents have always told you weak typing is bad. Really bad. Utterly terrible, as it turns out...
Admin
No, I was first. I literally posted about this back on Feb. 4th. Get on the :trolleybus:
Admin
I work on a JavaScript interpreter as part of my job (don't ask) and this isn't even that bad. JavaScript allows UTF8 characters as identifiers so you can write something like this:
(Source: http://utf-8.jp/public/aaencode.html )
Stuff like that is proof that JavaScript was a practical joke played on web developers that they still haven't realized.
Admin
I wonder if it breaks if you include carriage returns for readability...
Admin
If you only include carriage returns, doesn't that only help when viewing from Mac Classic?
Admin
Doesn't your editor automatically adapt?
Admin
Presumably if you put them near one of the + or - operators it'd be fine. JavaScript is also pretty flexible when it comes to whitespace. Haven't tried. I value my sanity enough that I don't want to think too deeply about it.
Admin
I imagine someone cleverly coding something up and doing an emoticon-based story with it.
Shirley this has been done before, no?
Admin
Carriage returns... Hmmm...
Wonder if we can get some semicolons into our strings by abusing ASI?
Admin
A workmate said his previous company uses something like ƒ as their JavaScript "namespace". We jokingly suggested we should use 正 but even the Chinese guys decided it was too hard to type.
Admin
I don't know if it has been said before, but: The language 'C' is an improvement on many languages, before or since. Javascript certainly falls into this category.
Of course, there are languages that work with a 48 character character set, they have been going strong for over 59 years!
Admin
Wow, APLScript! :heart_eyes:
Admin
Ok.
Someone here has WAY too much time on their hands..... :grinning:
On a side note, although I may be able to copy pasta and run that, I'm afraid that if I do I may end up in some Lovecraftian scenario.....
Admin
Almost any language does, including Python3 (but not 2), Java, C#, Go, Rust… The saner ones follow Unicode Annex #31 and allow only letters. The insane ones also allow 💩. JavaScript even belongs to the first group.
:wtf:
I wonder if that would pass through the Ebay “sanitization” though. Depends on how it defined “alphanumerics”.
Admin
https://what.thedailywtf.com/t/the-bad-ideas-thread/254/99?u=pjh
Admin
You should go with 💲 (U+1F4B2: Heavy Dollar Sign) for the lolz.
More likely to collide with some other wiseasses, though.
Admin
Ummm...no. Even APL isn't that ~~unreadable~~ obfuscated.
Admin
WAT
Admin
I get the same results as @asdf using v0.10.25.
Also, TRWTF is running node as root.
Admin
The Chrome console gives me this:
Admin
But that's outside the BMP which has "problems".
Though I wonder how well everything would support combining characters?
Admin
It's partly because `{}` is ambiguous: some places it is an empty hash, others it's an empty expression. To force hash (object) you can surround it in brackets like `({})`
Admin
JavaScript does not accept that. It only accepts letters, digits, combining marks and joiners, but not symbols, which is what the emoji are.
Admin
TRWTF would have been not using docker to run it :wink:
Admin
TRWTF is that the article is wrong:
JavaScript has function scope and not block scope when something is defined using the var keyword. You can define things using the let to give you block scope but that is ES6 only.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/let
In fact the whole idea of single var pattern is based on the fact that all var declarations are hoisted to the top of its enclosing function.
Admin
you never clicked through any of those links, did you?
because the correct information is behind those links, thereby raising the "incorrect" information to an informal literary device whereby the information stated is illustrative of how JavaScript appears familiar to many developers who have not spent the time to understand what a glorious monster of a language it really is, which in turn leads those developers to implement javascript "security" features that can be so thoroughly defeated, and further leads them to fail to recognize that their security has been defeated.
but no, let's focus on an "error" that was made as an illustrative point and included its own explanatory correction for anyone not too lazy to click through and learn something.
Admin
There were IDs in those CSS files.
Admin
`[] + []`

IIRC, the `+` operator first tries to convert both sides to primitives (i.e. anything that's not an object: undefined, null, boolean, string, or number). Then if either value is a string, it does concatenation; otherwise, it further converts both sides to numbers and then adds.

So how to convert `[]` to a primitive? First it tries to use `valueOf`...

[image]

That's not a primitive, so it doesn't work. Next, it uses `toString`:

[image]

Hey look! A primitive.

Note: `toString`, despite its name, does not always return a string. It can return anything you want it to return!

So how do I know that it uses `valueOf` before `toString`? Boy, am I glad you asked...

[image]

Since the default `valueOf` of an object is that object, which isn't a primitive, it proceeds to try using `toString`. But if `valueOf` does return a primitive, then it uses that, not `toString`. And note that the primitive, despite being returned by `toString`, was a number, so `+` added it to `0` instead of concatenating them.

If neither of them return a primitive, well, then Javascript just throws up its hands and quits. The whole thing fails with an error:

[image]

Anyway, in `[] + []`, `toString` is used on both arrays. `[].toString()` is an empty string, `""`. Then it concatenates: `"" + ""`. The result is `""`.

Now... `[] + {}`. `toString` is used on both again. `{}.toString()` is `"[object Object]"`. Then it concatenates: `"" + "[object Object]"`. The result is `"[object Object]"`.

And here's the gimmick... `{} + []`. This actually isn't addition. It's the unary `+` operator. Why? Because `{}` is an empty code block! To the Javascript parser, it looks like this:

The `{}` basically just does nothing. The unary `+` operator in `+[]`, in case you were wondering, works in mostly the same way as the `+` operator did before: first it converts `[]` to a primitive, which we've already seen is `""`. Then, it goes a step beyond and converts that primitive to a number...

[image]

So you end up with `+0`, or just `0`.

Note that you can force it to treat `{}` as an object if you enclose it in parentheses. Then the result is `"[object Object]"`, which is probably what you expected:

[image]

And finally, `{} + {}`. Node is being inconsistent there, because both Firefox and Chrome (thanks @hungrier) are still treating the first `{}` as an empty code block, unless you use parentheses to force it not to:

[image]

Again, you have the first `{}` being parsed as an empty code block, which leaves `+{}` as the expression to actually evaluate. `toString` converting `{}` to `"[object Object]"` works just like it did before. You end up with `+"[object Object]"`.

As I said, the unary `+` operator goes a step farther than the binary `+` operator does: it can't concatenate, so it has to end up with a number:

[image]

So you end up with `+NaN`, which is `NaN`.

edit: note `()=>[]`, which are fat-arrow functions that return empty arrays. However, `()=>{}` isn't a fat-arrow function that returns an object; it's a fat-arrow function with an empty codeblock, and it returns `undefined` (which is a primitive, by the way). `()=>({})` is a fat-arrow function that returns an object.
Admin
No because they didn't look like fucking clickable links.
Admin
E_NO_REPRO:
[image]
Admin
Fair enough they have the hand if you mouse over them, but I was on a phone.
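
The conversion order walked through in the `[] + []` comment above, as an added example that is not part of any post in this thread. `SELF`, `traced`, `addTrace` and `parseContexts` are names made up here, and `eval` stands in for typing the expression at statement position.

```javascript
// Added illustration; SELF, traced, addTrace and parseContexts are made-up names.
const SELF = Symbol("return the object itself (not a primitive)");

// Build an object whose valueOf/toString record that they ran, then return
// either a chosen primitive or the object itself.
function traced(log, valueOfResult, toStringResult) {
  const obj = {
    valueOf() {
      log.push("valueOf");
      return valueOfResult === SELF ? obj : valueOfResult;
    },
    toString() {
      log.push("toString");
      return toStringResult === SELF ? obj : toStringResult;
    },
  };
  return obj;
}

// Evaluate 0 + <object> and report the result plus which methods were called.
function addTrace(valueOfResult, toStringResult) {
  const log = [];
  let result;
  try {
    result = 0 + traced(log, valueOfResult, toStringResult);
  } catch (e) {
    result = e.constructor.name; // neither method produced a primitive
  }
  return { result, calls: log.join(",") };
}

// eval() parses its argument as a statement list, so a leading {} is an
// empty block there; parentheses force it to be an object literal.
function parseContexts() {
  return {
    arrArr: [] + [],                 // ""
    arrObj: [] + {},                 // "[object Object]"
    blockArr: eval("{} + []"),       // 0
    objArr: eval("({}) + []"),       // "[object Object]"
    blockObj: eval("{} + {}"),       // NaN
    arrowBlock: (() => {})(),        // undefined
    arrowObj: typeof (() => ({}))(), // "object"
  };
}

console.log(addTrace(SELF, "x"), addTrace(SELF, 5), addTrace(7, "x"),
            addTrace(SELF, SELF), parseContexts());
```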