• bvs23bkv33 (unregistered)

    those 'i's have different scope

  • X (unregistered) in reply to bvs23bkv33

    And the outer i is always used.

  • DFYX (unregistered) in reply to bvs23bkv33

    In JavaScript, all vars are scoped to the function, not to individual blocks. That's why let was introduced in later versions.

  • Little Bobby Tables (unregistered)

    NaN thNaNnk Nan'm goNaNng to be sNaNck.

  • Pjrz (unregistered)

    It seems dumb that you are allowed to declare the i variable twice in the first place. But then, I'm not familiar with JavaScript.

  • Stupid Question (unregistered)

    Does it make sense to have a captcha in JavaScript? Someone attacking the website could read it from the DOM, can't he?

  • ray10k (unregistered) in reply to Pjrz

    "It seems dumb" does sum up JS pretty well :trolly:

  • someone (unregistered)

    It's interesting (though not surprising) that a='a'; a++; gives a=NaN, but a='a'; a+=1; gives a='a1'.

  • icon (unregistered)

    Obligatory reference to wat: https://www.destroyallsoftware.com/talks/wat

  • (nodebb)

    "download a network driver"? Is this from the 1980s?

  • scragar (unregistered) in reply to Pjrz

    var get's hoisted to the top of the function/scope, and to avoid something like

        function foo(bar){
            if (bar) {
                var baz = 'qux';
                return baz;
            } else {
                var baz = 'plugh';
                return baz;

    causing problems they made the really weird choice to just make it so multiple calls to var would be ignored.

    Unfortunately this falls into the "let's make a language really forgiving so it becomes really easy to make something that'll work in it" school of thought that gives us pretty much every abomination that in retrospect was a terrible idea(yes, anyone can write JS that'll do something, but that also makes it really hard to write good JS since it's near impossible to write safe code that's also clear and concise).

  • giammin (unregistered)

    the real DWTF is not the silly code generation but the code written in plain text in the html element

  • J. (unregistered)

    Wouldn't the code not also mean that there needs to be some URL which can actually be hotlinked? I mean, if the client completely validates the captcha, there is no prove whatsoover generated which could be checked by the server (maybe the referer header, but I doubt they checked it and you could just set it by hand if you would want to automatically download something from their server).

    Also if you google for parts of the code, you find it on stackoverflow and other sites like years ago already, at least at some points are people spreading this captcha implementation to other people. Although their iterations only got up to 6 instead of 20 and they also used fewer variables, so they did not actually overwrite i.

  • Andrew (unregistered) in reply to gordonjcp

    I don't think there was much downloading of network drivers in the 80's. Unless it was done on a BBS. My entry into IT/Computers was as a "back room" service tech at a local computer store in upstate NY around my junior/senior year of high school. This was before one bought computers from the "Big Boys" like Sears. Well, actually, it was around the time of transition from the "computer store" to national retailers and well before one simply, "bought online." The path to getting network drivers, NIC drivers really, was to install them from the 3.5"/5.25" floppy included in the box. Absent that: get the model #, serial # and MFG name from the PC board, call their 800 number and wait a week for the floppy to arrive in the mail. The year: 1991.

  • Returnary (unregistered) in reply to scragar

    Seems like a prime candidate for a ternary:

    function foo(bar) { return bar ? 'qux' : 'plugh'; }

    But yes, I'll have to agree that JS is a big pile of WTF

  • Anonymous') OR 1=1; DROP TABLE wtf; -- (unregistered)

    Obligatory: wat

  • (nodebb)

    TRWTF is that "i" is most certainly not NaN. It is Imaginary, but that's still a number. Just don't get me started on how easily most languages happily overload "i" to be some real number like say, a loop counter. There oughtta be a law. Or something.

  • Eric Gregory (github)

    TRWTF is how Javascript ignores errors. This code, at the very least, should cause your computer to implode.

  • Brian Boorman (google) in reply to gordonjcp

    Downloading network drivers? I did it just a couple months ago. Needed a driver for a USB/Ethernet dongle - didn't have the CD, and corporate group policy blocks Windows Update because IT manages deploying updates.

  • David (unregistered) in reply to someone

    JavaScript's type coercion. a++ tries to convert variable a to an integer so that it can be incremented: a = Number('a') + 1, which results in a = NaN. The second example is string concatenation. Because the variable a='a' (which is already a String), JavaScript will coerce the second value into a string and then concatenate. So, 1 becomes '1', and a = 'a1'.

  • robby the robot (unregistered)

    So the first few times he tried it without NaN and couldn't understand why it didn't work?

  • Fnord (unregistered) in reply to bvs23bkv33

    TRWTF is JavaScript happily assigning a loop variable to a numeric string, recognizing it as a number in the loop-exiting comparison, and yet still being unable to figure out how to increment it.

  • Charon (unregistered) in reply to gordonjcp

    Heh, seems Gregor visited the same site I did (I needed an audio-driver) - the persistent "NaN" at the of the "captcha" seemed weird to me too... This might also explain why their downloads oscillate between "421 - too many connections" and breathtaking ~10kb/s download speed...

  • Fedaykin (unregistered)

    A good example of why javascript is an horrific language. This should not execute without a fatal scoping error.

  • i (unregistered)

    well, maybe you're not a number

  • (nodebb) in reply to i

    But who is Number One?

  • JG (unregistered) in reply to Carl Witthoft

    i is only imaginary if you are a mathematician. If you are an engineer it is j

  • JG (unregistered) in reply to Watson

    You are, number 6

  • (nodebb)

    You should be embarrassed about languages where none of this generates a compile-time error or at least a run-time exception.

  • Decius (unregistered)

    How did this Java actually tell a human from a robot? Did it check on the browser side before allowing the human to click on the link? If the robot simply ignores the script, what happens?

  • (nodebb) in reply to bjolling

    Or at the very least causes a linter to point and snigger at you.

  • (nodebb) in reply to Andrew

    This was before one bought computers from the "Big Boys" like Sears

    The year: 1991

    The first PC I ever bought was in 1988. I bought it from Sears.)

  • (nodebb)

    Hey, somebody else wanted to download Realtek's drivers!

    (also, you can just copy & paste the "captcha" characters, spaces included)

  • David Mårtensson (unregistered) in reply to ender

    Still, its dumb enough that it would stop any modern bot, and thats probably enough.

    Its not like they expect it to stop any real human so its not a security feature (unless they are complete morons ;) )

  • Murray (unregistered)

    It's one of those captchas that rely on the site not being super important so that nobody will write a special robot for it. It's like "Type in the 5th word of the following" or "Type in 'ORANGE'".

  • Fernando (unregistered)

    It looks like you have to type two spaces between the second and third characters.

  • Clinton (unregistered)

    I'm surprised no one said "FrNaNst".

  • I dunno LOL ¯\(°_o)/¯ (unregistered) in reply to Pjrz

    Clearly TRWTF was that Javascript didn't output an error message to a window on the computer of whoever wrote this brillant example of code.

  • Not a Prisoner at all (unregistered) in reply to JG

    i am not a number! I'm a free NaN!

  • (nodebb) in reply to I dunno LOL ¯\(°_o)/¯

    In the dim and distant past I think Firefox used to have an option "Enable strict JavaScript warnings" (not to be confused with ES6 'use strict') which reported things like this, but this particular warning has since been removed.

  • (nodebb)

    I'm guessing they started off with no more than 8 characters in the captcha, got that working well enough, and then when they decided to extend it to 10 characters, just chucked a couple more variables into the loop without re-checking the output.

Leave a comment on “Caught Up in the Captcha”

Log In or post as a guest

Replying to comment #:

« Return to Article