We try very hard to make something reliable, and without fail we manage to crack every single code we wrote.
I gave up but since then every now and then I recall that days in which we enjoyed this "windmill war".
Since when I gave up I had an idea, I just tried to see if that I can work out something to make that idea work.
What IDEA?
Basically since we cannot know if a function is real I thought to make the browser fail if I try to eval some code, make the eval code call himself in an infinite loops.
<script type="text/javascript">
eval = function(str){
eval(str);
}
eval("alert('hello, proof');"); //too much recursion on FF, stack overflow on IE ;)
</script>
Basically if I extend this logic to all the string evaluating function
(Function object, eval, Object.eval, setTimeout, setInterval) made them using only one function It should work.
example:
eval = function(){
return function(code){
(new Function(""+code))();
}
};
in this way if I try to use eval to rewrite Function I just can't because Function is called inside eval for the same principle of the first snippet I posted.
So why a windmill war?
Caching.
Function caching to be precise,
in javascript I can write this code:
var f = eval
eval = function(str){
alert("I' m an evil functions! bwahahaha!");
f(str);
}
So I don't need to use Function anymore to rewrote eval, I just Spoof the code,
I can send The spoofed code around using http request (for example a src in images...).
To recap, bear this in mind:
Javascript is so powerful in the way it leaves you modify its behaviour that is totally unreliable.