I added a setTimeout function to the following jQuery script to give page elements time to load before I ultimately change them.

    setTimeout(function () {
        //♪dolla sign dolla sign dolla dolla dolla sign♪
        $('span.profile_text:eq(1)').text('Who Knows?');
        $('span.profile_text:eq(3)').text('Probably a dude...');

        //this last one is different because Chatango formatting is stupid formatting
        $('span.profile_text:eq(5)').html('Somewhere in the universe... <br> <br>');
    }, 2500);

(this replaces my age, gender, and location usertext on Chatango in case you were wondering)

Now anyways, my problem is that the website alters the JavaScript so that the setTimeout function is replaced with three dots followed by its parameters.

(just imagine ...(function () { and then the rest of the JavaScript under it)

I need to find some way to work around it so that I can get the script to run on a delay, either by using a different function to accomplish the same task, or possibly by adding more functions or characters to just sort of jam it in there even though Chatango clearly does not want it.
Sorta like an XSS job, but with a website where you're actually supposed to be allowed to put in whatever you want and have it run as verbatim HTML.

If anyone has any suggestions, I would really appreciate them. I really want to go somewhere with this, but I'm going to have to get it to walk on its own before I can start putting on bells and whistles.

  • Does it allow `eval`? – Fabricator Jun 09 '15 at 01:13
  • Please show the code that changes your script to the dots. Without that, your question is unanswerable. – Bergi Jun 09 '15 at 01:25
  • Rather hook on the load event for that content instead of using a timeout. – Bergi Jun 09 '15 at 01:27
  • It's going to be specific to the implementation of filtering the site is using. I suspect `setTimeout` is blocked due to security concerns, and trying to hack it might violate their usage agreement. – Krease Jun 09 '15 at 01:29
  • It doesn't matter to the question, but are these changes actually visible to other people? – Evan Davis Jun 09 '15 at 02:04
  • @Fabricator No, it does not allow evaluation. – Seth Mitchell Jun 09 '15 at 18:33
  • @Chris It's actually not a violation. Their ToS is actually rather short, and makes no mention of such behavior. User content is practically unregulated besides a prohibition on pornographic material. – Seth Mitchell Jun 10 '15 at 18:23
  • @Mathletics Yes they are! If you feel like it's worth your time, my page currently has a rather awkward implementation that changes my usertext, and replaces the element that runs the script with a swf embed. I kept the function separate from the removed element as well, so you shouldn't have too much trouble finding it in the HTML. – Seth Mitchell Jun 10 '15 at 18:29

1 Answer

setTimeout() is an evaluated statement and can cause insecurity as it can inject code at runtime:

See this for more details (same issue with eval): When is JavaScript's eval() not evil?

Where you cannot use setTimeout, use promises or callbacks - it doesn't look like you actually need the event to be time based.

Community
John
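
An added example, not part of the answer above and not Chatango's code: the eval-like risk the answer mentions arises when a timer is handed a string, which the browser compiles and runs as code. The sketch shows a wrapper a page could install so that only function callbacks reach the timer; `makeBrowserLikeTimers`, `hardenTimers` and `demo` are hypothetical names, and the timer object is a constructed stand-in for the browser API.

```javascript
// Added illustration; makeBrowserLikeTimers, hardenTimers and demo are hypothetical names.

// Constructed stand-in for a browser's timer API, so this runs outside a browser.
// As in a browser, a string handler is compiled and executed as code.
function makeBrowserLikeTimers() {
  const queue = [];
  return {
    setTimeout(handler, delayMs) {
      const isFn = typeof handler === 'function';
      queue.push(isFn ? handler : new Function(String(handler))); // eval-like path
      return queue.length; // timer id
    },
    flush() { while (queue.length) queue.shift()(); }, // run pending callbacks now
  };
}

// Wrap the timer functions on `target` so that only function callbacks are accepted.
function hardenTimers(target, names = ['setTimeout', 'setInterval']) {
  for (const name of names) {
    const original = target[name];
    if (typeof original !== 'function') continue; // API not present on this object
    target[name] = function (handler, ...rest) {
      if (typeof handler !== 'function') {
        throw new TypeError(`${name}: expected a function, got ${typeof handler}`);
      }
      return original.call(this, handler, ...rest);
    };
  }
  return target;
}

function demo() {
  const result = { stringRanUnhardened: false, functionRan: false, stringRejected: false };
  globalThis.__timerDemo = result; // string-compiled code can only reach globals

  const plain = makeBrowserLikeTimers();
  plain.setTimeout('globalThis.__timerDemo.stringRanUnhardened = true', 0);
  plain.flush();

  const hardened = hardenTimers(makeBrowserLikeTimers());
  hardened.setTimeout(() => { result.functionRan = true; }, 0);
  try {
    hardened.setTimeout('globalThis.__timerDemo.functionRan = "from string"', 0);
  } catch (err) {
    result.stringRejected = err instanceof TypeError;
  }
  hardened.flush();
  delete globalThis.__timerDemo;
  return result;
}
```
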