
My JS code runs on a client's website, which contains code that overrides "window.eval" with a blank function. I'm able to retrieve a new copy from an iframe, but for some reason I can't call the eval on the main window like that:

RealEval.call(window.top,"somecode");

It's just evaluating the string on the iframe window. Any ideas?

avi dahan
  • Can you append a ` – CertainPerformance Dec 25 '18 at 08:41
  • @CertainPerformance Yes, I probably can; there is no way to use eval like I described? – avi dahan Dec 25 '18 at 08:42
  • Don't think so, just like any function defined in window A can't be called in window B unless you literally copy the source code of the function and then insert it into B – CertainPerformance Dec 25 '18 at 08:44
  • Can you avoid using eval if that doesn't work for whatever reason and use the function object instead? Ideas in: https://stackoverflow.com/questions/7650071/is-there-a-way-to-create-a-function-from-a-string-with-javascript – Zim84 Dec 25 '18 at 08:46
  • @Zim84 Thanks, and yeah, I can avoid eval, but I would really like to get an explanation why I can't call eval like I described but other methods can be called like that (for example: document.open, addEventListener, XHR, ...) – avi dahan Dec 25 '18 at 08:49
  • What you wanna do is copy the reference from eval to the new context. This would require the ability to copy references, which doesn't seem possible. – Chris Rollins Dec 25 '18 at 09:07
  • @avidahan Because `eval` is not a *method*, it is a builtin function (like `Object`, `Array` etc) and closes over its realm (frame environment). – Bergi Dec 25 '18 at 12:13
  • @Bergi Thanks Bergi, I would like to understand this better, can you please reference some info? – avi dahan Dec 25 '18 at 17:07
  • @avidahan I could only reference the spec, but that's unlikely to be helpful. For understanding: `eval` doesn't use the `this` keyword (like a method would) to determine the receiver. `.call()`ing it doesn't change anything. – Bergi Dec 25 '18 at 17:55
  • @Bergi How can I tell if a method or a property behaves that way? Because there are a lot of methods that act exactly as I described – avi dahan Dec 25 '18 at 17:58
  • @avidahan Many DOM functions will because they are described as methods, but to tell you'd need to look in the spec (ECMAScript or HTML5, depending on which one you're looking for). But even that might not help, as browser engines might have implemented it differently. So you will have to try and test (cross-browser). – Bergi Dec 25 '18 at 18:24
  • @Bergi Great, thanks a lot! – avi dahan Dec 25 '18 at 18:25
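
The behaviour described in the comments above (eval does not use `this` and stays tied to the realm that created it, while `this`-based methods follow their receiver), as an added example that is not part of the original thread. It assumes Node.js, with `vm` contexts standing in for the top window and the iframe; `realmName`, `log` and the helper names are made up for the demo.

```javascript
// Added illustration, not code from the thread.
// Loads node:vm whether this file runs as CommonJS or as an ES module.
const vm = typeof require === 'function'
  ? require('node:vm')
  : process.getBuiltinModule('node:vm');

// "Main" realm: this process's global object (plays the role of window.top).
globalThis.realmName = 'main';

// Second realm with its own global object and builtins (plays the iframe).
const frame = vm.createContext({ realmName: 'frame', log: [] });
const frameEval = vm.runInContext('eval', frame);                 // realm-bound builtin
const framePush = vm.runInContext('Array.prototype.push', frame); // this-based method

// Same shape as RealEval.call(window.top, "somecode") in the question:
// the receiver is the main global, yet the source runs in the frame realm.
function evalWithForeignReceiver(source) {
  return frameEval.call(globalThis, source);
}

// A method that reads `this` operates on whatever receiver it is given,
// even though the function object itself comes from the other realm.
function pushWithForeignReceiver(value) {
  const mainArray = [];
  framePush.call(mainArray, value);
  return mainArray;
}

function report() {
  const before = frame.log.length;
  evalWithForeignReceiver('log.push("ran")'); // side effect lands on frame's `log`
  return {
    seenByFrameEval: evalWithForeignReceiver('realmName'),  // 'frame'
    seenByMainEval: (0, eval)('realmName'),                 // 'main'
    thisIsMainGlobal: evalWithForeignReceiver('this') === globalThis, // false
    sideEffectLandedInFrame: frame.log.length === before + 1,        // true
    pushedIntoMainArray: pushWithForeignReceiver(42),       // [42]
  };
}

console.log(report());
```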

0 Answers