I am involved in application security and oftentimes I've used

 {{constructor.constructor('alert(1)')()}}

blindly in AngularJS applications to escape the sandbox in older versions. Recently I've been trying to understand what this really means and how it works. I tried reading about object constructors and understand that an object's constructor points to the object type. So, for example:

var a = new String;         // a is a String wrapper object
console.log(a.constructor); // the function that built a: String

will print out `String`, and if I do `a.constructor.constructor` this will print out `{}`.

Now my question is: how does `object.constructor.constructor('ANY FUNCTION HERE')()` lead to that function being executed in JavaScript?

  • `Object.constructor.constructor === Function` – VLAZ Mar 23 '21 at 08:50
  • [Object.constructor===Object.constructor.constructor // why?](https://stackoverflow.com/q/5963547) – VLAZ Mar 23 '21 at 08:52
  • Also related: [Decode this strange Javascript](https://stackoverflow.com/q/9045701) | [Is there a way to jail in Javascript, so that the DOM isn't visible](https://stackoverflow.com/q/2673695) | [Securing JavaScript eval function](https://stackoverflow.com/q/26482268) | [Esprima detect global scope access](https://stackoverflow.com/q/48748584) – VLAZ Mar 23 '21 at 09:06
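
The mechanism the question asks about, as an added worked example (this is not code from the question, from the commenters, or from AngularJS itself; `reachFunction`, `compileAndRun`, `naiveSandboxEval` and the sample scope are this example's own names and assumptions). It shows three things: why `.constructor.constructor` is `Function` for any ordinary value, why `Function(src)()` runs `src` in the global scope no matter what the caller hid, and how a toy template sandbox that shadows dangerous globals by name is escaped by the exact payload from the question.

```javascript
// Added example, not from the original question or from AngularJS.

// 1. Why `x.constructor.constructor` is Function for ordinary values:
//    x.constructor is the function that built x (String, Object, Array, ...),
//    and every function inherits `.constructor` from Function.prototype, whose
//    constructor is Function itself. Null-prototype objects are the exception:
//    they expose no `constructor` at all, so return undefined for them.
function reachFunction(value) {
  if (value == null || typeof value.constructor !== 'function') return undefined;
  return value.constructor.constructor;
}

// 2. Function(src) compiles `src` as the body of a brand-new function whose
//    scope chain is the *global* scope. Names the caller shadowed or hid do
//    not apply inside `src`; that is the whole escape.
function compileAndRun(value, src) {
  return reachFunction(value)(src)();
}

// 3. A toy template sandbox in the spirit of the old AngularJS one: bare names
//    in the expression resolve against a scope object, and dangerous globals
//    are shadowed by name so `Function`, `globalThis` and `window` are
//    undefined inside the expression.
function naiveSandboxEval(expr, scope) {
  const shadowed = ['Function', 'globalThis', 'window'];
  // `with` is only legal in sloppy mode; a Function-constructor body is sloppy
  // unless it opts in to strict mode, so this parses regardless of the file.
  const body = 'with (scope) { return (' + expr + '); }';
  const fn = new Function('scope', ...shadowed, body);
  return fn(scope, ...shadowed.map(() => undefined));
}

// Constructed sample scope, standing in for an AngularJS $scope (assumption).
const sampleScope = { name: 'alice', total: 3 };

// A benign template expression works as intended.
function benign() {
  return naiveSandboxEval('name + ":" + total', sampleScope); // "alice:3"
}

// Asking for Function by name is blocked by the shadowing.
function blockedByName() {
  return naiveSandboxEval('typeof Function', sampleScope); // "undefined"
}

// The payload from the question. `constructor` resolves through the scope
// object's prototype (Object.prototype.constructor === Object), so
// constructor.constructor is the real Function, and the body it compiles runs
// in the global scope where nothing is shadowed.
function escaped() {
  return naiveSandboxEval(
    "constructor.constructor('return typeof Function')()",
    sampleScope
  ); // "function"
}

// Same route, this time handing back the real global object (window in a browser).
function escapedToGlobal() {
  return naiveSandboxEval(
    "constructor.constructor('return globalThis')()",
    sampleScope
  ) === globalThis;
}
```

The practical point for an assessment: any value reachable from the expression (the scope object, a string, a function) carries a path to `Function`, and `Function` does not care what the sandbox hid by name. Blocklisting identifiers in the expression text is therefore not a boundary, which is why the AngularJS team removed the expression sandbox in 1.6 and stated it had never been a security feature; `{{constructor.constructor('alert(1)')()}}` in a template is simply script injection that has to be fixed at the template-injection source.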