
Hide this in your coworkers' JavaScript code tomorrow - cfj
https://gist.github.com/cfj/9857886
======
madeofpalk
On a related note, I got a pleasent surprise when I opened the Developer
Console on Facebook.com: they present you with a giant red warningp[1] and
block any code execution in it until you explicitly 'allow [your] account to
be hijacked if I paste malicious Javascript'[2]

[1]: [http://i.imgur.com/6UVaTen.png](http://i.imgur.com/6UVaTen.png)

[2]: [https://www.facebook.com/selfxss](https://www.facebook.com/selfxss)

~~~
hashx
Facebook blocks the console as it is supposedly used for " exploitation by
people to post spam and even used to "hack" accounts"

[http://stackoverflow.com/questions/21692646/how-does-
faceboo...](http://stackoverflow.com/questions/21692646/how-does-facebook-
disable-the-browsers-integrated-developer-tools)

~~~
danielweber
When you consider Facebook's target audience, it's probably okay to make
people like us jump through a hoop in order to stop Grandma from being
completely p0wned by typing in some JavaScript.

Yes, maybe people should know that running arbitrary JavaScript is dangerous,
but they don't.

------
dang
By the way, we're going to penalize April Fools' jokes tomorrow so that they
fall off the front page quickly. This isn't new, but we're going to be more
systematic about it. The April 1 tech thing has become stale. If you guys see
April Fools stories that we miss, flag them unless they're really particularly
good.

People complain about HN's humorlessness, and they're right to a point. The
trouble is that with a culture of humor comes a flood of lame humor. HN wants
to optimize for intellectual curiosity, which wants higher signal/noise ratio.
It's not that we're killjoys—we like jokes and laughing—it's that the
signal/noise problem is hard.

------
chewxy
One of my favourite ways to punish JavaScript developers who don't use `var`
is to randomly hide a

    
    
        if (false) {
          var GLOBALVAR;
        }
    

somewhere in the code.

It's fun (in a harmless fun kinda way, but you can also use some really dirty
tricks to really hamper someone's work) to fuck up people's code - that's why
I wrote Underhanded JavaScript. :P

EDIT:

Another fun one is to add `return`s to constructor functions.

~~~
danielweber
I haven't had my morning coffee; can you explain what this breaks? I know
JavaScript's scoping rules are unusual.

~~~
chewxy
Imagine you have inexperienced coders who do this:

    
    
        function foo() { 
            bar = function(){}; //define bar
        }
    
        function baz() {
            bar(); // use bar
        }
    

Note that both foo() and baz() could themselves, be inside another function.
Doesn't really matter. Now `bar` is a defined as a a property of the global
object.

If you add

    
    
        if (false) {
            var bar;
        }
    

in baz(), most developers, as I had noticed, will ignore it - afterall, it's a
false condition, the code will never enter that branch. But because variables
are "hoisted", you have now declared `bar`, it's lexically scoped as a new
variable under `baz()`, with the value `undefined`.

So, when `bar()` gets called, it becomes an error, because `undefined` is not
a function definition.

...

and yes, dear JavaScript developers, despite all the good efforts of people
like Nicholas Zakas, Douglas Crockford, Addy Osmani and the like, bad
JavaScript still exists in the wild. And I feel, in greater numbers than ever,
and I am not optimistic that the amount of bad JavaScript will be ever
reduced. This depresses me. Can't be helped, I guess.

~~~
mr_tophat
If this is the inexperienced way of doing this, what would be the correct way?

------
mathias
For more, see the evil.js project:
[https://github.com/kitcambridge/evil.js](https://github.com/kitcambridge/evil.js)

Also note that `string.split('').reverse().join('')` is not a very good way to
reverse a string in JavaScript. See [http://mathiasbynens.be/notes/javascript-
unicode#reversing-s...](http://mathiasbynens.be/notes/javascript-
unicode#reversing-strings)

~~~
cfj
Evil.js looks like a lot of fun. Love that whole article, by the way. Very
thorough.

------
clux
Alternatively, put this in your code tomorrow to pre-empt all the April 1st
bastards:

    
    
        Object.freeze(console)
    
    

Or safe JS up entirely:
[https://gist.github.com/clux/3823024](https://gist.github.com/clux/3823024)

------
blinry
I did something similar in high school. You dropped a file named "System.java"
into a Java project, which then intercepted all calls to System.out.println()
and, for example, printed the text backwards, _very_ slowly, or googled the
text in Firefox:

[https://github.com/blinry/fake-java-println](https://github.com/blinry/fake-
java-println)

------
ijk
A silly prank, but it makes me wonder: has anyone implemented an
antivirus/anti-problem scanner for open source code? i.e. scan the source code
on a git repository and report any suspicious code that matches known
malicious patterns? Lint, but targeted at detecting likely security flaws and
code injections.

~~~
wavefunction
Sounds incredibly resource intensive. First, the sheer number of "open-source"
projects which grow whenever someone has a new idea or some frustration with
an existing solution. I guess you could try to limit the tool to a list of
established projects but that of course limits the effectiveness of what
you're trying to do. Established projects may be more attractive as a delivery
vector due to widespread adoption, but there's also more eyes looking at the
code giving a potentially higher chance of discovery of any exploits. And new
projects have less-deployment and potentially more active contributors who
might more easily catch some exploit slipped in.

Then there's the problem that you've got how many languages you need to scan
against? And no quick way to determine what language a project is implemented
in? Sure, you could add some sort of language detection in there but then
you're adding to the overhead.

Finally, if the project has any sort of real complexity, some of the best
areas to exploit would be in the integrations between two technology surfaces.
Writing a tool to look for problems in a single contained module is one thing,
writing a tool that can find problems in the interfaces between modules is
quite a bit more complicated.

I think your "anti-problem" scanning tool would be the best avenue to pursue
though. Maybe some sort of tool that would run on "checkin/pull-request" and
look for issues like introduced buffer-overflow potential and things like
that.

I think it's just easier to rely on solid projects with "known" contributors
to police themselves and hope for the best, as bad as that may sound. Still,
if you could create such a tool you'd make a fortune and improve the world
immensely, so don't let my nay-saying stop you.

~~~
eropple
_> Sounds incredibly resource intensive. First, the sheer number of "open-
source" projects which grow whenever someone has a new idea or some
frustration with an existing solution._

You should totally tell that to TravisCI, I bet they'd like to know. =)

------
tootie
Tomorrow, 8 people will commit this to our repo with zero net effect.

------
Trufa
This is pretty hilarious, would drive me nuts.

I once did a similarly annoying chrome extension just for fun:
[https://chrome.google.com/webstore/detail/annoying-typo-
gene...](https://chrome.google.com/webstore/detail/annoying-typo-
generator/mblbeacchfoblmckinmgeedilgncpfok)

Randomly generates typo in inputs and text boxes.

Side note: Mihai, since I know you will be reading this, watch out if your
arrays in LRTF are upside down ;)

------
sz4kerto
There's the old C prank: #define true false

.. but in reality, I had a serious issue with Qt once: #ifndef TRUE #define
TRUE true #define FALSE false #endif

Now this screwed up some other library's similar definitions...

~~~
luch
Logic inversion should normally be caught rather easily, flow control
misdirections not so much : #define if while .

My favorite (C++) : #define private public

~~~
twoodfin
_My favorite (C++) : #define private public_

Unless I'm mistaken, C++ was (deliberately) specified in such a way that such
a redefinition does not affect the behavior of (most) already valid code.
Access control doesn't affect overload resolution, for example.

I had to add the (most) qualifier because I bet dynamic_cast<> and other RTTI
mechanisms would achieve different runtime results against some classes if
private inheritance became public.

Also, I believe that C++ forbids preprocess munging of keywords under penalty
of undefined behavior _if_ you include any standard headers, so anything could
happen in most modules.

~~~
npsimons
_Unless I 'm mistaken, C++ was (deliberately) specified in such a way that
such a redefinition does not affect the behavior of (most) already valid
code._

Perhaps it doesn't change the _implementation_ , but I know I've used the
above trick to get access to private functions for unit testing (yes, yes, I
know you "should" only test interfaces, or make internal tests; spare me and
realize it's useful: [http://mrzechonek.github.io/tut-framework/faq.html#can-
we-te...](http://mrzechonek.github.io/tut-framework/faq.html#can-we-test-
private-methods))

------
ceedan
["-webkit-", "-moz-", "-ms-", "-o-", ""].forEach(function(prefix) {
document.body.style[prefix+"transform"] = "rotate(180deg)"; });

------
mholt
#define while if

(C, obviously)

------
ultimatedelman
To anyone on my team reading this: DON'T YOU DARE :)

------
rquantz
This makes me glad I set up the workflow I did at our company. Nothing gets
into the central code base without a pull request.

------
yukichan
Yes kill your coworker's productivity by making her or him even more miserable
when dealing with a bug. If you did this and I was your manager, at worst
you'd end up on a PIP. If you want conduct a prank do something that doesn't
frustrate the work they're paid to do.

~~~
TomSawyer
Making the text print out in reverse is cute because they should be expected
to have a "WTF?" second and then move on. I would expect that messing with the
printed order of elements would backfire badly.

------
lscott3
Ha, this is pretty cool.

