
"(x=[].reverse)() === window // true"

Didn't understand this one at first, but I guess it is easy: first x becomes the reverse function of arrays, then it is called with this === window. So it amounts to window.reverse(). Just looked it up, and reverse() works in place, so window.reverse() === window - although it is potentially different from before.

No, it amounts to Array.prototype.reverse.call(window) - window doesn't have a reverse method AFAIK, so window.reverse() will raise a TypeError (since you can't call something "undefined").

Are you sure? I thought in js functions are not really tied to "their" object, instead they receive an implicit this argument. Wouldn't x belong to window here? That is, window doesn't have reverse, but now it has x

I smell a potential DOM injection XSS here.

How? The only reason this works is that 'this' in a function that is not called on an object will default to the global object (window for browser js).

So just saying 'this' in an arbitrary function has the same effect.

But `this` is filtered by most js clean up libs.
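The `this` binding rules discussed in this thread, as an added example that is not code from any commenter: a bare call defaults `this` to the global object only for sloppy-mode functions, which is why strict mode closes this route to the global object. The function names are hypothetical, and `globalThis` stands in for `window` so the block runs in a browser or in Node.

```javascript
// new Function() bodies are sloppy-mode unless they opt in to strict mode,
// so these behave the same in a classic script and in an ES module.
const sloppyThis = new Function("return this");
const strictThis = new Function("'use strict'; return this");

function bareCallResults() {
  return {
    sloppyIsGlobal: sloppyThis() === globalThis,   // bare call, sloppy: global object
    strictIsUndefined: strictThis() === undefined, // bare call, strict: no defaulting
  };
}

// The expression from the thread title. Built-in functions receive `this`
// exactly as passed, so in an ES5+ engine the bare call sees undefined and
// the ToObject() step inside reverse() throws instead of returning window.
function bareReverse() {
  let x;
  try {
    return (x = [].reverse)() === globalThis;
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other error";
  }
}

// Called as a property of another object, reverse() takes that object as
// `this`, reverses it in place and returns the same object.
function borrowedReverse() {
  const holder = { 0: "a", 1: "b", 2: "c", length: 3 }; // constructed array-like
  holder.x = [].reverse;
  const returned = holder.x(); // call site makes this === holder
  return { sameObject: returned === holder, items: Array.from(holder) };
}
```
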
