Sign in to follow this  

Javascript string to standard function

This topic is 1113 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I'm trying to call a standard javascript function document.write off of a string read from a cookie.

 

The web page sets a cookie like so:

document.cookie="document.write('Charles'); expires=Thu, 18 Dec 2014 12:00:00 UTC; path=/";

 

It then retrieves the cookie like so:

var x = document.cookie;

 

After this is done the string contained by x=:

 "document.write('Charles')"

 

So there now is the document.write(str) function in the variable x, however the function does not write "Charles" to the web page.

 

How can I change this so that when the web page reads the cookie, it automatically outputs "Charles" to the body of the web page through the document.write funcion.

 

Any help or pointers to the answer would be most appreciated.

Share this post


Link to post
Share on other sites

I don't know how well it works or how's the support in browsers, but with a quick google search I found that you can create Functions with new Function();

 

http://stackoverflow.com/questions/2573548/given-a-string-describing-a-javascript-function-convert-it-to-a-javascript-func

 

Look here: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function

 

Also, eval() should work too, but from the same quick search it looks like it's not the best method in some cases.

Share this post


Link to post
Share on other sites

The key is that you can't write any code, since this is going to execute on a third party website.

 

All you can count on is that the third party site will read the first part of the cookie up untill the first semi colon, and that that read will take place in a <script> tag. Something that you do within that string

had got to effect the way the third party web page displaye its page

Share this post


Link to post
Share on other sites

I don't think that's possible, you need to convert that text into a function, so you need to write more code. Also, cookies are not meant to be used as code, what you're trying to do sounds bad.

Share this post


Link to post
Share on other sites

Seconding what's being suggested above, this was probably meant to be mangled using eval(). It is generally avoided due to its extreme risk of malicious code injection.

As far as I can understand document.write was supposed to be dropped years ago; before dynamic DOM was standard. It is just easier to build the DOM yourself.

 

The bad news is, if you have no control on the remote page and somehow plug in your logic... then you're in for pain. Try eval(). That said, this stuff doesn't make any sense to me.

Share this post


Link to post
Share on other sites

There is no automatic way to cause a cookie's value to be interpreted as Javascript. If the site is poorly written, it might be possible to inject content or code into the site, but that is a security bug in the site and should be reported so it can be fixed.

Share this post


Link to post
Share on other sites

This topic is 1113 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this