Replace Window Or Document Objects With Javascript Object
Solution 1:
You can do the following, but you would have to eval the external script within your function's scope:
function a(window, document){
  // in here window and document should be numerics
  alert(window);
  alert(document);
}
a(123, 456);
Or if you had a server-side proxy you could rewrite their code with a wrappered anon function that then called in your proxy document and window object.
;(function(window, document){
/// the unknown external code here.
})(windowProxy, documentProxy);
There would still be ways around this however, as they might be able to use the following depending on the JS environment:
var win = (function(){ return this; })();
You may also have to include the other collections to make sure they are not accessible:
;(function(window, document, all, images, ...){ ... }
But, they would also be able to access the original document through any DOM elements you allowed them access to as well...
With regards to UPD6
Just in case it's useful you may also want to plug the following holes:
- setTimeout
- setInterval
Both the above can be used to evaluate code.
setTimeout('(function(){alert('+'th'+'is'+');})()');
Plus, as you are exposing document.write, this would also be feasible:
document.write(
'<img src="" '+
'onerror="alert(th'+'is.ownerDocument);" />'
);
And you should block access to SafeThis and rewrite any mention of it in the target code, otherwise it can be overridden:
SafeThis = function(that){return that;}
Other than that though it seems quite secure. I'm sure there will be other ways round it—if you try hard enough—but it really depends on how determined you think your possible attackers might be ;)
Solution 2:
The "document" global property is non-writable, and non-configurable, so no, you cannot.
// try this in global code
Object.getOwnPropertyDescriptor( this, 'document' ).writable // false
Solution 3:
You can only reassign writable properties, so document and window are off the table.
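An added example (not from any of the answers above) that puts Solution 1's parameter-shadowing wrapper and Solution 2's property-descriptor check into runnable Node code. The `host` object, the `proxies` and the untrusted snippets are constructed stand-ins for a browser's real `window`/`document`, so the descriptor check runs against a mirror of how browsers define `document` rather than a real DOM; the `this` leak and the string-argument timer hole are the ones the first answer lists.

```javascript
// Constructed stand-in for the host global: browsers define `document` as
// non-writable and non-configurable (Solution 2); mirrored here so the demo
// runs in Node, which has no DOM.
const host = {};
Object.defineProperty(host, 'document', {
  value: { tag: 'real-document' }, writable: false, configurable: false,
});

// Solution 2's check: can `document` be replaced on this global object?
function documentIsReassignable(globalObj) {
  const d = Object.getOwnPropertyDescriptor(globalObj, 'document');
  return Boolean(d) && (d.writable === true || d.configurable === true);
}

// In strict code the failed write throws instead of failing silently.
function reassignSucceeded(globalObj) {
  'use strict';
  try { globalObj.document = { tag: 'fake' }; } catch (e) { return false; }
  return globalObj.document.tag === 'fake';
}

// Timer wrappers that close the string-eval hole noted for setTimeout and
// setInterval: only function callbacks are forwarded to the real timer.
function functionOnlyTimer(realTimer) {
  return function (cb, ...rest) {
    if (typeof cb !== 'function') throw new TypeError('timer callback must be a function');
    return realTimer(cb, ...rest);
  };
}

// Constructed proxy objects handed to the untrusted code in place of the globals.
const proxies = {
  window: { tag: 'windowProxy' },
  document: { tag: 'documentProxy', write() { throw new TypeError('document.write disabled'); } },
  setTimeout: functionOnlyTimer(setTimeout),
  setInterval: functionOnlyTimer(setInterval),
};

// Solution 1's wrapper: the untrusted source sees parameters named `window`,
// `document`, `setTimeout`, `setInterval` instead of the real globals. `strict`
// prepends a 'use strict' directive so a bare `this` stays undefined instead of
// being coerced to the real global object (the leak the first answer describes).
function runShadowed(source, strict = false) {
  const body = (strict ? '"use strict";\n' : '') + source;
  const fn = new Function('window', 'document', 'setTimeout', 'setInterval', body);
  return fn.call(undefined, proxies.window, proxies.document,
                 proxies.setTimeout, proxies.setInterval);
}

// True when the untrusted source obtained the real global object.
function leaksGlobal(source, strict = false) {
  return runShadowed(source, strict) === globalThis;
}
```

Running the same snippet through `leaksGlobal` with and without `strict` shows that the wrapper alone does not confine sloppy-mode code, which is the first answer's point that this is a hurdle rather than a sandbox.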