by penguat 3479 days ago
Who said anything about including the word "eval"? JavaScript is really rather bad for allowing surprising things: eval is possible in just 6 innocuous-looking characters - see http://www.jsfuck.com

Wth is that? How does it work? How does the token become 'eval'? Could this somehow be blocked in browsers?
Weird type conversion rules in JS, see the examples at the bottom of the page and the linked source.
Yeah I saw them but didn't quite understand the ones at the bottom, e.g. "eval". I get the weird type conversions at the top, not how they magically become function calls at the bottom.

Edit: Wikipedia article explains - you can call functions by name with that "filter" thing.

This should be pretty easily blockable though - if you block "eval" then just block most of the obscure jsfuck constructs too.

The jsfuck.js parses the obfuscated string to generate valid JavaScript code. One of the patterns that jsfuck.js supports is "run the following as eval()" https://github.com/aemkei/jsfuck/blob/master/jsfuck.js line 282
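
How the type conversions and the "filter" lookup discussed in this thread end up at a code-evaluating function, and why a filter on the word "eval" never sees it, as an added example that is not part of the original thread. The function names and the sample string are constructed for illustration, and the run-length check is a heuristic sketch, not a complete defence.

```javascript
// Added example; coerce, reachFunction, keywordFilterAllows and
// looksLikeJsfuck are hypothetical names, not taken from jsfuck.js.

// Step 1: type coercion yields strings that can be indexed for letters.
// Indexes are plain digits here for readability; JSFuck also builds
// them from the six characters, e.g. +[] is 0 and +!![] is 1.
function coerce() {
  return {
    F: ![] + [],     // "false"
    T: !![] + [],    // "true"
    U: [][[]] + [],  // "undefined"
  };
}

// Step 2: spell "filter" and "constructor" from those letters and use
// them as property names. [].filter.constructor is the Function
// constructor, which turns a string into runnable code (eval-like).
function reachFunction() {
  const { F, T, U } = coerce();
  const filter = F[0] + U[5] + F[2] + T[0] + T[3] + T[1];
  const fnText = [][filter] + [];      // "function filter() { ... }"
  const c = fnText[3], o = fnText[6];  // letters of the word "function"
  const ctor = c + o + U[1] + F[3] + T[0] + T[1] + T[2] + c + T[0] + o + T[1];
  return { filter, ctor, Fn: [][filter][ctor] };
}

// Step 3a: the keyword filter proposed in the thread. It inspects the
// source text, so it never sees names that only exist at run time.
function keywordFilterAllows(src) {
  return !/eval|Function/.test(src);
}

// Step 3b: heuristic check on shape instead of keywords: flag any long
// unbroken run of the six JSFuck characters [ ] ( ) ! +
function looksLikeJsfuck(src, minRun = 12) {
  return new RegExp(`[\\[\\]()!+]{${minRun},}`).test(src);
}

// Constructed sample: a six-character-only expression that yields "f".
const SAMPLE = "(![]+[])[+[]]";

const r = reachFunction();
console.log(r.filter, r.ctor, r.Fn === Function);  // harmless check only
console.log(keywordFilterAllows(SAMPLE), looksLikeJsfuck(SAMPLE));
```

The run-length check misses input that interleaves whitespace or ordinary code, so a Content-Security-Policy without `'unsafe-eval'` is the control that actually stops string-to-code evaluation in browsers.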