How can '+myVar;' be a valid syntax [duplicate] - javascript

This question already has answers here:
Explain +var and -var unary operator in javascript
(7 answers)
Closed 6 years ago.
I just got a bug that took some of my time to spot my searching filters weren't working because of the following code :
queryObject.search='valid==true';+searchQuery;
The good syntax is to mive the ';' in the string :
queryObject.search='valid==true;'+searchQuery;
The reasn why i didn't spot that is because the earlier line of code didn't triggered any javascript console error. So it seems it's a valid syntax.
So here is my question, how can this be a valid syntax ?

+something is an expression using the plus unary operator.
Its general purpose is to convert a value, for example a string, to a number.

+ is unary operator, which tries to get numeric value from variable.
There is a thread about it.

Related

What exactly is (alert(1),"") in javascript [duplicate]

This question already has answers here:
What does the comma operator do in JavaScript?
(5 answers)
Closed 2 years ago.
I tried doing google gruyeres XSS challenges (http://google-gruyere.appspot.com/part2), and at the stored AJAX XSS challenge they have the following code part for the JSON response:
all <span style=display:none>"
+ (alert(1),"")
+ "</span>your base
The interesting part is: (alert(1),"")
According to the solution provided, the empty string gets returned. According to my testing, the alert(1) still gets exectued.
Is this some sort of function shorthand, or what would this be called in JS?
Why does it execute the alert, but then return the empty string?
Thank you very much for any help!
Best regards,
Rolf
This is the comma operator. The code executes alert(1), discards its return value, then evaluates "". Since this is the last item in the expression, its value is returned, which is empty string.
The tutorial I linked describes it as follows:
The comma operator in JavaScript evaluates each of its operands. It returns the value of the last operand. Add multiple expressions using the comma operator.

Why is (date1, date2) a valid expression in javascript? [duplicate]

This question already has answers here:
What does the comma operator do in JavaScript?
(5 answers)
Closed 4 years ago.
I know, weird question. I accidentally pasted an expression in the the Chrome developer tools console but copied it without the function call so instead of:
dayDiff(date1, date2)
I just ran
(date1, date2)
with the variables in parenthesis separated by a comma, which simply returns the value of date2. I'm trying to understand what the engine is interpreting this expression as. I would've expected this to be a syntax error.
It is comma operator. It simply evaluates both arguments and returns the RHS value.

Why ++var++ is not a legal Javascript expression? [duplicate]

This question already has an answer here:
Increment a number by prefix and postfix operator
(1 answer)
Closed 5 years ago.
I was reading about Javascript operators precedence over here and got curious why I can't write something like this:
let num = 1;
++num++;
Which gets Uncaught ReferenceError: Invalid left-hand side expression in prefix operation error. But why is that? :)
It evaluates as
++(num++)
so, the expression
num++
returns a number, not the variable, because it is a primitive value. The added plusses, throws an exception, because a primitive value is not a variable and an assigment is not possible.

SyntaxError: Number.toString() in Javascript [duplicate]

This question already has answers here:
Calling member function of number literal
(3 answers)
Closed 6 years ago.
Why do I get an error on this, in Javascript:
10000000.toString();
You can see an example in here:
http://jsbin.com/kagijayecu/1/edit?js,console
It's because the JS parser is expecting more digits after the "." rather than a method name, e.g. 1000000.0, and in fact 1000000.0.toString() will work as expected.
wrap it inside () like this (10000000).toString()
When JS parse meets dot after digit it expects floating-point literal, e.g. 1000000.0

How to deobfuscate this JavaScript code? [duplicate]

This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Decode obfuscated JavaScript
Question:
I have the following javascript code:
var _0xe91d=["\x28\x35\x28\x24\x29\x7B\x24\x2E\x32\x77\x2E
...
x5F\x63\x6F\x6E\x74\x5F\x64\x75\x72\x7C\x76\x5F\x74\x61\x62\x73\x5F\x61\x6C\x69\x67\x6E\x7C\x76\x5F\x74\x61\x62\x73\x5F\x64\x75\x72\x7C\x76\x5F\x73\x63\x72\x6F\x6C\x6C\x7C\x63\x6F\x6E\x74\x5F\x61\x6E\x69\x6D\x7C\x63\x6F\x6E\x74\x5F\x66\x78\x7C\x74\x61\x62\x5F\x66\x78\x7C\x72\x65\x70\x6C\x61\x63\x65\x7C\x62\x61\x6C\x69\x67\x6E\x7C\x61\x6C\x69\x67\x6E\x5F\x7C\x75\x6E\x6D\x6F\x75\x73\x65\x77\x68\x65\x65\x6C\x7C\x73\x77\x69\x74\x63\x68\x7C\x64\x65\x66\x61\x75\x6C\x74\x7C\x6A\x51\x75\x65\x72\x79","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0x173cx1,_0x173cx2,_0x173cx3,_0x173cx4,_0x173cx5,_0x173cx6){_0x173cx5=function (_0x173cx3){return (_0x173cx3<_0x173cx2?_0xe91d[4]:_0x173cx5(parseInt(_0x173cx3/_0x173cx2)))+((_0x173cx3=_0x173cx3%_0x173cx2)>35?String[_0xe91d[5]](_0x173cx3+29):_0x173cx3.toString(36));} ;if(!_0xe91d[4][_0xe91d[6]](/^/,String)){while(_0x173cx3--){_0x173cx6[_0x173cx5(_0x173cx3)]=_0x173cx4[_0x173cx3]||_0x173cx5(_0x173cx3);} ;_0x173cx4=[function (_0x173cx5){return _0x173cx6[_0x173cx5];} ];_0x173cx5=function (){return _0xe91d[7];} ;_0x173cx3=1;} ;while(_0x173cx3--){if(_0x173cx4[_0x173cx3]){_0x173cx1=_0x173cx1[_0xe91d[6]]( new RegExp(_0xe91d[8]+_0x173cx5(_0x173cx3)+_0xe91d[8],_0xe91d[9]),_0x173cx4[_0x173cx3]);} ;} ;return _0x173cx1;} (_0xe91d[0],62,284,_0xe91d[3][_0xe91d[2]](_0xe91d[1]),0,{}));
How exactly can I decipher it, and find out what it does ?
And what's the principle behind this obfuscation ?
It does some replacement on some text using Regular Expression.
The expression is in hex code, you can use .toString() to bring it back to unicode:
for example:
"\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65".toString() : fromCharCode
or
"\x72\x65\x70\x6C\x61\x63\x65".toString() : replace
It's just hex codes in a string \x20 is a space which is decimal 32.
print _0xe91d

Categories

Resources