
Calling toString on a javascript function returns source code

I just found out that when you call toString() on a javascript function, as in myFunction.toString(), the source code of that function is returned.

If you try it in the Firebug or Chrome console it will even go as far as formatting it nicely for you, even for minimized javascript files.
I don't know what it does for obfuscated files.

What's the use of such a toString implementation?

Sergi Papaseit asked Mar 16 '11 15:03



4 Answers

It has some use for debugging, since it lets you see the code of the function. You can check if a function has been overwritten, and if a variable points to the right function.

It has some uses for obfuscated javascript code. If you want to do hardcore obfuscation in javascript, you can transform your whole code into a bunch of special characters, and leave no numbers or letters. This technique relies heavily on being able to access most letters of the alphabet by forcing the toString call on everything with +"".

Example: (![]+"")[+[]] is f since (![]+"") evaluates to the string "false" and [+[]] evaluates to [0], thus you get "false"[0] which extracts the first letter f.

Some letters like v can only be accessed by calling toString on a native function like [].sort. The letter v is important for obfuscated code, since it lets you call eval, which lets you execute anything, even loops, without using any letters. Here is an example of this.

HoLyVieR answered Oct 09 '22 13:10
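
The "has this function been overwritten" check and the coercion steps from the answer above, as an added example that is not part of the original thread. It reads the source through a saved reference to Function.prototype.toString, so a replacement that defines its own toString cannot hide behind it; the helper names are hypothetical and the exact "[native code]" text is assumed engine behaviour.

```javascript
// Added example; the helper names (sourceOf, looksNative, ...) are hypothetical.

// Save the built-in up front so later reads do not depend on it staying intact.
const fnToString = Function.prototype.toString;

// Source text of fn via the saved built-in, ignoring any toString set on fn itself.
function sourceOf(fn) {
  return fnToString.call(fn);
}

// Engines print built-ins as "function name() { [native code] }". The exact
// spacing is engine behaviour (an assumption here), so the pattern is lenient.
const NATIVE_RE = /^function\s*[\w$]*\s*\([^)]*\)\s*\{\s*\[\s*native code\s*\]\s*\}$/;

function looksNative(fn) {
  return typeof fn === 'function' && NATIVE_RE.test(sourceOf(fn));
}

// Constructed scenario: a built-in is wrapped, and the wrapper lies about itself.
function demoOverwrite() {
  const original = Array.prototype.sort;
  const wrapper = function sort(cmp) { return original.call(this, cmp); };
  wrapper.toString = () => 'function sort() { [native code] }';
  return {
    claimed: String(wrapper),            // what wrapper.toString() reports
    nativeBefore: looksNative(original), // the untouched built-in
    nativeAfter: looksNative(wrapper),   // real source is visible, so not native
    // Caveat: bind() output also prints as native code, so a source check
    // alone is not proof; compare against a saved reference as well.
    boundLooksNative: looksNative(wrapper.bind(null)),
    sameAsSaved: wrapper === original,
  };
}

// The coercions from the answer, evaluated step by step.
function coerce() {
  return {
    falseStr: ![] + '',                 // boolean false coerced to a string
    zero: +[],                          // empty array coerced to a number
    f: (![] + '')[+[]],                 // index 0 of "false"
    hasV: ([].sort + '').includes('v'), // "v" comes from "[native code]"
  };
}
```

The bound-function case is why identity comparison against a reference captured at page start is the stronger check; the source-text test only tells you what the function claims to be.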


function.ToString - Returns a string representing the source code of the function. For Function objects, the built-in toString method decompiles the function back into the JavaScript source that defines the function.

Read this on Mozilla.

CloudyMarble answered Oct 09 '22 13:10


You can use it as an implementation for multi-line strings in Javascript source.

As described in this blog post by @tjanczuk, one of the massive inconveniences in Javascript is multi-line strings. But you can leverage .toString() and the syntax for multi-line comments (/* ... */) to produce the same results.

By using the following function:

function uncomment(fn){
  return fn.toString().split(/\/\*\n|\n\*\//g).slice(1,-1).join();
};

…you can then pass in multi-line comments in the following format:

var superString = uncomment(function(){/*
String line 1
String line 2
String line 3
*/});

In the original article, it was noted that Function.toString()'s behaviour is not standardised and therefore implementation-discrete — and the recommended usage was for Node.js (where the V8 interpreter can be relied on); however, a Fiddle I wrote seems to work on every browser I have available to me (Chrome 27, Firefox 21, Opera 12, Internet Explorer 8).

Barney answered Oct 09 '22 12:10


A nice use case is remoting. Just toString the function in the client, send it over the wire and execute it on the server.

R.Moeller answered Oct 09 '22 13:10