On Thu, Dec 14, 2017 at 5:39 AM, Gareth Heyes <[email protected]> wrote:
> Hi all > > So many years ago on the sla.ckers forums Yosuke Hasegawa posted > non-alphanumeric JavaScript. We then worked together to find out the > smallest possible charset required to execute non-alphanumeric JavaScript. > We all broke the wall multiple times and Mario Heiderich found the > character limit was 6 characters. It could not be broken..... > Background for other es-discussers, https://news.ycombinator.com/item?id=4370098 links to Yosuke Hasegawa's various obfuscator demos, and IIRC, Mario's argument about the limit is in "Web Application Obfuscation." Gareth, is there a working 6 character contender? That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken when the spec changed the semantics of [].sort.call() so that it no longer returns the global object. > Enter the pipeline operator and Masato Kinugawa. He found using the > specified pipeline operator he could break the wall :O. Check it out it is > awesome: > > https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10 > Looks like somebody has already put together a demo page for it: https://syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html > I really hope the pipeline operator gets specified and implemented by the > various browsers because breaking the wall is a fantastic achievement and > it's useful too. >
_______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
