Replace window or document objects with a JavaScript object

Is there a way to replace the window or document objects? Basically, I want to provide some kind of JavaScript proxy: I want the user not to get "SOME" (only some! This is important) DOM elements on the page. By "user" I mean a third-party script.

I can do it:

    document.getElementsByTagName("a")              // NodeList[129]
    document.getElementsByTagName = function(){}    // function (){}
    document.getElementsByTagName("a")              // undefined

But what can I do for document.all? How can I replace the field of the DOM object so that it returns only "SOME" of the DOM elements?

UPD If there is a way to replace the document object with some JavaScript object, it will be much better

UPD2. I don't care if your method doesn't work with older browsers. Therefore, I am well versed in any solution that works on gamers "A"

UPD3. I know that 100% security does not exist in JavaScript. I am not trying to stop hackers from "HACKING"; I know that this is not possible. I want developers to write a "plugin" for my "home" structure to do stupid things.

UPD4 : fine, I cannot replace Document or Window, but can I at least replace all the "fields" or "functions" that are overwritten to return "DOM" elements? for example "document.getElementById" or "document.all"?

UPD5 : User @pebbl suggested something that is "close" to what I want

    function a(window, document){
      /// in here window and document should be numerics
      alert(window);
      alert(document);
    }
    a(123,456);

but its solution has one big problem http://jsfiddle.net/kRLax/

UPD6-7 : it's "perfect" (at least for me)

http://jsfiddle.net/kRLax/12/

    function Fx(){ return function(){} }

    function SafeThis(that){
      if (that == window) {
        return fakeWindow;
      } else if (that == document) { // comparison, not assignment
        return fakeDocument;
      } else {
        return that;
      }
    }

    var fakeDocument = {
      write: function(a){ document.write(a) }
    }
    var fakeWindow = {
      document: fakeDocument
    }

    var moduleA = function(Function, window, document, eval){
      document.write(window + "<br>");
      var f = new Function("return this");
      document.write(f() + "<br>");
      var win = (function(){return this;})();
      document.write(win + "<br>");
      var e = eval("this");
      document.write(e + "<br>");
      document.write(this + "<br>");
      document.write(window + "<br>");
      document.write(document + "<br>");
      this.a = 1;
      document.write(JSON.stringify(this));
    };

    // Rewrite every `this` in the module source, then run it with the fakes.
    var moduleA_Fx = '!' + moduleA.toString().replace(/\bthis\b/g,"SafeThis(this)") + '(Fx,fakeWindow,fakeDocument,Fx)';
    document.write(moduleA_Fx + "<br><br>");
    eval(moduleA_Fx);
+2
source share
3 answers

You can do the following, but you have to parse an external script within your function:

    function a(window, document){
      /// in here window and document should be numerics
      alert(window);
      alert(document);
    }
    a(123,456);

Or, if you have a server proxy, you can rewrite your code using a wrapped anonymous function, which is then called with your proxy document and window objects.

    ;(function(window, document){
      /// the unknown external code here.
    })(windowProxy, documentProxy);

However, there are ways around this, as they may use the following depending on the JS environment:

 var win = (function(){return this;})(); 

You may also need to include other collections to make sure they are not available:

 ;(function(window, document, all, images, ...){ ... } 

But they will also be able to access the original document through any dom elements that you also allowed them to ...

Regarding UPD6

Just in case this is useful, you may also want to plug the following holes:

  • setTimeout
  • setInterval

Both of these can be used to evaluate code.

 setTimeout('(function(){alert('+'th'+'is'+');})()'); 

Plus, when exposing document.write this is also doable:

    document.write(
      '<img src="data:image/gif;base64,ERROR" ' +
      'onerror="alert(th'+'is.ownerDocument);" />'
    );

And you must block access to SafeThis and rewrite any mention of it in the target code, otherwise it can be canceled:

 SafeThis = function(that){return that;} 

Also, although it seems pretty safe, I am sure that there will be other ways around it if someone is zealous enough, but it really depends on how determined you think your potential attackers might be ;)

+1
source
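
Added example (not part of the original question or answers): a small Node.js harness that runs the `this`-recovery snippets quoted in this thread against two wrappers and lists which ones still reach the real global object. `globalThis` stands in for `window`; `fakeWindow`, `fakeDocument`, `runShadowOnly`, `runStrictBound` and `audit` are names assumed for the illustration, and an empty result covers only the probes listed, not containment in general.

```javascript
// Constructed probe list: each expression is taken from a snippet in this thread.
const PROBES = [
  '(function(){return this;})()',   // plain call: `this` defaults to the global in sloppy mode
  'new Function("return this")()',  // the Function constructor compiles in global scope
  'eval("this")',                   // direct eval sees the caller's `this`
  'this',                           // the wrapper's own `this`
];

const realGlobal = globalThis;                     // stands in for the real `window`
const fakeDocument = { write() {} };               // hypothetical proxy objects
const fakeWindow = { document: fakeDocument };
const Fx = function () { return function () {}; }; // inert stand-in for Function, as in UPD6

// Wrapper 1: only shadows window and document (the first suggestion above).
function runShadowOnly(probe) {
  const f = new Function('window', 'document', 'return (' + probe + ');');
  return f(fakeWindow, fakeDocument);
}

// Wrapper 2: strict mode, `this` bound to the proxy, Function shadowed.
// Strict mode forbids a parameter named `eval`, so eval stays in place;
// a strict direct eval still sees the wrapper's bound `this`.
function runStrictBound(probe) {
  const f = new Function('window', 'document', 'Function',
    '"use strict"; return (' + probe + ');');
  return f.call(fakeWindow, fakeWindow, fakeDocument, Fx);
}

// Returns the probes whose result is the real global object.
function audit(run) {
  return PROBES.filter((probe) => run(probe) === realGlobal);
}

console.log('shadow-only leaks :', audit(runShadowOnly));
console.log('strict+bound leaks:', audit(runStrictBound));
```

The probe list can be extended with whatever a plugin review turns up, so the harness doubles as a regression check for the wrapper.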

You can reassign only writable properties, so document and window are off the table.

+1
source

The global "document" property is not writable and cannot be configured, so no, you cannot.

    // try this in global code
    Object.getOwnPropertyDescriptor( this, 'document' ).writable // false
+1
source

Source: https://habr.com/ru/post/1266255/

