I'll show eight different ways of turning strings into code that is executed immediately. I'm using plain JavaScript only here, but libraries like jQuery have methods that can be exploited as an implicit eval.
eval()
eval itself:
eval("alert('lorem ipsum')");
setTimeout()
setTimeout is the best-known example of implicit eval, when you pass it a string.
// Both are equivalent
setTimeout("alert('lorem ipsum')", 100);
setTimeout(function(){ eval("alert('lorem ipsum')"); }, 100);
setInterval()
setInterval is similar to setTimeout, but it runs repeatedly at the chosen interval instead of just once when the time has elapsed.
// Both are equivalent
setInterval("alert('lorem ipsum')", 100);
setInterval(function(){ eval("alert('lorem ipsum')"); }, 100);
new Function()
Function can be considered an implicit form of eval because it accepts strings:
var adder = new Function("a", "b", "return a + b");
alert(adder(3,5));
document.write()
document.write, if used to write <script> tags, also works as eval:
document.write('<script>alert("lorem ipsum")</script>')
document.writeln()
document.writeln is very similar to document.write, but it adds a newline at the end.
document.writeln('<script>alert("lorem ipsum")</script>')
Data URI
Data URIs are the most atypical example, but they are occasionally used to exploit browser flaws.
var s = document.createElement('script');
s.src = 'data:text/javascript,' + encodeURIComponent('alert("lorem ipsum")')
document.body.appendChild(s);
Reference: own knowledge, MDN links and link
DOM
Similar to the data URI approach, but inserting the code directly rather than using the src attribute:
var s = document.createElement('script');
s.appendChild(document.createTextNode('alert("lorem ipsum");'));
document.body.appendChild(s);
javascript:
Also similar to the data URI approach, but inserting the code into the page URL:
location.replace('javascript:alert("lorem ipsum");void(0)');
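For code review, the sinks listed above can be searched for mechanically. The following is an added example, not part of the original answer: a heuristic line scanner whose names (`SINKS`, `findEvalSinks`, `summarize`) and sample input are constructed for illustration.

```javascript
// Heuristic patterns for the string-to-code sinks listed on this page.
// This is line-based regex matching, not a JavaScript parser: aliased calls
// (var e = eval; e(x)) are missed and commented-out code is still flagged.
const SINKS = [
  { name: 'eval',            re: /\beval\s*\(/ },
  // Only the string form of the timers is an implicit eval.
  { name: 'timer-string',    re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { name: 'new-Function',    re: /\bnew\s+Function\s*\(/ },
  { name: 'document.write',  re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: 'data-uri-script', re: /["'`]data:(?:text|application)\/javascript/i },
  { name: 'script-element',  re: /\bcreateElement\s*\(\s*["'`]script["'`]\s*\)/i },
  { name: 'javascript-url',  re: /["'`]\s*javascript:/i },
];

// Returns one finding per (line, sink) match, with 1-based line numbers.
function findEvalSinks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { name, re } of SINKS) {
      if (re.test(text)) findings.push({ line: i + 1, sink: name, text: text.trim() });
    }
  });
  return findings;
}

// Compact "line:sink" form, convenient for CI output or assertions.
function summarize(findings) {
  return findings.map((f) => `${f.line}:${f.sink}`);
}

// Constructed sample input: the page's snippets plus two benign lines (3 and 9).
const SAMPLE = `eval("alert('lorem ipsum')");
setTimeout("alert('lorem ipsum')", 100);
setTimeout(function () { tick(); }, 100);
var adder = new Function("a", "b", "return a + b");
document.writeln('<script>alert("lorem ipsum")</script>');
var s = document.createElement('script');
s.src = 'data:text/javascript,' + encodeURIComponent(code);
location.replace('javascript:alert("lorem ipsum");void(0)');
var total = evaluate(cart);`;

console.log(summarize(findEvalSinks(SAMPLE)).join('\n'));
```

The function form of setTimeout (line 3) and the lookalike `evaluate(` (line 9) are not flagged; a `script-element` hit only marks a place to check what ends up in the element's `src` or text.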