The Author Shows us How He have found unconventional ways to understand JS better , calling functions without parentheses and crafting XSS vectors …..etc
Let’s Start :
- Hex Decimal encoding is a way for representing characters using a base-16 numbering system , in this Encoding the Escape sequence “\” is prefixed with the letter x
Note : The Hex Decimal Encoding works within Strings Only Such as :
“” or ‘’ or ``
EX :
-1 ‘\x61’ // represents the character ‘a’
-2 “\x61” // also represents the character ‘a’
-3 `\x61` // once again represents the character ‘a’
Important Note : we can not call any function using hexadecimal outside of strings , look at example to understand better , EX :
function a() {} // Declaring Function named a()
\x61(), will fail , Cos it Works Only within String
Note : \x61() != a()
- Unicode escapes are used to represent characters using Unicode encoding, in this encoding The escape
sequence “\” is prefixed with the letter “u” and works both in strings and identifiers(without string)
There are two forms for Unicode Encoding :
-1 \u Form : Allows characters in the range 0x00-FFFF (Four Hexdecimal characters Only)
- EX: ‘\u0061’ represents ‘a’
-2 \u{} Form: you are not restricted to four hexadecimal characters (allows you to use any number
of hexadecimal)
- EX: ‘\u{61}’ is also ‘a’
Note : Since Unicode works without strings , Let’s Define Function and call it with unicode
Ex : function a() {}
\u{61}() // Correctly Call The Function
\u0061() // Also Correctly Call The Function
Note : To Define Variable , \u{Ben123}=123 , So unicode character Ben123 is allowed as a variable
- Octal Unicode : is a way for representing Characters using Unicode numbering System
Note : They can only be used within strings like Hexdecimal , And There is no prefix for octal Escapes
you simply use a backslash followed by a base-8 number , Octal Numbering consist of from 0 to 7
Examples :
‘\141’ // represent a letter
“\8” //number outside the octal range so 8 is returned
`\9` //number outside the octal range so 9 is returned
- Eval and Escapes : I mean Here We Can use Eval Function with Escapes like ( Hex , Unicode and Octal)
Important Note : Eval Works with String and decodes The Input Passed to it Then Executes it
Remember Hex Works Only within string but can works with Eval Fuction
EX : eval(‘\x61=123’) is valid, First Eval Decode The input, Convert \x61 to a letter and it sets a to
123
- Eval With Unicode Escape
EX :
eval(‘\\u0061=123’); // The Second backslash inside the string is escaped by First backslash , producing a unicode escape used as an identifier , So \u0061 = 123 = a = 123
- Eval with Unicode and Hexdecimal — merged (Unicode , Hex)
EX : eval(‘\\u\x30061=123’) // The First Part “\u\x300” represents the character ‘0’ So
‘061=123’ When evaluated by eval, it essentially sets the variable named ‘061’ to the value 123
- Strings : We Have 3 Forms Of Strings
- Single-Quoted Strings:
Enclosed by single quotes (e.g., ‘Hello’)
-Double-Quoted Strings:
Enclosed by double quotes (e.g., “Hello”)
-Template Strings:
Enclosed by backticks (e.g., `Hello`)
Single Character Escape Sequences:
‘\b’: Backspace
‘\f’: Form feed
‘\n’: New line
‘\r’: Carriage return
‘\t’: Tab
‘\v’: Vertical tab
‘\0’: Null character
‘\’’: Single quote
‘\”’: Double quote
‘\\’: Backslash
Note : In JavaScript strings, you can escape any character that isn’t part of an escape sequence, and it will be treated as the actual character
EX : “\H\E\L\L\O” results in the string “HELLO”
Note : Double and single quoted strings do not support multiple lines unless you use \ to continue to
the next line , EX :
// Using template string with \
x = `a\
b\
c`;
x === ‘abc’; // true
// Using double and single quoted strings without \
x = `a
b
c`;
x === ‘abc’; // false
- Arbitrary JavaScript Expressions in Placeholders “{}”
Template String `` Allows You to Execute Arbitrary JS withing Placeholder , EX :
`${7*7}` results in the string “49”
- Nested Template Strings Allows You to Execute Arbitrary JS withing
- Multiple Placeholder EX : `${`${`${`${7*7}`}`}`}` results in the string “49”
- Tagged Template Strings and Function Calls : Tagged template strings are a feature in JavaScript that allows you to call a function EX :
- alert`1337` // In this example, alert is the tag function, and it is called with the argument 1337
- Function Invocation with Template String (``) , Let’s Take Example :
function x() {
return x;
}
x````````````
In Above Code we Have Defined a function named x that returns itself , and we calling The Function
with a tagged template string ``
- Call And Apply Function In JS :
- call is a property of every function in JS , EX :
function x() {
console.log(this.bar); // Outputs: “baz”
}
let foo = { bar: “baz” };
x.call(foo);
In Above example, x.call(foo) calls the function x and changes this to refer to the foo object
Note : If you want to pass arguments to the function, you simply add them after the this value
EX : function x() {
console.log(arguments[0]); // Outputs: 1
console.log(arguments[1]); // Outputs: 2
console.log(this); // Outputs: object Window , This Refer to Null That Means object Window
}
x.call(null, 1, 2);
In Above Code, x.call(null, 1, 2) calls the function x, sets this to null, and passes the arguments 1
and 2
Note : If you are in strict mode (“use strict”), and you don’t provide a this value, it defaults to
null
EX :
function x() {
“use strict”;
console.log(arguments[0]); // Outputs: 1
console.log(arguments[1]); // Outputs: 2
console.log(this); // Outputs: null Cos we are in strict mode
}
x.call(null, 1, 2);
- Apply Function : apply is similar to call but with one important difference , you can supply an array of arguments as the second argument
- EX :
function x() {
console.log(arguments[0]); // Outputs: 1
console.log(arguments[1]); // Outputs: 2
console.log(this); // Outputs: [object Window]
}
x.apply(null, [1, 2]);
Note : Here, x.apply(null, [1, 2]) does the same as x.call(null, 1, 2), but you
pass the arguments as an array
