The Archive Base

Editorial Team
Asked: June 12, 2026

One of the guarantees that strict mode provides is that in strict function code,

One of the guarantees that strict mode provides is that in strict function code, the identifier arguments always refers to that function’s Arguments object.

    function fn () {
        'use strict';

        // malicious code

        arguments // still refers to the function's Arguments object
    }

So, no matter what code is injected at // malicious code, the arguments identifier is immutably bound to the function’s Arguments object during the entire function invocation.

I was wondering if the same guarantees are provided for the eval identifier, i.e. is the eval identifier guaranteed to refer to the built-in global eval function at all times?

I’d like to point out that the above mentioned guarantee is not provided if our strict code is nested within non-strict code. Non-strict code is allowed to create local "eval" bindings, or to mutate the global "eval" binding. (Also, if another non-strict program uses the same global object (as in a web-page containing multiple scripts), the above mentioned guarantee is also not provided.)

So, for the sake of this question, I’d like to define the following scenario:

  • our program is stand-alone, i.e. it doesn’t share its global object with any other program,
  • our program consists of a single strict IIFE, like so:

    (function () {
        'use strict';
    
        // malicious code
    
        eval // does it still refer to the built-in global eval function? 
    
    }());
    

Given these conditions, is it possible to inject code at // malicious code, that will change the value of the eval identifier?

1 Answer

  1. Editorial Team
    Added an answer on June 12, 2026 at 1:24 am

    Theoretically it should not be possible to reassign the eval identifier to something other than the eval property of the global object, or mask it with a local variable, according to annex C:

    The identifier eval or arguments may not appear as the LeftHandSideExpression of an Assignment operator (11.13) or of a PostfixExpression (11.3) or as the UnaryExpression operated upon by a Prefix Increment (11.4.4) or a Prefix Decrement (11.4.5) operator.

    …

    It is a SyntaxError if the Identifier “eval” or the Identifier “arguments” occurs as the Identifier in a PropertySetParameterList of a PropertyAssignment that is contained in strict code or if its FunctionBody is strict code (11.1.5).

    …

    It is a SyntaxError if the identifier eval or arguments appears within a FormalParameterList of a strict mode FunctionDeclaration or FunctionExpression (13.1)

    …and so on.


    As discussed below, it’s possible to change the global eval function by assigning a new value to that property of the global object. A reference to the global object can be obtained by an indirect call to eval in strict mode:

    var glob = (0,eval)('this');
    

    You could extend that to something that will work reliably in non-strict mode as well:

    var glob = (function(){ return this || (0,eval)('this') }());
    

    …and then assign its eval property to something else.

    While eval will still be identical to the eval property of the global object, it won’t be the built-in eval anymore, which should meet your conditions.
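
The behaviour the answer describes, as an added example that is not part of the original question or answer: the strict-mode parser rejects rebinding eval, yet a write to the global object's eval property still changes what the identifier resolves to. The hardening step (making that property non-writable and non-configurable before untrusted code runs) goes beyond the answer; strictRejects, evalSurvives and lockEval are hypothetical names and the injected snippets are constructed.

```javascript
// Added example, not from the original post; all function names are hypothetical.
const glob = (0, eval)('this');   // global object, obtained as in the answer
const builtinEval = glob.eval;    // captured before any untrusted code runs

// True if the strict-mode parser rejects `body` (the annex C restrictions).
function strictRejects(body) {
    try {
        new Function("'use strict';\n" + body);
        return false;
    } catch (e) {
        return e instanceof SyntaxError;
    }
}

// Models the question's strict function: runs `injected`, then reports whether
// the identifier eval still resolves to the built-in. Restores the global after.
function evalSurvives(injected) {
    const probe = new Function('builtin',
        "'use strict';\n" +
        'try { ' + injected + ' } catch (e) { /* a blocked write throws TypeError */ }\n' +
        'return eval === builtin;');
    try {
        return probe(builtinEval);
    } finally {
        Reflect.set(glob, 'eval', builtinEval); // returns false, without throwing, once locked
    }
}

// Hardening: make the global property non-writable and non-configurable.
function lockEval() {
    Object.defineProperty(glob, 'eval',
        { value: builtinEval, writable: false, configurable: false });
}

// Constructed inputs: the write the answer describes, and a defineProperty variant.
const ASSIGN = "(0, eval)('this').eval = function () {};";
const DEFINE = "Object.defineProperty((0, eval)('this'), 'eval', { value: function () {} });";

const results = {
    assignRejected: strictRejects('eval = function () {};'),
    paramRejected: strictRejects('function f(eval) {}'),
    varRejected: strictRejects('var eval;'),
    survivesAssignUnlocked: evalSurvives(ASSIGN),
    survivesDefineUnlocked: evalSurvives(DEFINE),
};
lockEval();
results.survivesAssignLocked = evalSurvives(ASSIGN);
results.survivesDefineLocked = evalSurvives(DEFINE);
console.log(results);
```

The lock only helps if it runs before any untrusted code, and it does not cover the case the question already excludes, where other scripts share the same global object and run first.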
