greggman / html5bytebeat

Bytebeats in HTML5
http://greggman.com/downloads/examples/html5bytebeat/html5bytebeat.html
MIT License

XSS exploit #33

Closed jan-ale closed 1 year ago

jan-ale commented 1 year ago

I've found an exploit that lets you get window. So, 0 is a number, I think we can agree on that. So 0["constructor"] returns the function Number. Now Number is a function, and we can use 0["constructor"]["constructor"] to get the function Function. The problem is that we can do Function("return this")() and get window, because it's running as window. window also has more useful keys inside of it, like document.

There's also the fact that you can't type in the code without it automatically running when it checks for errors. This can be solved by setting it to glitch, where "return this" causes an error due to the space. Then, in the URL, you can change e to 0 to create an automatically running link. There's also a limitation where "https://" is automatically escaped or something, so you have to split links into two strings, or encode it somehow.

Here's an example

greggman commented 1 year ago

lol! that was amazing

I cleared that constructor. Happy to fix others too if it's easy.

jan-ale commented 1 year ago

Turns out I just needed to clear my cache

jan-ale commented 1 year ago

After some more testing, I found out that ""["constructor"]["constructor"] still returns Function. I think this could be fixed by setting Function.prototype.constructor instead.

jan-ale commented 1 year ago

An example

jan-ale commented 1 year ago

I've opened a pull request that should hopefully fix it

jan-ale commented 1 year ago

Seems to work, though one thing is I think you can just use "Function.prototype.constructor" without any issues.
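As an added example that is not part of this thread or the html5bytebeat code, the harness below compiles a bytebeat-style expression the way such a page might and checks the two lookups reported above (0["constructor"]["constructor"] and ""["constructor"]["constructor"]) before and after each hardening step; it shows why clearing only Number's constructor leaves the string path open, while clearing Function.prototype.constructor covers both. The function names (compileExpression, probeEscapes, demo) are this example's own assumptions.

```javascript
// Added example, not the project's code. Keep a private reference to Function
// before any hardening: the sandbox itself still needs it to compile expressions.
const RealFunction = Function;

// Compile a user expression into a function of the sample index t, as a
// bytebeat page might do (assumption: the real page may shadow more globals).
function compileExpression(src) {
  return new RealFunction('t', 'return (' + src + ');');
}

// The two lookups reported in the issue, as user-supplied expression source.
const PROBES = {
  viaNumber: '0["constructor"]["constructor"]',
  viaString: '""["constructor"]["constructor"]',
};

// For each probe, true means the expression still yields the real Function
// constructor, so Function("return this")() would reach the global object.
function probeEscapes() {
  const out = {};
  for (const [name, src] of Object.entries(PROBES)) {
    let value;
    try { value = compileExpression(src)(0); } catch (e) { value = undefined; }
    out[name] = value === RealFunction;
  }
  return out;
}

// First attempt discussed in the thread: blank only Number's own "constructor".
// String.constructor still resolves through Function.prototype, so it is not enough.
function clearNumberConstructor() {
  Object.defineProperty(Number, 'constructor',
    { value: undefined, writable: false, configurable: false });
}

// The fix suggested by jan-ale: blank Function.prototype.constructor, which is
// where every built-in function's "constructor" lookup ends up. Non-configurable
// so that expression code cannot simply redefine it.
function hardenFunctionConstructor() {
  Object.defineProperty(RealFunction.prototype, 'constructor',
    { value: undefined, writable: false, configurable: false });
}

// Runs the sequence from the issue and returns the probe results at each stage.
function demo() {
  const before = probeEscapes();
  clearNumberConstructor();
  const numberOnly = probeEscapes();
  hardenFunctionConstructor();
  const after = probeEscapes();
  return { before, numberOnly, after };
}
```

Calling demo() once is enough; it mutates the built-ins of the current realm, so run it in a throwaway process rather than inside an application that relies on Function.prototype.constructor.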