greggman / html5bytebeat

Bytebeats in HTML5
http://greggman.com/downloads/examples/html5bytebeat/html5bytebeat.html
MIT License

js code can access the global scope and do anything #37

Closed SArpnt closed 6 months ago

SArpnt commented 10 months ago

try this one out

import("data:text/javascript,document.location='/'+'/youtu.be/oHg5SJYRHA0'")

jan-ale commented 10 months ago

40ad2fa4a89727c060afe565a2cf3a27282eb35b tried to fix it, but now it shows SyntaxError: Unexpected token 'import'

Quotes don't fix it. Though import is a token, and we can't eval things, so maybe we could detect if the code contains import?

jan-ale commented 6 months ago

commit 081533daac0c85200dceef1440829bda149c9923 fixed it!
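
The check suggested in the thread ("detect if the code contains import"), sketched as an added example; it is not html5bytebeat's code and not what either commit above does. The names `SHADOWED`, `containsImportToken`, `importCannotBeShadowed` and `compileExpression` are hypothetical, and the sample expressions are constructed.

```javascript
// Illustrative list of globals hidden from the expression (an assumption,
// not the project's list). Each becomes a parameter that is passed undefined.
const SHADOWED = ['window', 'document', 'self', 'globalThis', 'location', 'fetch'];

// Conservative text check: the word `import` anywhere in the source,
// including inside strings and comments, is grounds for rejection.
function containsImportToken(src) {
  return /\bimport\b/.test(src);
}

// `import` is a reserved word, so it cannot be declared as a parameter and
// therefore cannot be shadowed the way ordinary global identifiers can.
function importCannotBeShadowed() {
  try {
    new Function('import', 'return 0');
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Compile a bytebeat expression into f(t): reject on the token check first,
// then build the function with the shadowed names in scope as undefined.
function compileExpression(src) {
  if (containsImportToken(src)) {
    throw new Error('expression rejected: contains the import token');
  }
  const f = new Function(...SHADOWED, 't', `return (${src});`);
  const blanks = SHADOWED.map(() => undefined);
  return (t) => f(...blanks, t);
}

// Constructed sample inputs: two ordinary expressions and one dynamic import.
const samples = ['t*(t>>8&42)', 'typeof globalThis', 'import("data:text/javascript,0")'];

function runSamples() {
  return samples.map((src) => {
    try {
      return { src, result: compileExpression(src)(1000) };
    } catch (e) {
      return { src, rejected: e.message };
    }
  });
}

console.log(importCannotBeShadowed(), runSamples());
```

A text deny-list like this narrows what an expression can reach; it does not isolate the expression from the page.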