拦截JavaScript Alert()..? 可以接受吗?
[英]intercepting javascript alert()..? is it acceptable?
问题描述
I just found we can intercept the javascript alert() native call and hook the user code before the actual execution. 
我刚刚发现我们可以拦截javascript alert()本机调用并在实际执行之前挂接用户代码。 check out the sample code.. 查看示例代码。
function Test(){
var alertHook=function(aa){
this.alert(aa);
}
this.alert("aa");
this.alert = alertHook;
alert("aa");
}
so everytime i call alert("aa") is been intercepted by my alertHook local function. 因此,每次我调用alert(“ aa”)都会被我的alertHook本地函数拦截。 But the below implementation with the small change does not work. 但是下面的更改很小的实现不起作用。
function Test(){
var alertHook=function(aa){
alert(aa);
}
alert("aa");
alert = alertHook; //throws Microsoft JScript runtime error: Object doesn't support this action
alert("aa");
}
it throws Microsoft JScript runtime error: Object doesn't support this action . 它将引发Microsoft JScript运行时错误:对象不支持此操作 。
I dont know how this .alert = alertHook; 我不知道这个 .alert = alertHook; let me intercept the call, but alert=alertHook; 让我拦截呼叫,但是alert = alertHook; not.?? 不。??
So i assume using this to intercept any native js methods.? 所以我假设使用它来拦截任何本地js方法。 is that right? 那正确吗?
And is that acceptable? 可以接受吗? because this way i can completely replacing any native JS calls with my own methods?? 因为这样我可以用我自己的方法完全替换任何本地JS调用?
UPDATE: 更新:
I asked is that acceptable? 我问是否可以接受? because how this is a good approach having eval() and letting users to replace native function calls? 因为这是具有eval()并让用户替换本地函数调用的好方法?
And its responsibility of a language to protect developers from the misleading features, replacing the native js calls in a window level(or in a common framework js file) would crash the whole system.. isn't it?? 它的语言责任是保护开发人员免受误导功能的侵害,在窗口级别(或公共框架js文件)中替换本机js调用会导致整个系统崩溃。不是吗?
i may be wrong in my opinion because i dont understand the reason behind this feature..? 我认为我可能是错的,因为我不了解此功能背后的原因。 I never seen a language that let developer to replace its own implementation.. 我从未见过一种语言可以让开发人员替换其自己的实现。
3 个解决方案
解决方案1
3 2010-01-19 13:07:03
Depending on how Test(); 取决于Test(); is being called, this should be the window Object. 被调用, this应该是window对象。
I believe Microsoft allows overwriting native JS functions only by specifying the window object. 我相信Microsoft仅允许通过指定window对象来覆盖本机JS函数。
So window.alert = alertHook; 所以window.alert = alertHook; should work anywhere. 应该在任何地方工作。
is it acceptable? 可以接受吗?
Yes it is. 是的。 This is a major strength for the flexibility of the language, although I'm sure there's better alternatives instead of overwriting native behavior. 这是提高语言灵活性的主要优势,尽管我敢肯定还有更好的替代方法,而不是覆盖本地行为。
Overwriting native JavaScript functions isn't really a security issue. 覆盖本地JavaScript函数并不是真正的安全问题。 It could be one if you're running someone elses code that does it; 如果您正在运行执行此操作的其他人的代码,则可能是这样。 but if you're running someone elses code there's a lot of other security issues you should be concerned about. 但是,如果您正在运行其他人的代码,则还应该关注许多其他安全问题。
解决方案2
0 2010-01-19 13:17:07
In my opinion, it never is good practice to redefine the native functions. 我认为,重新定义本机函数永远不是一个好习惯。 It's rather better to use wrappers (for instance, create a debug function that directs its output to alert or console.log or ignores the calls or whatever suits your needs). 最好使用包装器(例如,创建一个debug函数,将其输出定向到alert或console.log或忽略调用或任何满足您需要的函数)。
As for why JScript throws an exception with your second example and not the first one, it's easy. 至于为什么JScript在第二个示例而不是第一个示例中引发异常,这很容易。 In the first example, you create a property called alert in your local scope, so when you refer alert you'll be referring this.alert rather than window.alert . 在第一个示例中,您在本地范围内创建了一个名为alert的属性,因此当您引用alert您将引用this.alert而不是window.alert 。 In the second example, the alert you're referencing is the one from window , so assigning a different function to it will fail. 在第二个示例中,您所引用的alert是来自window的alert ,因此为其分配其他功能将失败。
解决方案3
0 2010-01-19 13:45:43
And its responsibility of a language to protect developers from the misleading features, replacing the native js calls in a window level(or in a common framework js file) would crash the whole system.. isn't it??
Not true, replacing the native call only hooks into it, replaces it: it does not rewrite the native at all. 并非如此,替换本机调用仅会钩住它,然后将其替换:它根本不会重写本机。 Crashing the "whole" system; 破坏“整个”系统; JavaScript runs in a Virtual Machine, it's interpreted, so the chance of crashing the "whole" system (ie Blue Screen of Death?) is very very small. JavaScript是在虚拟机中运行的,它是经过解释的,因此,使“整个”系统(即,蓝屏死机?)崩溃的机会非常小。 If so: it's not the programmers fault, but the implementation of JavaScript which is causing the error. 如果是这样:不是程序员的错,而是导致错误的JavaScript实现。
You can consider it as a feature: for instance, if you load a JavaScript from someone else's hand, you can reimplement some functions to extend. 您可以将其视为功能:例如,如果从别人的手上加载JavaScript,则可以重新实现某些功能以进行扩展。
Protection to the programmer is like keeping a dog on the leash: only unleash it, when you trust the dog! 对程序员的保护就像将狗拴在皮带上:只有当您信任它时,才能释放它! Since JavaScript runs in a Virtual Machine, any programmer can be unleashed -- if the implementation is secure enough, which it is (most of the time?) 由于JavaScript在虚拟机中运行,因此任何程序员都可以释放出来-如果实现的安全性足够高(大多数情况下是这样)?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.