3

While trying to understand how a web server worked, I came accross this:

//myfile.js
function donothing(){};

//myfile.html
javascript:donothing(open('http://www.acme.com/whatever.jpg','','left=100, right=0, top=100, scrollbars=no, status=no, titlebar=no, resizable=no, toolbar=no, menubar=no, width=255, height=255'))

I'm no JavaScript expert, so I don't get how an empty function can be made to work. Does someone know?

Thank you.

Improve this question

6 Answers 6

Reset to default
19

This is a homemade void substitute to avoid having the expression return a value.

window.open will return a reference to the opened window, and this can have unexpected results.

For instance, try pasting javascript:a=1 into the address field - this will result in a blank screen with the number 1 in it as the browser will by default try to use the result of any expression run as the new document.

To avoid this you use javascript:void(a=1) as void will not return anything, and so the result isn't used as the new document.

Using donothing(foo=bar) or the equivalent Function.prototype(foo=bar) is not needed as the built-in void does the exact same.

But mind, the use of void is only needed when copying text into the address field, its not necessary when you use the pseudo protocol javscript: in links (which you should never do anyway).

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

3

The one that does the work is open(...). The operands are evaluated first before the function is called (and Javascript doesn't care about the number of operands to the function).

Improve this answer

Comments

2

The donothing function is passed a parameter that it ignores. It is the parameter itself that does the work, however.

Improve this answer

1 Comment

Actually, in order to pass the parameter to donothing, it is first executed. The RESULT (return value) from the function (in this case open) is then passed to donothing.
1

the call to donothing is just acting as a shroud. The open function is being called before donothing.

Apparently whomever wrote it felt the naked javascript: call was vulnerable. Strange.

Improve this answer

Comments

0

Well, although it is difficult to understand the point of donothing without seeing the rest of the code... the open function will be evaluated anyway. So effectively what is happening is that the open function is being called.

Why they're using donothing to do it is difficult to say without other info :)

Improve this answer

3 Comments

Thanks everyone for the feedback. The donothing() is located in a .js file, and is used in hyperlinks such as: <a href="javascript:donothing(open('acme.com/whatever.jpg','','left=100, right=0, top=100, scrollbars=no, status=no, titlebar=no, resizable=no, toolbar=no, menubar=no, width=242, height=325'))"><img src='acme.com/whatever.jpg'>Click me</a>
What's even weirder, is that the Fiddler proxy doesn't display anything when I click on this type of hyperlink :-/
Its not strange if the image is served from the cache. Mind selecting one of the answers as the solution?
0

But mind, the use of void is only needed when copying text into the address field, its not necessary when you use the pseudo protocol javscript: in links (which you should never do anyway).

Not 100% true. If you write, in html, <a href="javascript:1+2;">clickme</a>, many browsers will still give you an empty screen with the return value that evaluates to true in Javascript. That's the precise reason to use the void operator in <a> tags also when you, for example, auto-generate tags in a template language.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.