
Is it possible in some way to hack the behaviour of window.location.replace, to fire a JavaScript function (let's say alert) instead of making the user go to the new location?

I'll give you the example, let's say we have this function:

setTimeout(function(){ window.location.replace("#SOMETHING_HERE#"); }, 900);

This is fired when a user clicks on a specific button; the #SOMETHING_HERE# is a placeholder, and the administrator can put a URL there via a configuration panel.

Now, we all know clients are weird, and mine has just asked me to find a way to fire a JavaScript function instead of redirecting the user; well, I'm stuck. Of course I should modify the function bound to the button, but actually I have no access to the code, and the only entry point is that panel I've mentioned before: I can only change the value of #SOMETHING_HERE#. Does someone have some clues on how I could, for example, fire an alert("foo");? Is that possible in some way?

The answer could also be "NO", and I'll simply tell them that we have to find a way to change that code.

  • If its validation is crappy, try "); alert("whatever Commented Feb 2, 2016 at 13:52
  • en.wikipedia.org/wiki/Bookmarklet Commented Feb 2, 2016 at 13:53
  • The client is not being weird here, since I don't think the client would have asked you to use location.replace in the first place. Why can't you invoke location.replace conditionally? Commented Feb 2, 2016 at 13:54
  • The code isn't mine and I don't know the workflow and decisions taken when it was first written :( Commented Feb 2, 2016 at 13:56
  • LOL, the only real solution is to inject JavaScript through a "we-are-lucky-this-allows-XSS!" control panel (the first comment here on top)... WOW. Tell the client that this is what happens when you don't have a budget for a web application. Hacks will get you nowhere and this is a maintenance nightmare. Commented Feb 2, 2016 at 13:58

1 Answer

You can prefix your string with javascript:

setTimeout(function(){ window.location.replace("javascript:alert('hello world!')"); }, 900);

This works because the spec for location.replace ends up at the definition for "navigate", which says:

  1. This is the step that attempts to obtain the resource, if necessary. Jump to the first appropriate substep:

...

If the new resource is a URL whose scheme is javascript

Queue a task to run these "javascript: URL" steps, associated with the active document of the browsing context being navigated:
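The answer's point cuts both ways: if an admin-configurable redirect target is handed straight to location.replace, the configuration panel is a stored-XSS sink, because the browser branches on the parsed scheme and runs a javascript: URL in the page's own origin. The following Node script is an added example, not code from the original question or answer. It models that scheme dispatch from the "navigate" algorithm quoted above, and contrasts a naive denylist on the raw string with a parser-based allowlist. BASE is a constructed origin, SAMPLES are constructed inputs, and the function names are the example's own.

```javascript
// Added example (not from the original page). Assumes the page lives at BASE
// (constructed origin) and that the admin-configured value arrives as a string.
const BASE = "https://example.com/app/";

// Model of navigation: the browser parses the value relative to the current
// document and branches on the resulting scheme. A javascript: URL is never
// fetched; its opaque path is executed as script in the *current* document.
function navigate(value, base = BASE) {
  const url = new URL(value, base);
  if (url.protocol === "javascript:") {
    return { action: "run-script", code: url.pathname };
  }
  return { action: "load", href: url.href };
}

// Naive denylist on the raw string. The WHATWG URL parser strips leading and
// trailing whitespace, removes embedded tab/newline characters and lowercases
// the scheme, so inputs that pass this check can still parse as javascript:.
function naiveIsSafe(value) {
  return !value.startsWith("javascript:");
}

// Parser-based allowlist: resolve the value exactly as the browser will, then
// accept only http(s). Returns the normalized href to store, or null to reject.
function sanitizeTarget(value, base = BASE) {
  let url;
  try {
    url = new URL(String(value), base);
  } catch {
    return null;                       // unparsable input, reject
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;                       // javascript:, data:, vbscript:, file:, ...
  }
  return url.href;
}

// Constructed inputs: the answer's trick, three denylist bypasses, and two
// values an administrator could legitimately configure.
const SAMPLES = [
  "javascript:alert('foo')",
  " JavaScript:alert(1)",              // leading space, mixed-case scheme
  "java\tscript:alert(1)",             // embedded tab
  "data:text/html,<script>alert(1)</script>",
  "/account/settings",
  "https://partner.example/landing",
];

// One row per sample: what the browser would do, what the naive check says,
// and what the allowlist would actually store.
function report() {
  return SAMPLES.map((v) => ({
    input: v,
    browser: navigate(v).action,
    naiveIsSafe: naiveIsSafe(v),
    stored: sanitizeTarget(v),
  }));
}

console.table(report());
```

The check belongs on the server side of the configuration panel, where the value is stored, not in the page that consumes it; and if only same-site destinations are ever expected, tightening the allowlist to `url.origin === new URL(base).origin` closes the open-redirect case too.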


1 Comment

This is perfect, really really thanks, also for the information!
