Embarrassed that their code works in IE.



  • This is from the Javascript of some forum software.  Try as I might, I can't think of a reason for this bit of code:

    this.handler = eval("new A" + "ctiv" + "eX" + "Ob" + "ject('Micr" + "osoft.XM" + "LHTTP');");



  • [quote user="Cap'n Steve"]This is from the Javascript of some forum software.  Try as I might, I can't think of a reason for this bit of code:

    this.handler = eval("new A" + "ctiv" + "eX" + "Ob" + "ject('Micr" + "osoft.XM" + "LHTTP');");
    [/quote]


    To prevent automatic filters from noticing that the code will only work on Windows, even if you tell the browser to pretend it's IE? (Although why that would be a good thing I don't know. Presumably you want people to be able to tell in advance if the page isn't going to work in their browser, before they start spending a lot of time on filling in forms and so forth...)



  • Seems like suspicious behaviour to me. Doing it like that in the hope of getting around filters or suchlike that are looking for ActiveX controls for security reasons. I wouldn't touch it with a 10 foot punt pole. The ActiveX object in question is probably malware of some sort.



  • The ActiveX object Microsoft.XMLHTTP is actually a pretty standard way of connecting back to the server from JScript/ASP/whatever... I know because I'm struggling to reproduce its functionality on a WinCE platform that doesn't seem to have it.

    Now, the script which calls it could certainly be using its powers for evil.



  • Likely, it's to get around client-side filters.

    Not that this is necessarily for evil.  A few months ago we had a client of ours who was wondering why our site wasn't working for them.  We asked if they were using any sort of firewall, etc., and they said no; turns out, unsurprisingly, that they were.  Their particular firewall of choice had blocked the download of a Javascript file of ours named popup.js.  Changing the name of the file (but none of its contents) worked just fine.



  • That would make some sense.  I'm hoping these filters look for ActiveX in general and not AJAX.



  • I did something like this to get around filters at Xanga.com. They allow JavaScript, but try to limit what it can do. Obviously they fail miserably.
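
What a content filter has to do to see through the concatenation discussed in this thread, as an added example that is not part of any post or of the forum software: fold adjacent string literals before matching signatures. The signature list and the names `foldConcats` and `scan` are assumptions made for illustration.

```javascript
// Added example. Signatures a filter might look for (assumed list).
const SIGNATURES = [/ActiveXObject/, /Microsoft\.XMLHTTP/i];

// Two string literals joined by "+": groups are quote1, body1, quote2, body2.
const PAIR =
  /(["'])((?:\\.|(?!\1)[^\\\n])*)\1\s*\+\s*(["'])((?:\\.|(?!\3)[^\\\n])*)\3/;

// Repeatedly merge "a" + "b" into "ab" until nothing changes.
// The result is text for matching, not necessarily code to execute.
// Limitation: only literal + literal is folded; values built from
// variables, arrays or character codes need a real parser or emulation.
function foldConcats(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(PAIR, (_, q1, a, q2, b) => {
      // If the quote styles differ, escape bare q1 characters in body2
      // so the merged literal still ends where it should.
      if (q2 !== q1) {
        b = b.replace(/\\.|["']/g, (m) => (m === q1 ? "\\" + m : m));
      }
      return q1 + a + b + q1;
    });
  } while (src !== prev);
  return src;
}

// Report which signatures match the raw text and which match after folding.
function scan(src) {
  const hits = (text) => SIGNATURES.filter((re) => re.test(text)).map(String);
  return { raw: hits(src), folded: hits(foldConcats(src)) };
}

// The line quoted in the first post of this thread.
const sample = `this.handler = eval("new A" + "ctiv" + "eX" + "Ob" + "ject('Micr" + "osoft.XM" + "LHTTP');");`;

console.log(foldConcats(sample));
console.log(scan(sample));
```

A filter that matches only the raw text reports nothing for this line; both signatures match once the literals are folded.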

