Use JScript RuntimeObject to detect global pollution

This is an article about JScriptRuntimeObject (MSDN) debugging. Although most of these examples cannot run in other browsers, they can run in IE 5.5 +.

Leaked GLobal IDEntifier

For example, you accidentally created a global attribute, such:

Function playRugby (players ){
Var items,
I;
Len = items. length; // Global.
}
Function kick (){
Var x = 10
Y = 11; // As I makes y global.
}

When playRugby is called, The Global attribute len is created. If it does not exist, assign the value of items. length to it. Similarly, when kick is called, global attribute y is created.

These global variables are not intentional. They corrupt the encapsulation and leak execution details. This may cause conflicts and tricky dependencies.

To detect these inadvertently created global identifiers, we can use the for in loop global object. The "DOM" tag of Firebug provides this practical global detection.

Unfortunately, in IE, for in cannot enumerate any global variables and function declarations. Take a look at the following example:

// Property of global variable object.
Var excluglobal_variable = 10;
// Property of global object.
This. exdomainglobal_property = 11;
// Property of global variable object.
Function EX1_GLOBAL_FUNCTION (){}
(Function (){
Var results = [];
For (var p in this ){
Results. push (p );
}
Alert ("Leaked: \ n" + results. join ("\ n "));
}) (); // Property of global variable object.
Var excluglobal_variable = 10;
// Property of global object.
This. exdomainglobal_property = 11;
// Property of global variable object.
Function EX1_GLOBAL_FUNCTION (){}
(Function (){
Var results = [];
For (var p in this ){
Results. push (p );
}
Alert ("Leaked: \ n" + results. join ("\ n "));
})();

In IE, The result contains a combination of window attributes and one of the four user-defined attributes: EX1_GLOBAL_PROPERTY.

So what happened to the other three user-defined attributes? Why can't they be displayed in the for in loop.

It turns out that when a global object is enumerated, the assigned Global Object Attributes are enumerated instead of global variables.

Why can't Global attributes be enumerated while global variables. Experience tells us that JScript marks the global variable (declared with var) with DontEnum. Since global objects are defined as global variable objects, this seems to be a reasonable explanation. This is not a standard, but it can explain the behavior in IE. However, Eric Lippert proposes another explanation: the Global object and the global variable object are two different objects in IE.

According to MS-ES3:

The variable Declaration In JScript 5.x creates the Global Object attribute, which has the DontEnum feature.

Enumeration scheme: JScript RuntimeObject

Using the JScript RuntimeObject method to enumerate global attributes is different from enumeration global objects. You will use a normal execution to enumerate an object returned by the global RuntimeObject method.

Var GLOBAL_VAR1,
GLOBAL_VAR2,
GLOBAL_VAR3 = 1;
GLOBAL_PROP1 = 12;
Function GLOBAL_FUNCTION (){}
If (this. RuntimeObject ){
Void function (){
Var ro = RuntimeObject (),
Results = [],
Prop;
For (prop in ro ){
Results. push (prop );
}
Alert ("leaked: \ n" + results. join ("\ n "));
}();
} Var GLOBAL_VAR1,
GLOBAL_VAR2,
GLOBAL_VAR3 = 1;
GLOBAL_PROP1 = 12;
Function GLOBAL_FUNCTION (){}
If (this. RuntimeObject ){
Void function (){
Var ro = RuntimeObject (),
Results = [],
Prop;
For (prop in ro ){
Results. push (prop );
}
Alert ("leaked: \ n" + results. join ("\ n "));
}();
}

Results in IE

In IE8 and other earlier versions, the results include GLOBAL_FUNCTION, GLOBAL_VAR3, and GLOBAL_PROP1 (In addition, window ). Note that GLOBAL_VAR1 and GLOBAL_VAR2 do not include them. It seems that RuntimeObject does not collect any variable that has not been assigned a value. According to Microsoft's documentation, this is not a specified behavior (here are more information ).

Microsoft RuntimeObject document

RuntimeObject is a built-in extension of JScript. JScript defines seven additional built-in Global Methods: ScriptEngine, ScriptEngineBuildVersion, ScriptEngineMajorVersion, ScriptEngineMinorVersion, CollectGarbage, RuntimeObject, and GetObject. These objects are local JScript objects and should not be confused with the Host object.

For RuntimeObject, Microsoft's JScript extension MS-ES3EX statement is as follows:

RuntimeObject is used to find the attributes of a global variable. These attributes with names match the specific pattern. This function only looks for attributes explicitly created by using VariableStatement or FunctionDeclaration in the global object, or attributes implicitly created as identifiers on the left side of the operator. You cannot search for properties explicitly created by accessing a global object.

Rough test results show that Microsoft documents are unreliable.

The returned object does not include all identifiers added to the variable object, but only the identifiers assigned values. It doesn't matter whether they are created through VariableDeclaration or FunctionDeclaration or as a global attribute declaration.

Search for the example of an identifier created through FunctionBindingList

In the FunctionBindingList of JScriptFunction, all identifiers become attributes of the included variable object, such:

Var foo = {}, undef, ro;
(Function () {function foo. bar, baz (){}})();
Ro = RuntimeObject ();
Alert ([ro. foo. bar, "undef" in ro]. join ("\ n"); var foo ={}, undef, ro;
(Function () {function foo. bar, baz (){}})();
Ro = RuntimeObject ();
Alert ([ro. foo. bar, "undef" in ro]. join ("\ n "));

IE elerts

Function foo. bar (){}
False: When JScript is run in the browser except IE, SyntaxError (syntax error) is thrown as scheduled when the FunctionBindingList of JScriptFunction is parsed ). This is expected because it is a syntax extension.

Bookmarks

Javascript :( function () {var ro = RuntimeObject (), r = [], I = 0, p; for (p in ro) {r [I ++] = p;} alert ('leaked: \ n' + r. join ('\ n') ;}) (); JScript syntax Extension
The JScript extension-JScriptFunction was mentioned in the earlier example of "Searching for Identifiers created by FunctionBindingList. This name is not a flaw. It is an extension of the JScript Language. JScriptFunction is as follows:

JScriptFunction: function FunctionBindingList (FormalParameterListopt) {FunctionBody}

RuntimeObject (filterString): The filterString Parameter

The RuntimeObject method accepts an optional filter character to match the identifier. Unfortunately, filterString cannot be converted to a regular expression. Instead, the optional leftWild and rightWild are used for submatching. The default value is "*".

This means that filterString = "a *" will match the identifiers a and a1, not ba.

Conclusion

Aside from the bugs and disadvantages of the document, RuntimeObject provides a useful alternative to solve the problem of enumerating global attributes in JScript. The advantage of RuntimeObject is that it only includes user-defined attributes, except for global window attributes.

The previously mentioned bookmarks provide a simple way to view the global attributes that are inadvertently created on a page (it also indicates that this site is not a shining example of global object Cleansing ).

Other RuntimeObject applications

Leak bookmarks with different browser IDS

Compared with the IE identity leak detection, writing a cross-browser identity leak detection is the next logical step.

Automatic identifier Leakage Detection

The unexpected GLobal IDEntifier detection should be automatic.

The unit Test framework of YUI Test provides hooks for TEST_CASE_BEGIN_EVENT and TEST_CASE_COMPLETE_EVENT. These events are used to detect RuntimeObject and capture leaked identifiers during program code execution.

Check RuntimeObject in TEST_CASE_BEGIN_EVENT and store the result. Check RuntimeObject again in TEST_CASE_COMPLETE_EVENT and compare it with the results stored in TEST_CASE_BEGIN_EVENT. Next, for each attribute that appears in TEST_CASE_COMPLETE_EVENT but does not appear in TEST_CASE_BEGIN_EVENT, a global identifier has been leaked, and a warning for a test case will be recorded.

Reference

[MS-ES3EX]: Microsoft JScript Extensions to the ECMAScript Language Specification Third Edition.
Original address: http://dhtmlkitchen.com /? Category =/Browsers/& date = 2010/04/11/& entry = Detecting-Global-Pollution-with-the-JScript-RuntimeObject

Reprint address: http://www.denisdeng.com /? P = 1043