It's funny that if you open developer tools in facebook.com, you get a nice message about not to copy things into the developer console.<p>Stop!
t78-eatOBZQ.js:172
This is a browser feature intended for developers. If someone told you to copy-paste something here to enable a Facebook feature or "hack" someone's account, it is a scam and will give them access to your Facebook account.
t78-eatOBZQ.js:172
See <a href="https://www.facebook.com/selfxss" rel="nofollow">https://www.facebook.com/selfxss</a> for more information.
Reminds me the old days of mIRC (popular IRC client back then) where you could (and still probably can) run similar scenario using mSL language (<a href="https://en.wikipedia.org/wiki/MIRC_scripting_language" rel="nofollow">https://en.wikipedia.org/wiki/MIRC_scripting_language</a>) directly from the chat input.<p>A script could literally takes control of the computer because mIRC is able to load native code by loading arbitrary DLLs
Out of curiosity, why is it ever a good idea to add a command to execute arbitrary strings in the same space as the user? eval() has been the same source of headaches in javascript over the years.<p>I believe WoW uses it primarily to let the player make macros, which is a legit use, but using something like RunScript to do it seems lazy.
Discussion back when this was posted in 2016: <a href="https://news.ycombinator.com/item?id=12158299" rel="nofollow">https://news.ycombinator.com/item?id=12158299</a>