For those curious, the trick works by creating strings (such as "NaN" or "Infinity") and integers, then treating the strings as arrays and selecting out characters. The [], +, ! and () are assembled in sequences that result in these strings/integers (thanks to Javascript's liberal language rules).

Here's a dictionary/more information: <a href="http://sla.ckers.org/forum/read.php?24,33349,33405" rel="nofollow">http://sla.ckers.org/forum/read.php?24,33349,33405</a>
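An added illustration of the coercion rules the comment above describes (this is example code written for this page, not JSFuck's own source or anything from the thread): each constant shows how one of the six symbol characters combines into a boolean, number or string, and the functions then index into those strings to pick single characters, which is the mechanism the comment summarises.

```javascript
// Added example: JavaScript type coercion with only [ ] ( ) ! +

// ![] is false (arrays are truthy); adding [] coerces via "" to a string.
const FALSE_STR = ![] + [];      // "false"
const TRUE_STR  = !![] + [];     // "true"
// [][[]] indexes an array with the key "" and yields undefined.
const UNDEF_STR = [][[]] + [];   // "undefined"
// +[] is +"" which is 0; +[![]] is +"false" which is NaN.
const NAN_STR   = +[![]] + [];   // "NaN"

// Numbers: +[] is 0, !+[] is true, and unary + turns true into 1.
function digitsFromSymbols() {
  const zero = +[];
  const one = +!+[];
  return {
    zero,                  // 0
    one,                   // 1
    two: one + one,        // 2
    ten: one + [zero],     // "10": number + array coerces to string concat
  };
}

// Strings are indexable, so individual letters fall out of the words above.
function charsFromCoercion() {
  const one = +!+[];
  return {
    a: FALSE_STR[one],             // "false"[1]
    d: UNDEF_STR[one + one],       // "undefined"[2]
    e: TRUE_STR[one + one + one],  // "true"[3]
    N: NAN_STR[+[]],               // "NaN"[0]
  };
}

function coercedStrings() {
  return { falseStr: FALSE_STR, trueStr: TRUE_STR, undefStr: UNDEF_STR, nanStr: NAN_STR };
}

module.exports = { digitsFromSymbols, charsFromCoercion, coercedStrings };
```

The takeaway for a reviewer is that none of this relies on letters or digits appearing in the source text, which is why a filter that strips alphanumerics from user-controlled script content gives no protection.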
While this might seem like nothing more than a neat parlor trick, there is an important lesson to take away: NEVER, under ANY circumstances insert untrusted values into your scripts. No amount of white-listing/black-listing/escaping/etc. will protect you.
In the past, this worked on Chrome and Firefox, but now JSF*ck works only on Opera. Sorry, but I have no patience to fix it.

--
Yosuke HASEGAWA / utf-8.jp
Oddly I could not get it to work in Chrome or Firefox, and it managed to crash all my tabs in Chrome.

The other demos seem to work much better though:
<a href="http://utf-8.jp/public/jjencode.html" rel="nofollow">http://utf-8.jp/public/jjencode.html</a>
On Chrome 14 (Linux), when I click "eval" it doesn't show the alert dialog. Even leaving the default text there. It's an interesting concept though, would definitely be good to see an explanation of how it works.