Brunner Adam wrote:
Hello!
Hi. Does anyone know how to call a function from a url like
http://www.XYZ.com/page.html#FUNCTION
Here's what you can try (untested):
try {
    var functionNameFromHash = location.hash.replace('#', '');
    eval(functionNameFromHash + '()');
} catch(e) {
    // fail silently
}
I can't think of another way than using eval here, one of the rare
cases. And I recommend using try/catch here, who knows what's in the
URL's hash which isn't allowed in a function name.
And Welcome XSS! :)
I think this is not the best way.
I would do something like:
switch(location.hash) {
    case '#option1': //dosomething
        break;
    case '#option2': //dosomethingelse
        break;
    default:
}
So you can ignore user attacks.
Adam
Oh well. That's right, eval in this case especially is not the way to go!
I'm sorry for proposing that at all.
Is the other approach flawed as well?
window[...]();
An attacker could only call functions that are part of the global scope.
Unless he finds a way to inject own JavaScript into the page...
-- Klaus
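
Added example, not part of the thread: the switch idea generalized to an allowlist table, so the fragment is only ever used as a lookup key and never evaluated or resolved against the global object. The handler names (showHelp, showContact) and the dispatchFromHash helper are hypothetical.

```javascript
// Allowlist of functions that may be triggered from the URL fragment.
// Names and bodies are hypothetical placeholders.
const handlers = new Map([
  ['showHelp', () => 'help shown'],
  ['showContact', () => 'contact shown'],
]);

// Looks the fragment up in the table and calls the match with no arguments.
// The fragment is treated as data only; nothing is passed to eval or window[...].
function dispatchFromHash(hash, table) {
  if (typeof hash !== 'string' || hash.charAt(0) !== '#') {
    return { called: false, reason: 'no fragment' };
  }
  let name;
  try {
    // Browsers may leave the fragment percent-encoded; bad sequences throw.
    name = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return { called: false, reason: 'malformed encoding' };
  }
  // Map.get only finds keys that were registered. A plain object lookup
  // would also resolve inherited names such as "constructor" or "toString".
  const fn = table.get(name);
  if (typeof fn !== 'function') {
    return { called: false, reason: 'not allowlisted' };
  }
  return { called: true, name, result: fn() };
}

// Constructed sample fragments: one allowed, the rest must be rejected.
const samples = ['#showHelp', '#constructor', '#alert(1)', '#%E0%A4%A', ''];
for (const h of samples) {
  console.log(JSON.stringify(h), dispatchFromHash(h, handlers));
}
```

In a page, call dispatchFromHash(location.hash, handlers) on load and from a hashchange listener.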