Published 1 year ago • Last updated May 12, 2025 • ⏱️ < 1 min read
Back in the day, you could use valueOf to access the window object because browsers would fall back to it by default. This behavior was eventually patched in the JavaScript specification - now, the engine returns undefined instead. Here’s what that trick looked like:
(1,[].valueOf)().alert(1)
We used this for all sorts of non-alphanumeric payloads, but that fun ended with the spec change. Still, not all is lost: you can still (ab)use valueOf in event handlers. In that context, valueOf refers to the current HTML node, much like this.
<svg onload=valueOf().ownerDocument.defaultView.alert(1)>
Basically calling valueOf() in the event will be the equivalent of accessing this since the HTML node is an object and valueOf() will return the current object's value and the JS specification doesn't alter this behaviour.