IE – Disable JavaScript execution from console

In the last post, I mentioned how to disable JavaScript execution from Chrome Developer Tools; now we’ll take a close look at how to achieve the same for the IE Developer Toolbar.

Before getting into how to disable it, let’s understand what goes on under the hood when you type JS code into the console (that is, how the console interprets it and executes it in the web application environment). Let’s assume that you are trying to execute the following code snippet in the console:

	var z = parseInt( '123', 10 );

How IE’s console shows it:

IE - Console Messages

When you type the above statement into IE’s console, it translates it into full-blown script statements and executes them as

document.__IE_DEVTOOLBAR_CONSOLE_EVAL_RESULT = undefined;
document.__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR = false;
try{
    document.__IE_DEVTOOLBAR_CONSOLE_EVAL_RESULT = eval( "var z = parseInt( '123', 10 );" );
}
catch(__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR){
    document.__IE_DEVTOOLBAR_CONSOLE_EVAL_RESULT =__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR.message;
    document.__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR = true;
}

Notice line 4, where the code that was typed in is passed verbatim as the parameter to the eval function in the web application environment.

At this point, you could say: aha, let me override the eval function and discard any string that is passed from the console. Simple, isn’t it? But wait, you could do so only if you are sure that eval is not being used in your application code. If it is, how would you tell whether it is being executed from the console or from the application code? (Phew, don’t remind me of arguments.callee and all!) That is exactly what we are going to solve now.

Now, let’s revisit the code snippet generated by IE’s console. Notice that it sets the property “__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR” on the document object to false before executing the script and resets it to true if there is an exception.

With the above knowledge, here is what we can do:

• Create a watch property on “__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR” to know when its value is being set to true/false.

• Set the watch property to true when the “__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR” property is set to false, indicating that the next call to eval is definitely from the console.

• Override the eval function. Check whether the watched property is true and, if so, throw an exception, which will be caught by the code injected from the console. The catch handler resets “__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR” and, accordingly, our watch property. With this, we can be sure that any call to eval from our application code will be honored.

Now is the time to see the real code which I added to have the same functionality

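(function(){
    var _eval     = eval,   // keep a reference to the native eval
        evalError = document.__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR,
        flag      = false;  // true while the next eval call is expected to come from the console

    // Watch the property that the console wrapper writes before and after its eval call.
    Object.defineProperty( document, "__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR", {
        get : function(){
            return evalError;
        },
        set : function(v){
            flag = !v;      // false (console is about to eval) arms the flag; true (catch handler) clears it
            evalError = v;
        }
    });

    // Calling eval through _eval is an indirect eval, so application code is evaluated in global scope.
    eval = function(){
        if( flag ){
            throw "";       // caught by the try/catch in the console's wrapper
        }
        return _eval.apply( this, arguments );
    };
})();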

After adding the code, let’s see what IE’s console does –

IE - Console Disabled
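The guard's logic can be exercised outside IE. The following is an added example, not code from the original post: `doc` and `env` are constructed stand-ins for `document` and the page's global scope, and `consoleRun` reproduces the wrapper shown earlier. It also shows a failure mode: a write of `false` that is not followed by a console eval leaves the guard armed, so the application's next eval call is rejected.

```javascript
// Added example: `doc` and `env` are constructed stand-ins for `document`
// and the page's global scope, so the guard's logic runs outside IE.
function installConsoleGuard(doc, env) {
  const realEval = env.eval;   // called through a reference: indirect eval, global scope
  let evalError = doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR;
  let armed = false;           // true => the next eval is assumed to come from the console
  Object.defineProperty(doc, "__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR", {
    get() { return evalError; },
    set(v) { armed = !v; evalError = v; }
  });
  env.eval = function (src) {
    if (armed) throw new Error("eval blocked");
    return realEval(src);
  };
}

// The wrapper the console generates around typed-in code, as shown in the post.
function consoleRun(doc, env, src) {
  doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_RESULT = undefined;
  doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR = false;
  try {
    doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_RESULT = env.eval(src);
  } catch (err) {
    doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_RESULT = err.message;
    doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR = true;
  }
  return doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_RESULT;
}

function demo() {
  const doc = {}, env = { eval: globalThis.eval };
  const out = {};
  out.unguarded = consoleRun(doc, env, "parseInt('123', 10) + 1");
  installConsoleGuard(doc, env);
  out.guarded = consoleRun(doc, env, "parseInt('123', 10) + 1");
  out.appEval = env.eval("6 * 7");   // application call after the console attempt
  // Failure mode: anything that writes `false` without a following console
  // eval leaves the guard armed, so the application's next eval is rejected.
  doc.__IE_DEVTOOLBAR_CONSOLE_EVAL_ERROR = false;
  try { env.eval("1"); out.stale = "allowed"; } catch (err) { out.stale = err.message; }
  return out;
}

console.log(demo());
```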

Stay tuned for next post where I am going to describe how to handle it for Firebug console in Firefox. Don’t forget to leave comments if you have any.

List Only Hidden Files

If you are working on a Unix-based system (for any reason), you know that you will need the “ls” command more often than not. No one would disagree that “ls” is one of the most widely used commands in any Unix-based system.

However, one of the things which surprised me is the lack of an option for “ls” which would list *only* hidden files (or directories). Obviously I am not interested in getting a result which includes the famous “.” and “..” (current and parent directory respectively).

When trying with the option “a”

ls -a
./      ../     .data   .dump/  src     test

As expected, the list included all the files present in the directory (including hidden files as well). However as I was interested only in getting the name of hidden files, I executed

ls -a .*
.data

.:
./      ../     .data   .dump/  src     test

..:
./                                ../                               test/

.dump:
./       ../      dump.1   dump.2

Ouch! Because of the “.*” for the file name, it traversed the directories present and hence the above result. So let’s ask “ls” not to traverse the directories present and just list the names

ls -ad .*
./      ../     .data   .dump/

Ok. Still the result includes “.” and “..” which I did not want. My attempt also included

ls -a | grep "^\."
./
../
.data
.dump/

At the end, I realized there is an option with “ls” which directs it to ignore “.” and “..” while listing and finally,

ls -A |  grep "^\."
.data
.dump/

However, I still wonder why there is no direct option with “ls” which lists only the names of hidden files (excluding “.” and “..”). Probably because “.” and “..” are also considered hidden, and hence the output.