In a mobile app of mine, I have a line of js code like document.getElementById('ID_HERE')
I want to replace ID_HERE with some javascript code. The only part I can communicate to the app from my server is ID_HERE.
I am not able to remove the single quotes until I release another update of the mobile app, unfortunately, so I'd like this as a temporary solution if possible.
Can this be accomplished (and how)?
-
maybe you can do a string replaceIbu– Ibu2014年02月07日 01:38:35 +00:00Commented Feb 7, 2014 at 1:38
-
By "some javascript code" do you mean actual code, or a different selector?cgatian– cgatian2014年02月07日 01:41:24 +00:00Commented Feb 7, 2014 at 1:41
-
I'm not sure I understand what you're trying to do. You have a line of JS in the app, you want to change that line? How are you going to run the code that changes the JS?Barmar– Barmar2014年02月07日 01:44:01 +00:00Commented Feb 7, 2014 at 1:44
1 Answer 1
Not sure if I understand your requirements exactly, but perhaps you can do a single-quote injection? That is, replace ID_HERE with
'+(2*3)+'
so this shows up as document.getElementById(''+(2*3)+'').
If this is your situation, then replace 2*3 with any javascript code.
Another option: Replace ID_HERE with:
'+(function() { alert("hi!"); return 'ID_HERE'; })()+'
resulting in
document.getElementById(''+(function() { alert("hi!"); return 'ID_HERE'; })()+'')
Then replace alert with any code, and it still gets the ID_HERE element (or anything else you want to change it to.)