Redefining builtin functions

JavaScript is an amazing language.  I love it.  But there's problems too! =)
In JS one can redefine builtin functions.  In short, demonstrated in this page:

<html>
<head>
<script>
prompt=function(){alert("You cannot use prompt!");}
</script>
</head>
<body>
<a href="javascript:prompt('What is the secret?');">Ask</a>
</body>
</html>

This affects me because I've written a password generator bookmarklet that I'm quite proud of.  But it has the distinct security vulnerability that any site you visit can redefine the prompt command and steal your master input.

Is there a way in JS to detect when a function has been redefined like this?  Is there a way to call the standard builtin function either way?  Any other information that might affect my problem?
arantiusAsked:

GwynforWebCommented:
<html>
<head>
<script>
 otherPrompt=prompt
 prompt=function(){alert("You cannot use prompt!");}
</script>
</head>
<body>
 <a href="javascript:otherPrompt('What is the secret?');">Ask</a>
</body>
</html>
0
devicCommented:
here is my example:
====================
<html>
<head>
<script>
window.prompt=function(){alert("You cannot use prompt!");}

document.onclick=function ()
{
      if(!(prompt+"").match(/\[native code\]/))
      {
            alert("alaram, we have a situation here!")
            return false;
      }
      return true;
}
</script>
</head>
<body>
<a href="javascript:prompt('What is the secret?','');">Ask</a>

</body>
</html>
0
Oliver_DornaufCommented:
Should secret code (password generator) be executed in an untrusted environment (internet zone)???
0
arantiusAuthor Commented:
The password generator is a bookmarklet as I mentioned briefly in my original post.  It is trusted, but the sites that you visit which it operates on are not necessarily trusted.
It's here, for reference:  http://www.arantius.com/article/arantius/password+maker+bookmarklet/

In theory, any site you are currently viewing could redefine the prompt method and thus steal the master password.  Which would be bad =)

Gwyn: That won't work in a bookmarklet type of environment.
devic: Interesting, I'm checking that out.
0
arantiusAuthor Commented:
devic:  Very close but not quite.

<html>
<head>
<script>
window.prompt=function(){fakeout="[native code]";alert("You cannot use prompt!");}

document.onclick=function ()
{
     if(!(prompt+"").match(/\[native code\]/))
     {
          alert("alaram, we have a situation here!")
          return false;
     }
     return true;
}
</script>
</head>
<body>
<a href="javascript:prompt('What is the secret?','');">Ask</a>

<a href="javascript:alert( prompt.toString() );">Test</a>

</body>
</html>


Yes, this is a very difficult challenge!
0
devicCommented:
document.onclick=function ()
{
      if((prompt+"").length!=41)
      {
            alert("alaram, we have a situation here!")
            return false;
      }
      return true;
}
0
arantiusAuthor Commented:
Well then it wouldn't be hard to redefine it to contain exactly the right number of characters, and just call an external function!
I suppose the only way is to really check for the entirety of the original content that evaluates to "[native code]" either checking the length as well, or the whole 3 lines of it.
0
devicCommented:
arantius, try again

document.onclick=function ()
{
      var p=prompt+"";
      if(p.length!=41 || p.substr(25,13)!="[native code]")
      {
            alert("alaram, we have a situation here!");
            return false;
      }
      return true;
}
0
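
The checks proposed so far in this thread, collected and run against constructed replacement functions. This is an added example, not code from any participant; `NATIVE_TEXT` is an assumption reconstructed to agree with devic's constants 41 and 25, and the candidate functions and the names `other` and `f` are hypothetical.

```javascript
// ASSUMPTION: the text a native prompt stringified to in the browsers the
// thread discusses, chosen so that length is 41 and the marker starts at 25.
const NATIVE_TEXT = "\nfunction prompt() {\n    [native code]\n}\n";
const MARKER = "[native code]";

// Each check takes the stringified function and returns true for "looks native".
const checks = {
  regex: (t) => /\[native code\]/.test(t),                  // devic, first post
  length: (t) => t.length === 41,                           // devic, second post
  lengthAndOffset: (t) => t.length === 41 && t.slice(25, 38) === MARKER, // third
  wholeString: (t) => t === NATIVE_TEXT,                    // arantius: compare all of it
};

// Constructed stand-ins for a page-defined prompt. `other` and `f` are
// hypothetical external functions and are never called here.
const candidates = {
  plain: function prompt() { other(); },
  withLiteral: function prompt() { var fakeout = "[native code]"; other(); },
  // Exactly 41 characters, with the marker inside a comment at offset 25.
  padded: function prompt(){f();/* [native code]*/},
};

// Apply every check to one function (or reference string).
function evaluate(fnOrText) {
  const text = fnOrText + ""; // same coercion as (prompt+"") in the thread
  const verdict = {};
  for (const [name, check] of Object.entries(checks)) {
    verdict[name] = check(text);
  }
  return verdict;
}

// Build the full table: the reference text first, then each candidate.
function report() {
  const rows = { native: evaluate(NATIVE_TEXT) };
  for (const [name, fn] of Object.entries(candidates)) {
    rows[name] = evaluate(fn);
  }
  return rows;
}

console.table(report());
```

Only the whole-string comparison rejects all three candidates, and its reference text is specific to one browser's formatting.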

GwynforWebCommented:
try this

document.body.innerHTML+='<iframe name=i1></iframe>';
prompt=i1.prompt;
0
arantiusAuthor Commented:
Ah yes devic, much closer to perfect.  And sneaky Gwyn, I like it!

These are sufficient answers for me.  I'm going to split the points because it's impossible to choose between those two solutions.
0
devicCommented:
yep, I like Gwyn's idea too :)
0
GwynforWebCommented:
thx for the points, :)
(make the iframe height and width 0 of course),
0
arantiusAuthor Commented:
For a little trivia, I've worked myself to this point.
I'd love one to work but it doesn't (might work with a little tweaking).  Three matches Gwyn's actual suggestion but works in IE only.  Two works in Firefox and IE.


<html>
<head>
<script>
function foo1() {
      i=document.createElement("iframe");
      document.body.appendChild(i);
      i.prompt("Yes?");
}
function foo2() {
      document.body.innerHTML+='<iframe name="i1" height="0" width="0"></iframe>';
      i1.prompt("Yes?");
}
function foo3() {
      document.body.innerHTML+='<iframe name="i1" height="0" width="0"></iframe>';
      prompt=i1.prompt;      
      prompt("Yes?");
}
window.prompt=function(){alert("hahah!");};
</script>
</head>

<body>
<button onclick="javascript:foo1();">Foo1</button>
<button onclick="javascript:foo2();">Foo2</button>
<button onclick="javascript:foo3();">Foo3</button>
<br>
</body>
</html>
0
devicCommented:
hi arantius, check this:
==================
<html>
<head>
<script>
function myprompt(str)
{
      var sp=document.createElement("span");
      sp.innerHTML="<iframe name=sembel_NET style=display:none></iframe>"
      document.body.appendChild(sp);
      return window.frames["sembel_NET"].prompt(str,";)");
}
window.prompt=function(){alert("hahah!");};
</script>
</head>

<body>
<button onclick="alert(myprompt('Yes?'));">Foo1</button>
</body>
</html>
0
Question has a verified solution.