原文:http://stackoverflow.com/questions/7202157/why-is-10
If we split it up, the mess is equal to:
++[[]][+[]]+[+[]]
In JavaScript, it is true that +[] === 0. + converts something into a number, and in this case it will come down to +"" or 0 (see specification details below).
Therefore, we can simplify it (++ has precendence over +):
++[[]][0]+[0]
Because [[]][0] means: get the first element from [[]], it is true that:
[[]][0] returns the inner array ([]). Due to references it's wrong to say [[]][0] === [], but let's call the inner array A to avoid wrong notation.
++[[]][0] == A + 1, since ++ means 'increment by one'.
++[[]][0] === +(A + 1); in other words, it will always be a number (+1 does not necessarily return a number, whereas ++ always does - thanks to Tim Down for pointing this out).
Again, we can simplify the mess into something more legible. Let's substitute [] back for A:
+([]+1)+[0]
In JavaScript, this is true as well: [] + 1 === "1", because [] == "" (joining an empty array), so:
+([] + 1) === +("" + 1), and
+("" + 1) === +("1"), and
+("1") === 1
Let's simplify it even more:
1+[0]
Also, this is true in JavaScript: [0] == "0", because it's joining an array with 1 element. Joining will concatenate the elements separated by ,. With one element, you can deduce that this logic will result in the first element itself.
So, in the end we obtain (number + string = string):
1+"0"==="10"// Yay!
简单的说:
++[[]][+[]]+[+[]]
等于
++[[]][+[]]
+
[+[]]
而 +[] = 0 代入
等于
++[[]][0]
+
[0]
等于
1+[0]
等于"10"
同理
([+[][[]]]+[][[]])[++[[]][+[]]+[+[]]]
等于
“NaNundefined”[10]
等于
"e"
抛砖隐喻,能不能搜集所有的字符集,从而进行xss,躲避常规正则呢。
提供字符转换网站 http://utf-8.jp/public/jsfuck.html
