Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Google+ Github Stackoverflow MLA CORE Institutional Repo Hypothes.is ORCID ID   ORCID iD

Email Updates

Whilst working on the next release of .NETIDS I came across some interesting info about the parsing of numbers within JavaScript - information that is of particular relevance when it comes to filtering against String.fromCharCode injection attempts. The first item of interest is that JavaScript will parse hexadecimal in the form 0xYY even when not enclosed in quotes (ie. as a string), so this can be used in fromCharCode.

The second interesting issue concerns the following 2 statements:

alert(String.fromCharCode(101));

alert(String.fromCharCode(0101));

When I was writing the parser my maths engine originally assumed that 0101 was equivalent to 101, but in JavaScript this is NOT the case. In JS, a preceding 0 indicates that the number is octal - hence the difference in outcome between the 2 statements.

The table at http://www.jibbering.com/faq/faq_notes/type_convert.html sums up JS' internal handling of number formats.