User blog:Raumaankidwai/Indirect Eval: Possible Security Vulnerability in KA

Alright, so I'll sum this up in 5 words: Eval is working in KA! I'll report to Zendesk as soon as I have the time. This is crazy. I'll try to give an explanation, so tell me if it's OK.

So, if you have a function, it can be called using. This is called "Direct Calling". But there's another way to do it. To understand this method, you first need to understand the comma operator. From Wikipedia, "the comma operator (represented by the token ,) is a binary operator that evaluates its first operand and discards the result, and then evaluates the second operand and returns this value (and type)."

For example,  will always return , and   will first evaluate  , returning 1, and then compute   which will return 2. So can you guess what happens when you have a function, and you execute  ? You probably see where I'm going with this, but that's right; you get  again! So... what about ? returns ...

This is Indirect Eval, and as an ES6 feature it doesn't have an associated check! This means we can execute JavaScript inside KA's JavaScript files. If that doesn't hit you, read it again. I might add more later. Bye for now!
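As an added example (not from the original post and not Khan Academy code), the JavaScript below shows the comma operator handing back the same function, the scope difference between a direct and an indirect eval call, and why a filter that only matches the direct-call shape misses the indirect one. The function names, the filter patterns and the sample strings are assumptions constructed for illustration; the post does not describe how KA's check is written.

```javascript
// Added example: every name below is illustrative, not Khan Academy code.

// The comma operator evaluates both operands and yields the second one,
// so (0, f) is the function f itself, obtained as a value rather than by name.
function commaYieldsSameFunction(f) {
  return (0, f) === f;
}

// A direct call `eval(...)` runs in the caller's scope; calling the value
// produced by (0, eval) is an indirect call and runs in the global scope.
function scopeSeenByEval() {
  const localOnly = "visible to direct eval only";
  const direct = eval("typeof localOnly");
  const indirect = (0, eval)("typeof localOnly");
  return { direct, indirect };
}

// Hypothetical filter that looks only for the direct-call shape `eval(`.
function flagsDirectCallOnly(src) {
  return /\beval\s*\(/.test(src);
}

// Conservative filter: blank out comments and quoted strings, then flag any
// remaining `eval` identifier, however it is later invoked.
function flagsAnyEvalReference(src) {
  const code = src.replace(
    /\/\*[\s\S]*?\*\/|\/\/.*|(["'])(?:\\.|(?!\1)[^\\\n])*\1/g, " ");
  return /\beval\b/.test(code);
}

// Constructed sample inputs.
const SAMPLES = {
  direct: 'eval("1 + 1");',
  indirect: '(0, eval)("1 + 1");',
  harmless: 'var evaluate = 3; println("eval is a word"); // eval',
};

// Returns, per sample, [direct-call-only result, any-reference result].
function checkSamples() {
  const out = {};
  for (const [name, src] of Object.entries(SAMPLES)) {
    out[name] = [flagsDirectCallOnly(src), flagsAnyEvalReference(src)];
  }
  return out;
}

console.log(scopeSeenByEval(), checkSamples());
```

The second filter is a token-level sketch; a production checker would walk a parser's syntax tree instead of using regular expressions.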