Wednesday, March 31st, 2010

jQuery one-line plugin to crash IE6

Category: Browsers, JavaScript

Malicious code that targets browsers has quite some history and it gets bizarre when you see just how easy it can be to crash a certain browser. If you remember, an input type of “crash” used to kill IE6. Now there is an interesting one line jQuery plugin to crash IE6 available:


  1. /**
  2.  * jQuery Crash (
  3.  * A jQuery plugin to crash IE6.
  4.  *
  5.  * v0.0.2 - 5 March 2010
  6.  *
  7.  * Copyright (c) 2009 Chad Smith (
  8.  * Dual licensed under the MIT and GPL licenses.
  9.  *
  10.  *
  11.  *
  12.  * Use $.crash();
  13.  *
  14.  **/
  15. ;jQuery.crash=function(x){for(x in;};

Any ideas why this works?

Posted by Chris Heilmann at 9:23 am

3.5 rating from 28 votes


Comments feed TrackBack URI

Is that under GPL2 or GPL3 license?

Comment by BenGerrissen — March 31, 2010

I don’t know why it works, but I know that you can’t just do

function(x){for(x in;}();

So it must come from something in the way jQuery constructs its plugins.

Comment by Skilldrick — March 31, 2010

@Skilldrick, That’s not jQuery, that’s javascript.

Try: (function(x){for(x in;})();

Comment by Jadet — March 31, 2010

translates to ->
for(undefined in;

Comment by BenGerrissen — March 31, 2010

@jadet that would just declare the function in a scope, the function it self will not run there as it would in @skilldricks example

if @skilldricks code doesnt work you should be able to do this in ie6:

var $ = {};
$.crash = function(x){for(x in;}

This cant have anything to do with jQuery because $.crash = is just a regular assignment.

Comment by andriijas — March 31, 2010

@andriijas, You are wrong. Mine will run because of the scope. The reason Skilldrick’s won’t run is because you can’t call a function like that.

Comment by Jadet — March 31, 2010

@jadet ye you are right. Afternoon-tiredness… But @BenGerrissen already pointed out the why’s… Does it still crash if you do (function(x){for(x in;})([]); ?

Comment by andriijas — March 31, 2010

Just a hunch, but is it something to do with the initial semi-colon usage and IE6’s JS parser?

Comment by ckorhonen — March 31, 2010

$.crash() is definatly unrelated to jquery, you could stick that method on dojo and call it the ‘dojo crash dijit’ if you like.
But still wondering, is that code released under GPL2 or GPL3 =P

Comment by BenGerrissen — March 31, 2010

I don’t care why it works. This is the best IE6 compatibility fix ever.

Comment by bugme — March 31, 2010

Now this is the kind of awesome information that keeps me coming back to this site. Booyah!

Comment by NerdInACan — March 31, 2010

Isn’t it more respectable to tell the user they need to install chromeframe?

I mean if they are on IE6 it’s either because their employer is forcing them to, or they are completely PC ignorant. If you have a good site they want to see and insist that chromeframe is the only way to see it, they might just install it and you are helping them.

Otherwise they might just assume your site is simply badly designed and ignore it even after they finally install another browser.

Comment by ck2 — March 31, 2010

Because it’s trying to loop over undefined objects? Why would this not just return NULL (i.e. loop 0 times)?

Comment by axoplasm — March 31, 2010

seems for(x in alert); can do as this for(x in alert);

Comment by caii — March 31, 2010

@BenGerrissen you are wrong, it is absolutely not equivalent to
for(undefined in ), as for in introduces new scope. And

function(){for(x in;}

“works” as well

Comment by monoid — April 1, 2010

BenGerrissen is sort of correct that it is equivalent to for (undefined in, although not, I suspect, for the reason he thought. undefined is simply a property of the global object and may be overwritten. Try the following in Firebug/console of your choice: for (undefined in window) {console.log( undefined, window[undefined]); }. The crash happens somewhere in the mechanics of the attempt to iterate (an iteration which is defined in the ECMAScript spec as implementation specific) over the properties of the host method Finally, a for … in loop does not introduce a new scope, contrary to monoid’s assertion.

Comment by timdown — April 1, 2010

If anyone from Google is listening, please do the rest of us a favor and sneak this snippet of code into the Google Analytics JavaScript. kthxbye.

Comment by tlrobinson — April 1, 2010

Hah, nice – similar to my WinXP crasher that was 5 lines I released a few years ago ( Although it doesn’t work now, that bug did get fixed

Comment by digitalspaghetti — April 2, 2010

An awful lot of disinformation here.

1. It has nothing to do with scope. Zero, zip, nada, nothing.
2. It has nothing to do with jQuery. Nothing whatever.
3. It has nothing to do with x being undefined.

For the record, the following are virtually identical:

var o = (function(x){for (x in})();

var o = function(x){for (x in}();

and both crash IE 6.0.2800.1106. You can also do it with:

function crash (){
for (var x in document.getElementById) {}

The cause appears to be a bug in JScript. The algorithm of (Section 12.6.4 of the ECMAScript Language spec) requires that the value of x is set to each enumerable property of the object in turn. It is likely that it is this attempt to get the enumerable properties of certain host methods that causes the crash (probably when attempting to call the object’s internal [[get]] method).

For example, it “works” with the following also:

function crash (){
var el = document.createElement(‘div’);
for (var x in el.getElementsByTagName) {}

It also “works” with getAttribute, setAttribute, and so on. Just about every host method I tried “worked”.

In ECMAScript, all built-in and native methods are functions and are therefore objects and so *must* implement [[get]] per the specification. However, host objects are not required to implement [[get]] at all and therefore may not act as expected when used in a statement.

All the same, IE 6 should not crash. It should just not attempt to call [[get]] for those properties or on those host methods that don’t support it. In any case, it seems it’s fixed in later versions.


Comment by RobG — April 4, 2010

Leave a comment

You must be logged in to post a comment.