(![]+[])[+[]]... Explain why this works

alert((![]+[])[+[]]+(![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]);

The output of this code is: fail . Why?

By the way, (![]+[])[+!+[]] == 'false'[1] , right?. But why ![]+[] == "false" and why +!+[] == 1 ?


As @Mauricio commented (![]+[])[+[]] is "f" (the first char of "false"), (![]+[])[+!+[]]) is "a", etc...

How does it work?

Let's examine the first character, 'f':

(![]+[])[+[]]; // 'f'

The first part of the expression—between parentheses—is composed by ![]+[] , the first operand of the Addition operator is ![] and it will produce false , because an array object—as any other Object instance—is truthy, and applying the Logical (!) NOT unary operator, it produces the value false , for example.

![]; // false, it was truthy
!{}; // false, it was truthy
!0;  // true, it was falsey
!NaN;  // true, it was falsey

After it, we have the second operand of the addition, an empty Array, [] , this is made just to convert the false value to String, because the string representation of an empty array is just an empty string, is equivalent to:

false+[]; // "false"
false+''; // "false"

The last part, the pair of square brackets after the parentheses, they are the property accessor, and they receive an expression, which is formed by the Unary Plus Operator applied to an empty array again.

What the Unary Plus Operator does is type conversion, to Number , for example:

typeof +"20"; // "number"

One more time, this is applied to an empty Array, and as I said before, the String representation of an Array is an empty string, and when you convert an empty string to Number, it is converted to zero:

+[]; // 0, because
+[].toString(); // 0, because
+""; // 0

Therefore we can "decode" the expression to in some steps:

(![]+[])[+[]];
(false+[])[+[]];
(false+'')[+[]];
(false+'')[0];
('false')[0];  // "f"

Note that accessing characters by using the bracket notation on String values was not part of the ECMAScript 3rd. Edition Specification, (that's why the charAt method existed).

However this kind of "index properties" that represent the characters of a string were standardized on ECMAScript 5, and even before the standardization the feature was available in a good number of browsers (even in IE8 (standards mode)).

链接地址: http://www.djcxy.com/p/8418.html

上一篇: 何时在JavaScript中使用双引号或单引号?

下一篇: (![] + [])[+ []] ...解释为什么这会起作用