We will be at OWASP APPSEC EUROPE 2017 - Belfast! Let’s talk!MORE INFO

Help Center

Get to know more about our API, Code Annotations and Code Transformations

String Annotations

Some bundlers and compilers, like the Google Closure Compiler, remove the code’s comments which can be a problem if you use code annotations and want to apply Jscrambler’s transformations after bundling. To avoid this issue you can use Jscrambler’s Annotations as strings instead of code comments.

In order to use String Annotations, simply use the same @jscrambler directives inside a literal expression instead of a comment, in the same way you’d do to enable strict mode.

For instance, the following example using comment annotations:

1
2
// @jscrambler enable regexObfuscation
/\sMSIE\s[6-9]\./test(navigator.userAgent);

Is equivalent to:

1
2
[email protected] enable regexObfuscation';
/\sMSIE\s[6-9]\./test(navigator.userAgent);

Which in turn, would produce something like the following code as a result of having enabled the regexObfuscation transformation on the next block:

1
/[\r​\u2028\u1680​\t\v\u2000-\u200a​\u00a0​\u3000\f\n\u205f\u180e​\u202f\u2029 ]\x4d\x53\x49\u0045[ \u205f​\u202f\u2000-\u200a\f​\u3000\u180e​\u00a0\t\v​\u2028\u2029\r\n\u1680​][96-78]\./.test(navigator.userAgent);

Please be aware that there are some cases where strings as annotations lead to errors or unexpected behavior:
1) Without semicolon (;)
2) Inside the body of ES2015 Classes
3) When mixing comment and string annotation formats

Unexpected Behavior

1. Not Using Semicolons

Not using semicolons in string annotations may cause the string directives to be misinterpreted by our parser which can cause the annotation to be ignored.

2. Usage in ES2015 classes

ES6 classes do not support strings inside the class body. The following code is syntactically invalid.

1
2
3
4
5
6
7
class A {
"@jscrambler enable functionOutlining"; // SyntaxError
a () {
// function body
}
// class body
}

You can still use string annotations in class methods by placing the string annotation at the beginning of function’s body and then wrapping the actual function code in an additional block, like so:

1
2
3
4
5
6
7
8
class A {
a () {
"@jscrambler enable functionOutlining";
{
// your function code
}
}
}

3. When mixing comment and string annotation formats

Annotations in string and comment formats are parsed at different times when a protection is triggered. Mixing code annotations formats may lead to unexpected results since some of them would be parsed sooner than others and act upon different blocks of code.

Annotations like these are correct since they use a consistent format:

1
2
3
"@jscrambler define selfDefending {threshold: 512} as sd1";
[email protected] enable functionOutlining, sd1';
function foo () {}
1
2
3
// @jscrambler define selfDefending {threshold: 512} as sd1
// @jscrambler enable functionOutlining, sd1
function foo () {}

Annotations like these may lead to errors because they contain both comment annotations and string annotations:

1
2
3
4
"@jscrambler define selfDefending {threshold: 512} as sd1";
// @jscrambler enable functionOutlining, sd1
[email protected] target functions';
function foo () {}