If you use a bookmarklet on Facebook and it calls window.alert(), it doesn't quite do what you expect. They've re-defined the entire alert() method - it will pop up a box, but it will also behind the scenes send what you tried to pop up to the server!?! Look at Facebook's alert code (shown in an appropriate setting, of course):
More non-malicious use of function clobbering, though not sure why this is in production code. This example amuses me. In our book Ajax Security we clobber the alert() function as an example and show it in Opera to prove it works on the strictest of browsers. good stuff. Facebook monitors your alert() usage |