Bananascript.com
Internet's most efficient JavaScript compression tool




2013-11-10 Great improvements


2008-02-09 jQuery inside a stylesheet?
Yes, it can be done.

I have made an example that demonstrates how malicious javascript can be hidden in not so obvious places. In this (harmless) case, the entire jQuery library, version 1.2.3, has been minified, obfuscated, compressed, encrypted, then compressed some more and finally stored in a stylesheet.
Another javascript file, which is also minified/obfuscated/compressed/encrypted, loads this external stylesheet, decompresses and decrypts it, then injects the resulting javascript into the document.

The example has only been written for IE and FF on Windows XP SP2. Safari and Opera can't run this example. Mozilla based browsers other than FF might work, but I have not tested it.

This example is just a "proof of concept" of an idea I got after reading an article where the author calls packer a security threat. I can't see how a compressed javascript which includes decompression code in clear view could be a security threat. The decompression code itself is very short and does only simple string operations.
If anything would be a security threat, it would be the technique demonstrated here. Stylesheets are mostly seen as 100% harmless but can contain just about any malicious javascript code. Encrypting and compressing it without any visible decompression code anywhere and without a single recognizable character in the stylesheet, how would anyone know that something bad is hiding inside?

A couple of notes:
If the example hangs on "Loading stylesheet", reload and try again. There seems to be a timing error sometimes.
The original jQuery 1.2.3 file is 96763 bytes. Reduced here to 19845 bytes by combining my own compressor and Dean Edwards' packer.
If you want to have a look at the stylesheet, then it's right here.


And again, the example is here.
Comments: 1
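
One way a defender could answer the question the post ends on, as an added example that is not part of the original post or the site's code: check whether a file served as a stylesheet is actually made of CSS rules, and how random its characters are. The function names, thresholds and both sample inputs are assumptions constructed for illustration.

```javascript
// Added example: does a file served as CSS actually look like CSS?
// All names and thresholds are assumptions chosen for illustration.
const MIN_CSS_COVERAGE = 0.5; // below this, most of the file is not CSS rules
const MAX_ENTROPY = 6.0;      // bits per character; ordinary CSS sits well below

// Shannon entropy of the text, in bits per character.
function shannonEntropy(text) {
  const chars = Array.from(text);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) bits -= (n / chars.length) * Math.log2(n / chars.length);
  return bits;
}

// Fraction of the file made of flat "selector { prop: value; ... }" rules.
// Heuristic only: nested at-rules and values containing ";" lower the score.
function cssCoverage(text) {
  const css = text.replace(/\/\*[\s\S]*?\*\//g, "").trim(); // drop comments
  if (css.length === 0) return 1;
  const declaration = /^\s*[-\w]+\s*:\s*\S.*$/s;
  let covered = 0;
  for (const chunk of css.split("}")) {
    const open = chunk.indexOf("{");
    if (open === -1 || chunk.slice(0, open).trim() === "") continue; // no selector
    const body = chunk.slice(open + 1);
    if (body.includes("{")) continue;                                // nested block
    const decls = body.split(";").filter((d) => d.trim() !== "");
    if (decls.every((d) => declaration.test(d))) covered += chunk.length + 1;
  }
  return Math.min(1, covered / css.length);
}

function inspectStylesheet(text) {
  const entropy = shannonEntropy(text);
  const coverage = cssCoverage(text);
  return { entropy, coverage, suspicious: coverage < MIN_CSS_COVERAGE || entropy > MAX_ENTROPY };
}

// Constructed sample: an ordinary stylesheet.
const SAMPLE_CSS = `/* constructed sample */
body { margin: 0; font-family: Arial, sans-serif; }
#nav a:hover { color: #c00; text-decoration: underline }`;
// Constructed sample: 950 Latin-1 characters with no CSS syntax, standing in
// for a stylesheet that carries an encoded payload instead of rules.
const SAMPLE_BLOB = Array.from({ length: 950 }, (_, i) =>
  String.fromCharCode(0xa1 + ((i * 37) % 95))).join("");

console.log(inspectStylesheet(SAMPLE_CSS), inspectStylesheet(SAMPLE_BLOB));
```

Neither signal is proof on its own: heavily minified CSS with embedded data URIs can score high on entropy, so a flagged file is a candidate for manual review rather than a verdict.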


2007-08-02 Progress
More than 2000 files have been compressed here on this site and since the latest version was released I have not received a single bug report. That has given me some time to try some new things for the next version.

As several users have pointed out, it is possible to "double compress" files (compress first with Dean Edwards' packer and then with this one) to achieve even better compression.
Of course, the downside of doing this is that the decompression will be slightly slower.

Nevertheless, I've been experimenting with a packer version that combines Dean's ideas with mine to get the best compression results possible and I now have a version that compresses Prototype 1.5.1 to about 23kB.
That's about 23% of its original size and an improvement by roughly 6% compared to the version here on this site. Pretty impressive if you ask me.

I also discovered that it is possible to improve how the base62 encoding is performed for better results. By properly sorting alphanumeric strings before base62 encoding and by only encoding strings when there are bytes to be saved by the encoding, you can improve compression by 1.5kB - 2kB on a file like Prototype 1.5.1.

So far this new version is only an early test and will probably need lots of modifications and bugfixes before it's ready for release, but it sure looks promising.
Comments: 3


2007-07-24 Testers needed


2007-07-01 Stat calculations adjusted


2007-05-23 Compressor updated
Last evening came the release of the new version of my compressor. Priorities for what would be in this version have changed a bit during the past months. Almost all focus has been on bug fixing and stability improvements and less focus has been on adding new features.
The only new feature in this version is support for MSIE conditional comments, something that I did not even know existed in javascript before I read this blog post on the subject, written by my "competitor" Dean Edwards.
Lots of code has been rewritten and lots of tests have been performed in various browsers on different platforms. Having tested this version on a large number of files and not encountering a single one that failed after compression, I think I can now start focusing on adding new features for the next version.
As with previous versions, no special preformatting of your scripts is needed to have them work after compression. Use semicolon or don't. It does not matter. The only requirement is, as with previous versions, that you use iso-8859-1.
Comments: 0


2007-05-19 Sweet16 hex editor released


2007-04-28 New version on the way


2007-01-31 Two important fixes


2007-01-05 New site


2006-12-30 Optimized compression and decompression routines


2006-12-23 Bugfix and security update


2006-00-00 Various updates




Statistics:
Average compression: 76.1%
Highest compression: 100.0%
Files compressed: 95804
Bytes uploaded: 3886357074
Bytes removed: 2958471581