如果你试图沙盒javascript代码，并禁用所有可能的方法来求值字符串到javascript代码中，要注意阻塞所有明显的eval/document。Function/setTimeout/setInterval/innerHTML和其他DOM操作是不够的。

给定任何对象o, o.constructor.constructor("alert('hi')")()将弹出一个警告对话框，其中包含单词"hi"。

可以写成

var Z="constructor";
Z[Z][Z]("alert('hi')")();

有趣的东西。

JavaScript没有块作用域(但它有闭包，所以让我们称它为偶数?)

var x = 1;
{
   var x = 2;
}
alert(x); // outputs 2

语法糖:内联for循环闭包

var i;

for (i = 0; i < 10; i++) (function ()
{
    // do something with i
}());

几乎打破了Douglas Crockford的所有代码惯例，但我认为它看起来很漂亮，从未减少:)

选择:

var i;

for (i = 0; i < 10; i++) (function (j)
{
    // do something with j
}(i));

您可以动态地重新定义运行时环境的大部分内容，例如修改Array构造函数或定义undefined。并不是说你应该这样做，但它可以是一个强大的功能。

一种稍微不那么危险的形式是向现有对象添加helper方法。例如，你可以让IE6在数组上“原生”支持indexOf。

下面是一些有趣的事情:

Comparing NaN with anything (even NaN) is always false, that includes ==, < and >. NaN Stands for Not a Number but if you ask for the type it actually returns a number. Array.sort can take a comparator function and is called by a quicksort-like driver (depends on implementation). Regular expression "constants" can maintain state, like the last thing they matched. Some versions of JavaScript allow you to access $0, $1, $2 members on a regex. null is unlike anything else. It is neither an object, a boolean, a number, a string, nor undefined. It's a bit like an "alternate" undefined. (Note: typeof null == "object") In the outermost context, this yields the otherwise unnameable [Global] object. Declaring a variable with var, instead of just relying on automatic declaration of the variable gives the runtime a real chance of optimizing access to that variable The with construct will destroy such optimzations Variable names can contain Unicode characters. JavaScript regular expressions are not actually regular. They are based on Perl's regexs, and it is possible to construct expressions with lookaheads that take a very, very long time to evaluate. Blocks can be labeled and used as the targets of break. Loops can be labeled and used as the target of continue. Arrays are not sparse. Setting the 1000th element of an otherwise empty array should fill it with undefined. (depends on implementation) if (new Boolean(false)) {...} will execute the {...} block Javascript's regular expression engine's are implementation specific: e.g. it is possible to write "non-portable" regular expressions.

[更新了一点，以回应良好的评论;请参阅评论]

有些人会说这是品味问题，但是:

aWizz = wizz || "default";
// same as: if (wizz) { aWizz = wizz; } else { aWizz = "default"; }

三元操作符可以被链接到Scheme的(cond…):

(cond (predicate  (action  ...))
      (predicate2 (action2 ...))
      (#t         default ))

可以写成……

predicate  ? action( ... ) :
predicate2 ? action2( ... ) :
             default;

这是非常“实用的”，因为它可以在没有副作用的情况下对代码进行分支。所以不要:

if (predicate) {
  foo = "one";
} else if (predicate2) {
  foo = "two";
} else {
  foo = "default";
}

你可以这样写:

foo = predicate  ? "one" :
      predicate2 ? "two" :
                   "default";

也适用于递归:)