Javascript

Something on sandboxes

Character restrictions

Only ()+[]!
Only +[]{}!$`
No parentheses
Cool encoder

If your injected code is HTML-escaped, you can use backticks ` to get strings through. Just be aware that these strings are template literals, so any ${...} inside them will be interpolated.

Unicode shenanigans

Of course

Leaks

A function's .toString() renders its full source code, including comments!

function a() {
    /* Top sneaky: flag{1234} */
}
// Prints the whole function body, comment included
console.log(a.toString());
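To show what .toString() does and does not expose, here is an added example (not from these notes): a function carrying a constructed sample secret in its body, next to one that only closes over the value. The helper names and the secret string are assumptions for the demo.

```javascript
// Constructed sample secret for this demo (not a real flag).
const SECRET = "flag{constructed-sample}";

// Leaky pattern: the secret sits inside the function body (here in a
// comment), so anyone who can call .toString() on the function reads it.
function leakyCheck(guess) {
  /* TODO remove before release: flag{constructed-sample} */
  return guess === "flag{constructed-sample}";
}

// Safer pattern: the function only references a closed-over binding.
// The rendered source shows the identifier "secret", not its value.
function makeChecker(secret) {
  return function check(guess) {
    return guess === secret;
  };
}
const safeCheck = makeChecker(SECRET);

// Returns true when the function's rendered source contains the secret text.
function sourceLeaksSecret(fn, secret) {
  return Function.prototype.toString.call(fn).includes(secret);
}

// Returns true when the rendered source still carries any comment,
// which is what a reviewer would grep for before shipping.
function sourceContainsComments(fn) {
  const src = Function.prototype.toString.call(fn);
  return /\/\*[\s\S]*?\*\/|\/\/[^\n]*/.test(src);
}

console.log("leakyCheck leaks:", sourceLeaksSecret(leakyCheck, SECRET)); // true
console.log("safeCheck leaks:", sourceLeaksSecret(safeCheck, SECRET));   // false
```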

Exfiltration

Change the DOM inside an iframe

Technique

The host page isn't supposed to be able to communicate with other domains. If you spawn an iframe and then change some DOM in the host, that change is inherited by the guest. Oops.