Friday, December 30, 2016

possible XSS execution in Javascript context

The following browser behaviour may be useful for bug bounty programs.

The alert(1) is executed in all common browsers, even though the JS is inside a string context.
A lot of standard libraries only encode the single or double quote with a backslash or HTML entities, especially in JSON/XMLHttpRequest responses, which does nothing against this payload.

<html>
test
<script>
foo="text </script><script>alert(1)</script>";
</script>
</html>
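Why the quote escaping does not help: the HTML tokenizer decides where the script element ends before the JavaScript engine ever parses the string, and in "script data" state the element ends at the first "</script" (case-insensitive, followed by whitespace, "/" or ">"). The following added example (my own code, not from the original post or any library) compares a quote-only escaper with one that \u-encodes the characters the HTML parser cares about, and applies the same fix to JSON placed in a script element; the payload value is the one from the page, names like safeJsStringEscape are made up here.

```javascript
// Added example, not code from the original post.

// Library-style escaper that only handles backslash and double quote.
function naiveJsStringEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Hardened escaper: every character that matters to the HTML parser
// (plus JS line terminators) becomes a \uXXXX escape. The JS engine
// decodes it back to the original character, so the value is unchanged,
// but the bytes "</script" can no longer appear in the page source.
function safeJsStringEscape(s) {
  return s.replace(/[\\"'<>&\/\u2028\u2029\r\n]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Same idea for JSON embedded in <script>: JSON.stringify leaves "<"
// alone, so "</script>" inside any string value would end the element.
function jsonForScriptElement(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Mirrors the HTML "script data" tokenizer rule: the element ends at an
// appropriate end tag, i.e. "</script" followed by whitespace, "/" or ">".
// Useful as a check on rendered output in a test suite.
function scriptDataEndsEarly(scriptBody) {
  return /<\/script[\s\/>]/i.test(scriptBody);
}

// Renders the assignment from the post with the value run through an escaper.
function renderScript(value, escape) {
  return 'foo="' + escape(value) + '";';
}

// Constructed input: the payload shown in the post.
const PAYLOAD = 'text </script><script>alert(1)</script>';

function demo() {
  const naive = renderScript(PAYLOAD, naiveJsStringEscape);
  const safe = renderScript(PAYLOAD, safeJsStringEscape);
  return {
    naiveBreaksOut: scriptDataEndsEarly(naive), // true: element closed early
    safeBreaksOut: scriptDataEndsEarly(safe),   // false: stays a JS string
    // \uXXXX escapes are valid JSON too, so the value survives decoding
    roundTrip: JSON.parse('"' + safeJsStringEscape(PAYLOAD) + '"') === PAYLOAD,
  };
}
```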

Google's Chrome team responded to my question about the reason: