I'm searching a way to properly evade from a JavaScript variable to perform XSS. A normal user input will give var a='<b>user input</b>'
.
a
isn't eval anywhere and is not usable. Howewer, I've find something interesting. An input like %0a%0dalert(1);//
will render as:
var a='<b>
alert(1);//</b>'
My browser is warning me about an illegal token error. This is normal, and due to var a
not being closed.
Is there a way to get this to work? Executing the alert function ignoring the previous error. '
is escaped as \'
and \
as \\
.
Others basics HTML characters are also encoded in a normal manner (" < > &
)