While making a website I made an interesting mistake, and I'm wondering if this could be used to achieve XSS. I've come very close, but not quite.
I can put my user input into a string inside of a <script>
tag. It looks something like this:
<script>
// some code above
some_variable = "my user input"
// some code below
</script>
I intended to escape "
and \
characters, by putting a backslash in front of them. I also completely remove any newlines.
But accidentally I put a normal slash instead of a backslash. So I only escaped the "
and /
characters.
This means I can escape the string with something like \"
which will turn into \\"
and break me out of the string.
Normally you would simply do \"-alert(1)//
to escape the string, execute the alert and then comment out the rest of the code. But since in my unique example I escaped the /
character, you can't comment out the rest with that.
To make it more clear here is an example:
// Common example
some_variable = "\\"-alert(1)//"
// My situation
some_variable = "\\"-alert(1)\/\/"
Lots of things I've tried already all result in some sort of syntax error, which doesn't execute the code. I'm wondering if there is some sort of trick I missed to still get XSS from this.
This question is similar to XSS inside JavaScript string literal without single quotes?, which isn't exploitable. But here I can actually get out of the string without using newlines, maybe that makes a difference.
Here is the exact PHP code that resulted in this problem:
function toSafeJavascript($unsafe) {
$safe = str_replace(array("\r\n", "\n", "\r"), '', $unsafe); // Remove newlines
$safe = preg_replace('/([\\/"])/', '\\\\$1', $safe);
return $safe;
}