Hacker News new | ask | show | jobs
by lazyjones 4399 days ago
' after the timer value, then proceed to construct a JS expression that will be evaluated before the call to setTimer ... Hint: '99'+moo() will evaluate nicely. Don't forgot the "open" the ' again.
3 comments
rhubarbcustard 4399 days ago
I can't figure how to close the quote after the '99 ? I realise that specifying ' on URL gets encoded to %27 but not sure how to turn that into the closing ' for startTime('99'); .....

Help!

link
aetch 4399 days ago
Can you elaborate on this? I tried that and got "unexpected identifier" as a console error. Not sure how it works.
link
tautvidas 4399 days ago
The point is to break out of the startTimer() function call, e.g.:

    startTimer('');foo();//');
The remaining '); can be commented out in order to not create any syntax errors.
link
lazyjones 4399 days ago
SPOILER ALERT

I used this: 1'* alert()* '

(without the spaces needed for markdown here)

link
rhubarbcustard 4399 days ago
Could you explain why the * works in there?
link
lazyjones 4399 days ago
JS does automatic type conversion in this case, so it's syntactically correct to multiply a string with a number (or function result). We're just interested in the side-effects of alert(), so it doesn't really matter what kind of expression we use it in, as long as it parses correctly and causes alert() to be executed (evaluated).
link
mariocarvalho 4396 days ago
Nice!
link
namanaggarwal 4399 days ago
still not able to get :-(
link
sourthyme 4399 days ago
Use the text input instead of the url.
link
erid 4399 days ago
You could use %2b instead of + on the URL and it'll work, or just * as mentioned above.
link
voxtex 4399 days ago
' + alert() + '

worked for me.

link
codeman123 4399 days ago
can't solve it either :-/
link