[jannes]

For me it actually worked to use a script tag, but I'm confused about why, as the hint says it shouldn't.

This is the URL I used:

    https://xss-game.appspot.com/level3/frame#'><script>alert('bla')</script>

But the hint is hinting at something more like this, I think:

    https://xss-game.appspot.com/level3/frame#' onerror="alert('bla')">

Can somebody explain why the first one worked? Are they wrong when they say that the browser won't execute scripts added after the page has loaded?

[maxjus]

Interestingly, modern WebKit browsers include an "XSS auditor" that will refuse to run javascript sent in the request that loaded the page. It's pretty good (and open-source), so figuring out a way to have XSS without hitting the auditor is a big win for the attacker.

[matchu]

Might be because the script is injected during `onload`, which is arguably the very end of the page-loading process. But, yeah, the hint is clearly incorrect in the latest version of Chrome.

[aetch]

Why do we need the single quote after the # sign? I don't understand why and would like to know.

[HackyGeeky]

As "sbd" said, the "html +=" statement is using the "num" parameter as it is.

The real problem is the substring(1) function which passes the "num", instead of making sure the length is 1 it is allowing everything.

[sbd]

in the chooseTab function you have the following line: html += "<img src='/static/level3/cloud" + num + ".jpg' />";

the src opens with a single quote and looks for the 'num' var. So instead of num in the URL, you close the single quote and then close the image tag, and then run your script.