[aetch]

Can you elaborate on this? I tried that and got "unexpected identifier" as a console error. Not sure how it works.

[tautvidas]

The point is to break out of the startTimer() function call, e.g.:

    startTimer('');foo();//');

The remaining '); can be commented out in order to not create any syntax errors.

[lazyjones]

SPOILER ALERT

I used this: 1'* alert()* '

(without the spaces needed for markdown here)

[rhubarbcustard]

Could you explain why the * works in there?

[lazyjones]

JS does automatic type conversion in this case, so it's syntactically correct to multiply a string with a number (or function result). We're just interested in the side-effects of alert(), so it doesn't really matter what kind of expression we use it in, as long as it parses correctly and causes alert() to be executed (evaluated).

[mariocarvalho]

Nice!