I was confused. How could those characters change the interpretation of a string?
David grabbed the keyboard, and wrote the following HTML page:
var a = "</script><script>alert('xss');</script>";
"What do you think will happen here?", David asked.
"Ehm..", I replied intelligently.
"Now why do you think that happened?"
"I have no clue... How are we breaking out of the variable?", I asked.
with the firebug add-in
var a = "\x3C/script\x3E\x3Cscript\x3Ealert('xss');\x3C/script\x3E";
Continue to part 11...
Go back to: Part 1
, Part 2
, Part 3
, Part 4
, Part 5
, Part 6
, Part 7
, Part 8
, Part 9