Edit: I answered completely off base. Misunderstood the question. My hunch on the original question: Maybe some systems only allow injected JS? WordPress anyone? Not quite sure.
Yes, I learned it not so long ago in fact and I am a bit ashamed of it.
Try to save this into an HTML file:
"} If you execute just the JavaScript in your browser console: perfectly fine, valid JS. Now open the HTML file in a browser: powned.
This is because the browser has an HTML parsing phase, and only after that is JS executed.
When . It doesn't matter if the happened to be inside the context of a JavaScript string. At this point the browser doesn't know about JS.
from Hacker News - New Comments: "WordPress" https://ift.tt/2FG9Fdm
via IFTTT
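An added example, not part of the original comment: it models the HTML-before-JS parsing order described above and shows the usual mitigation, escaping `<` when serializing data into an inline script. The function names and the sample object are hypothetical and constructed for illustration.

```javascript
// Added example. Models the one rule that matters here: while parsing HTML,
// a <script> element's text ends at the first "</script" followed by
// whitespace, "/" or ">", whether or not that is inside a JS string.
const SCRIPT_END = /<\/script[\t\n\f\r \/>]/i;

// Returns the part of `body` that the HTML parser would hand to the JS engine.
function scriptTextSeenByParser(body) {
  const m = SCRIPT_END.exec(body);
  return m === null ? body : body.slice(0, m.index);
}

// Naive embedding: valid JavaScript, but unsafe inside an HTML <script> block.
function naiveSerialize(value) {
  return JSON.stringify(value);
}

// Hardened embedding: escape characters that the HTML parser reacts to.
// "\u003c" is still "<" to JSON.parse and to the JS engine.
const ESCAPES = { "<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
                  "\u2028": "\\u2028", "\u2029": "\\u2029" };
function safeSerialize(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Constructed sample: a user-controlled field containing a closing script tag.
const sample = { comment: "nice post </script><p>rest of page" };

function demo() {
  const naive = "var data = " + naiveSerialize(sample) + ";";
  const safe = "var data = " + safeSerialize(sample) + ";";
  return {
    naiveTruncated: scriptTextSeenByParser(naive) !== naive,
    safeTruncated: scriptTextSeenByParser(safe) !== safe,
    roundTrips: JSON.parse(safeSerialize(sample)).comment === sample.comment,
  };
}

console.log(demo());
```

The naive output is cut off mid-string by the HTML parser, while the escaped output reaches the JS engine intact and parses back to the same data.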