javascript – Doubtful exercise of xss


Guys, I wanted to understand the following logic of an XSS challenge I was doing.

Why is it that when I put <script>alert(1);</script> it doesn't work, but when I put </script><script>alert(1);</script> the message appears?

The code below generates HTML in an unsafe way. Prove it by calling

function escape(s) {   // Warmup.
   return '<script>console.log("'+s+'");</script>';
}

Challenge Link:


Inside that function you have a string of HTML.

This string has the opening <script> tag and will receive content that the user enters.

If within the content you insert you put the closing tag of that script </script> then you will "cheat the code" and you can add a new opening <script> tag and put whatever you want in it.

In your first example <script>alert(1);</script> the result is:

return '<script>console.log("<script>alert(1);</script>");</script>';

where the last </script> is discarded by the browser.

In your second example, you interrupt the console.log syntax and generate HTML with the script tag that you inserted, and it looks like this:


The first <script>console.log("</script> block gives a syntax error, but the browser still runs the next <script>alert(1);</script> block, which gives the alert.
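
The behaviour discussed above, as an added example that is not part of the original question or answer: the challenge's `escape` is run on both inputs from the question, split into script blocks the way the HTML parser would, and each block is checked for whether it compiles. `scriptBodies`, `parses`, `analyze` and `safeEscape` are hypothetical helpers introduced here; `scriptBodies` is a simplified model of the parser and `safeEscape` is one hardened form of the function.

```javascript
// Challenge function from the page (intentionally unsafe).
function escape(s) {
  return '<script>console.log("' + s + '");</script>';
}

// Hypothetical helper: simplified model of how an HTML parser delimits
// <script> elements. Each one ends at the first "</script" after its opening
// tag, whatever JavaScript quoting surrounds it. Ignores tag attributes and
// the "<!--" escape states of the real tokenizer.
function scriptBodies(html) {
  const lower = html.toLowerCase();
  const bodies = [];
  let pos = 0;
  for (;;) {
    const open = lower.indexOf('<script>', pos);
    if (open === -1) break;
    const start = open + '<script>'.length;
    const close = lower.indexOf('</script', start);
    if (close === -1) { bodies.push(html.slice(start)); break; }
    bodies.push(html.slice(start, close));
    pos = close + '</script'.length;
  }
  return bodies;
}

// Compiles a script body without running it; false means a syntax error,
// so the browser would not execute that block.
function parses(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Hardened variant (assumption: the value is only ever a JS string literal).
// JSON.stringify handles quotes and backslashes; "<" becomes \u003c so the
// output can never contain "</script" or "<!--".
function safeEscape(s) {
  const literal = JSON.stringify(String(s)).replace(/</g, '\\u003c');
  return '<script>console.log(' + literal + ');</script>';
}

function analyze(render, input) {
  return scriptBodies(render(input)).map((body) => ({ body, parses: parses(body) }));
}

// Inputs taken from the question.
console.log(analyze(escape, '<script>alert(1);</script>'));
console.log(analyze(escape, '</script><script>alert(1);</script>'));
console.log(analyze(safeEscape, '</script><script>alert(1);</script>'));
```

With the first input there is a single block that fails to compile, so nothing runs; with the second, the injected block is a separate element that compiles on its own; with `safeEscape` the same input stays inside one valid string literal.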
