eval(unescape("http://somesite.com/%0Aalert('hello')"))
and have it display an alert. I had said that the javascript interpreter ignored the line that failed and skipped to the next line (the alert). WRONG! The real reason why that works is that URLs are VALID javascript! In javascript, you can label a block of code, like so:
label: {
}
}
and then use goto statements to jump to it. In the case of URLs, http: is merely a label!
The next part of a url is the two forward slashes, which is, of course, a single-line comment in javascript. Thus, when a newline is inserted into the url, it works because it is VALID javascript. Super coolness!
I haven't been able to find anyone else talk about this. I don't really even care if I "discovered" it first (which I might have?). It's just plain cool and makes me laugh :)
Use this diet hack to drop 2 lb of fat in just 8 hours
ReplyDeleteWell over 160,000 men and women are using a easy and SECRET "water hack" to drop 2lbs each and every night while they sleep.
It's proven and it works every time.
Here's how you can do it yourself:
1) Hold a glass and fill it with water half the way
2) Proceed to use this proven hack
and be 2lbs skinnier the very next day!