I am following PortSwigger's academy (https://portswigger.net/web-security/cross-site-scripting/contexts). In the XSS module, when explaining how to break out of a JS string, the following code snippet is shown as an example. I don't understand what the minus characters are doing before and after the function call. Any help is appreciated, thanks.
You have to consider where the user input will be injected to.
To take a simple example, assume we are given:
const foo = 'a string with $USERINPUT';
If you replace the placeholder with a straightforward call to alert then the function call is just part of the string, which is harmless:
const foo = 'a string with alert(document.domain)';
If you use the input you quoted then the first ' ends the string, the - is a subtraction operator, then the alert is treated as a function call (then you get another subtraction operator and a ' to pair with the original quote that ended the first string).
const foo = 'a string with '-alert(document.domain)-'';
Without the subtraction operators you would have the function call directly adjacent to the string literal:
const foo = 'a string with 'alert(document.domain)'';
… which is a syntax error.
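The three cases walked through in the answer above, as an added example that is not part of the original post: it builds each script, reports whether it parses and whether `alert` runs, and compares that with a version that encodes the input as a string literal. The names `render`, `safeRender` and `evaluate` and the stubbed `alert`/`document` are assumptions made for this illustration.

```javascript
// render(), safeRender() and evaluate() are hypothetical helpers for this example.

// Naive templating: the input is pasted into the single-quoted literal unescaped.
function render(userInput) {
  return "const foo = 'a string with " + userInput + "'; return foo;";
}

// Hardened templating: emit the value as a JS string literal via JSON.stringify,
// and escape "<" so that "</script>" cannot close an inline script block.
function safeRender(userInput) {
  const literal = JSON.stringify('a string with ' + userInput).replace(/</g, '\\u003c');
  return 'const foo = ' + literal + '; return foo;';
}

// Parse and run the generated source with stubbed alert/document, reporting
// whether it parsed, whether alert was called, and what foo ended up being.
function evaluate(source) {
  const calls = [];
  const alertStub = (msg) => { calls.push(msg); };
  const documentStub = { domain: 'example.test' }; // constructed value
  let fn;
  try {
    fn = new Function('alert', 'document', source);
  } catch (e) {
    return { parsed: false, error: e.name, alertCalls: calls, foo: undefined };
  }
  const foo = fn(alertStub, documentStub);
  return { parsed: true, error: null, alertCalls: calls, foo };
}

const inputs = [
  "alert(document.domain)",      // stays inside the string literal
  "'-alert(document.domain)-'",  // closes the string; the call becomes an operand
  "'alert(document.domain)'",    // string literal directly followed by an identifier
];
for (const input of inputs) {
  console.log(JSON.stringify(input));
  console.log('  naive:  ', evaluate(render(input)));
  console.log('  encoded:', evaluate(safeRender(input)));
}
```

In the second case `foo` ends up as `NaN`, because the string, the call's return value and the empty string are all operands of numeric subtraction; the call still has to run for the expression to be evaluated.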