What is the meaning of the minus character in JavaScript in front of and after a function call?

I am following PortSwigger's academy (https://portswigger.net/web-security/cross-site-scripting/contexts). In the XSS module, when explaining how to break out of a JS string, the following code snippet is shown as an example. I don't understand what the minus characters are doing before and after the function call. Any help is appreciated, thanks.

'-alert(document.domain)-'

>Solution :

You have to consider where the user input will be injected into.

To take a simple example, assume we are given:

const foo = 'a string with $USERINPUT';

If you replace the placeholder with a straightforward call to alert then the function call is just part of the string, which is harmless:

const foo = 'a string with alert(document.domain)';

If you use the input you quoted then the first ' ends the string, the - is a subtraction operator, then the alert is treated as a function call (then you get another subtraction operator and a ' to pair with the original quote that ended the first string).

const foo = 'a string with '-alert(document.domain)-'';

Without the subtraction operators you would have the function call directly adjacent to the string literal:

const foo = 'a string with 'alert(document.domain)'';

… which is a syntax error.
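The three cases from the answer, run through the JavaScript parser, next to an escaped rendering that keeps the input inside the string literal. This is an added example, not part of the original answer; the stub `alert`/`document`, the `example.test` domain and the `escapeForJsString` helper are assumptions made for the illustration.

```javascript
// Template from the answer: user input lands inside a single-quoted JS string.
const TEMPLATE = "const foo = 'a string with $USERINPUT'; return foo;";

// Naive rendering: raw substitution, as in the answer's examples.
function renderNaive(input) {
  return TEMPLATE.replace('$USERINPUT', () => input);
}

// Hardened rendering (assumed helper): characters that could end the string
// literal or the surrounding <script> block become \uXXXX escapes.
function escapeForJsString(input) {
  return input.replace(/[\\'"<>&\n\r\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderEscaped(input) {
  return TEMPLATE.replace('$USERINPUT', () => escapeForJsString(input));
}

// Parse and run the generated source with a stub alert() that only records
// its calls, so the outcome can be inspected outside a browser.
function evaluate(source) {
  const calls = [];
  const alertStub = msg => { calls.push(msg); };
  const documentStub = { domain: 'example.test' }; // constructed value
  try {
    const fn = new Function('alert', 'document', source);
    return { status: 'ran', value: fn(alertStub, documentStub), calls };
  } catch (e) {
    return { status: e.name, value: undefined, calls };
  }
}

// Inputs taken from the question and the answer.
const INPUTS = {
  plain: "alert(document.domain)",
  withMinus: "'-alert(document.domain)-'",
  withoutMinus: "'alert(document.domain)'",
};

for (const [name, input] of Object.entries(INPUTS)) {
  const naive = evaluate(renderNaive(input));
  const escaped = evaluate(renderEscaped(input));
  console.log(name, '| naive:', naive.status, 'alert calls:', naive.calls.length,
    '| escaped:', escaped.status, 'alert calls:', escaped.calls.length);
}
```

With the minus signs the naive rendering parses as `string - alert(...) - string`, so `alert` runs and `foo` ends up as `NaN`; the escaped rendering leaves the same input as inert string data.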
