I am following Port Swigger’s academy (https://portswigger.net/web-security/cross-site-scripting/contexts). At the XSS module when explaining how to break out of a JS string the following code snippet is shown as an example. I don’t understand what are the minus characters doing before and after the function call. Any help is appreciated thanks.
'-alert(document.domain)-'
>Solution :
You have to consider where the user input will be injected to.
To take a simple example, assume we are given:
const foo = 'a string with $USERINPUT';
If you replace the placeholder with a straight-forward call to alert then the function call is just part of the string, which is harmless:
const foo = 'a string with alert(document.domain)';If you use the input you quoted then the first ' ends the string, the - is a subtraction operator, then the alert is treated as a function call (then you get another subtraction operator and a ' to pair with the original quote that ended the first string.
const foo = 'a string with '-alert(document.domain)-'';Without the subtraction operators you would have the function call directly adjacent to the string literal:
const foo = 'a string with 'alert(document.domain)'';
… which is a syntax error.