by Georges Michel
Happy New Year 2017 :)
Yesterday I was stuck while DOM-based XSSing a website which removes single quotes, double quotes, parentheses and back-ticks.
I haven't yet found a solution without using parentheses or back-ticks :-( but I found some funny things I am going to show you.
The main idea is to use the implicit cast to a string of the shortened RegExp notation (a regex literal):
This produces the string "/test/g".
However, if we want to use it, we need to remove the starting char "/" and the ending chars "/g", like this:
Let's play:
Above, note that these double back-slashes ("\\") avoid a syntax error; they will be replaced by "//" in the location value.