How do you solve lv4?

lazyjones · on May 29, 2014

' after the timer value, then proceed to construct a JS expression that will be evaluated before the call to setTimer ... Hint: '99'+moo() will evaluate nicely. Don't forgot the "open" the ' again.

rhubarbcustard · on May 29, 2014

I can't figure how to close the quote after the '99 ? I realise that specifying ' on URL gets encoded to %27 but not sure how to turn that into the closing ' for startTime('99'); .....

Help!

aetch · on May 29, 2014

Can you elaborate on this? I tried that and got "unexpected identifier" as a console error. Not sure how it works.

tautvidas · on May 29, 2014

The point is to break out of the startTimer() function call, e.g.:

    startTimer('');foo();//');

The remaining '); can be commented out in order to not create any syntax errors.

lazyjones · on May 29, 2014

SPOILER ALERT

I used this: 1'* alert()* '

(without the spaces needed for markdown here)

rhubarbcustard · on May 29, 2014

Could you explain why the * works in there?

lazyjones · on May 29, 2014

JS does automatic type conversion in this case, so it's syntactically correct to multiply a string with a number (or function result). We're just interested in the side-effects of alert(), so it doesn't really matter what kind of expression we use it in, as long as it parses correctly and causes alert() to be executed (evaluated).

mariocarvalho · on June 1, 2014

Nice!

on May 29, 2014

[deleted]

lazyjones · on May 29, 2014

nope, OSX Safari

namanaggarwal · on May 29, 2014

still not able to get :-(

sourthyme · on May 29, 2014

Use the text input instead of the url.

erid · on May 29, 2014

You could use %2b instead of + on the URL and it'll work, or just * as mentioned above.

voxtex · on May 29, 2014

' + alert() + '

worked for me.

codeman123 · on May 29, 2014

can't solve it either :-/

jofo25 · on May 29, 2014

In the text input I put:

3') + alert('

vsakos · on May 29, 2014

add your alert to the img onload