I thought this was cool: whilst experimenting, I found I could use decimal (not hex; oops, that's what I get for posting on Monday morning) entities within a URL to combine unicode strings to produce anything. The result is truly obscure-looking JavaScript. I've included a plain text alert to help understand what's going on. The code basically translates to javascript:x='eval'; notice how it is possible to assign strings even though entities are used.
<a href="javascript: x='\145\166\141\154',alert(x)">Test</a>
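For anyone writing a filter against this, here is an added example (not code from the original post) that peels the two layers the link relies on, HTML numeric entities and then JavaScript string escapes, and reports tokens that only become visible after decoding. The entity-encoded `SAMPLE_HREF`, the `FLAGGED` list and all function names are constructed for illustration.

```javascript
// Constructed sample: the page's link with each escape written as decimal
// HTML entities (&#92; is a backslash, &#49;&#52;&#53; is "145").
const SAMPLE_HREF =
  "javascript: x='&#92;&#49;&#52;&#53;&#92;&#49;&#54;&#54;" +
  "&#92;&#49;&#52;&#49;&#92;&#49;&#53;&#52;',alert(x)";

// Illustrative watch list (an assumption; tune it for your own filter).
const FLAGGED = ["eval", "Function", "setTimeout"];

// Layer 1: numeric character references, as the HTML parser resolves them
// in an attribute value. Named entities are out of scope for this example.
function decodeNumericEntities(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);?/g, (m, ref) => {
    const hex = ref[0] === "x" || ref[0] === "X";
    const cp = parseInt(hex ? ref.slice(1) : ref, hex ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Layer 2: JavaScript string escapes (\u{..}, \uXXXX, \xXX, legacy octal).
// Applied to the whole text, not only string literals, so it over-decodes
// slightly; that is acceptable for a scanner.
const JS_ESCAPE =
  /\\(?:u\{([0-9a-fA-F]{1,6})\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([0-3][0-7]{0,2}|[4-7][0-7]?))/g;

function decodeJsEscapes(s) {
  return s.replace(JS_ESCAPE, (m, braced, u4, x2, oct) => {
    const cp = oct !== undefined ? parseInt(oct, 8) : parseInt(braced || u4 || x2, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Peel both layers, then report flagged tokens that only appear after decoding.
function inspectHref(raw) {
  const html = decodeNumericEntities(raw);
  const normalized = decodeJsEscapes(html);
  // Browsers ignore tabs, newlines and leading control characters in the scheme;
  // stripping everything <= 0x20 is a deliberate over-approximation.
  const isJavascriptUrl = html
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase()
    .startsWith("javascript:");
  const hiddenTokens = FLAGGED.filter(
    (t) => normalized.includes(t) && !raw.includes(t)
  );
  return { isJavascriptUrl, normalized, hiddenTokens };
}
```

A keyword filter that inspects only the raw attribute value never sees `eval` here; matching against `normalized` closes that gap.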



