Eval a url
Tuesday, 8 May 2012
(label) (comment) (newLine) (functionCall)
So now we don’t need to do eval(location.hash.slice(1)) we can simply do eval(location) I found this while discussing with Mario and Yosuke Hasegawa on what the shortest HTML based XSS injection was. Using this technique it’s probably 21 (without using netscape 4).
As Stefano Di Paola points out, using hash will allow you to use this technique on Chrome and Opera.