Visit the following URL, replacing
YOUR-LAB-ID with your lab ID:
The lab will be solved, but the alert will only be called if you click "Back to blog" at the bottom of the page.
The exploit uses exception handling to call the
alert function with arguments. The
throw statement is used, separated with a blank comment in order to get round the no spaces restriction. The
alert function is assigned to the
onerror exception handler.
throw is a statement, it cannot be used as an expression. Instead, we need to use arrow functions to create a block so that the
throw statement can be used. We then need to call this function, so we assign it to the
toString property of
window and trigger this by forcing a string conversion on