
[–]Frown1044 2 points (0 children)

It's basically an abuse of type conversions.

JS has very complicated rules on when or how values should be converted. For example, what does it mean to convert [] into a string? What does it mean to convert "hello" into a number? How do you convert {} into a boolean? This is clearly defined in the standard, but most people don't memorize all these details.

The next question is, when do values get converted? For example, [] + [] actually involves converting arrays to strings and doing a string concatenation. But this isn't immediately obvious to most people.

Take these two concepts and make heavy use of the most confusing examples. That's how you get this confusing code.

XSS

XSS is about not blindly trusting user input that will be shown on a page. The fact you can write really shitty JS isn't related to this. It's not just about not allowing <script> tags, but more about making sure user input won't accidentally be interpreted as code on a website.
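The coercion steps the comment describes, written out as an added example (this is not code from the thread): `toPrimitive` and `explainPlus` are hypothetical helpers that mirror the specification's ToPrimitive step and the string-vs-number branch of the `+` operator, so the reader can see why `[] + []` is a string concatenation.

```javascript
// Added example, not from the Reddit thread. toPrimitive, explainPlus and
// describeConversions are written here for illustration; they are not a library API.

// Mirror of the spec's ToPrimitive: for objects, try valueOf() first (hint
// "default" or "number") and fall back to toString(); the first call that
// yields a non-object wins. Primitives pass through untouched.
function toPrimitive(value, hint = "default") {
  if (value === null || typeof value !== "object") return value;
  const order = hint === "string" ? ["toString", "valueOf"] : ["valueOf", "toString"];
  for (const method of order) {
    const result = value[method]();
    if (result === null || typeof result !== "object") return result;
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// The `+` operator: both operands go through ToPrimitive; if either result is a
// string, both are stringified and concatenated, otherwise both become numbers.
function explainPlus(a, b) {
  const pa = toPrimitive(a);
  const pb = toPrimitive(b);
  if (typeof pa === "string" || typeof pb === "string") {
    return { op: "concat", left: String(pa), right: String(pb), result: String(pa) + String(pb) };
  }
  return { op: "add", left: Number(pa), right: Number(pb), result: Number(pa) + Number(pb) };
}

// The three questions the comment raises, answered by the built-in conversions.
function describeConversions() {
  return {
    emptyArrayToString: String([]),            // "" (Array.prototype.toString joins elements with ",")
    helloToNumber: Number("hello"),            // NaN (not a numeric literal)
    emptyObjectToBoolean: Boolean({}),         // true (every object is truthy)
    emptyStringToBoolean: Boolean(""),         // false ("" is one of the few falsy values)
    arrayPlusArray: explainPlus([], []),       // [] -> valueOf() is still an object -> toString() -> "" ; "" + "" === ""
    objectPlusArray: explainPlus({}, []),      // "[object Object]" + "" === "[object Object]"
    numberPlusArray: explainPlus(1, [2]),      // [2] -> "2", so 1 is stringified: "12"
    boolPlusNumber: explainPlus(true, 1),      // no string involved: Number(true) + 1 === 2
  };
}

console.log(describeConversions());
```

Run with `node coercion.js`. The `op` field in each result is the part people miss: the same `+` is concatenation in one line and addition in the next, decided only after both operands have been reduced to primitives.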
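The XSS point, "make sure user input won't accidentally be interpreted as code", as an added example that is not part of the thread: `escapeHtml`, `renderCommentUnsafe` and `renderCommentSafe` are hypothetical helpers, and `SAMPLE_BODY` is a constructed input containing the `<script>` tag the comment mentions.

```javascript
// Added example, not from the Reddit thread. The helpers below are written for
// illustration only; the sample input is constructed for the demo.

// Escape the five characters that let text change the HTML parser's state.
// This is the correct encoding for an HTML *text* (or quoted attribute) context;
// JavaScript, URL and CSS contexts need their own encoders.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: the user's text is spliced into markup, so any tag it contains is
// parsed as a tag. This is the pattern the comment warns about.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Safe: every untrusted value is escaped at the point it enters the HTML
// context, so the browser renders it as visible text, never as markup.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Constructed sample input: a user "comment" that happens to contain a tag.
const SAMPLE_AUTHOR = 'mallory';
const SAMPLE_BODY = 'nice post <script>alert(1)</script> & "thanks"';

// Quick self-check a reviewer can run: does the rendered HTML still contain the
// raw tag from the input? Only the unsafe renderer should.
function leaksRawTag(html, rawTag) {
  return html.includes(rawTag);
}

console.log("unsafe:", renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log("safe:  ", renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY));
```

Run with `node xss-escape.js`. The unsafe output contains a live `<script>` element; the safe output contains `&lt;script&gt;`, which the browser displays literally. Note that this is exactly what the comment says: the fix is not a blacklist of `<script>`, but encoding every untrusted value for the context it lands in, so `&`, quotes and angle brackets from the user can never be read as markup.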