While investigating the security of a website, I noticed a way to inject HTML via query strings. Unfortunately, all quotation marks were removed from my injected JavaScript code, so I could not inject any meaningful code into the page.
Strings are important, for example to select DOM elements, to listen for events, or to obfuscate further code inside the query string. Luckily, JavaScript is powerful enough to create strings without any quotes: you can pass a regular expression literal to the String() function, which returns the literal's source wrapped in slash delimiters.
Then you remove the delimiter characters from the start and end of the string using substring() and slice().
Look at this working example:
https://mywebsite.com/newsletter.php?email=<script>alert(String(/Evil/).substring(1).slice(0,-1));</script>
What can you learn from this? Always remove or encode all HTML in request data before it is reflected into a page; do not rely on removing or escaping quotes alone!
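To make the point concrete, here is an added example (not code from the original post) that runs the quoteless payload shown above through two filters: a quote-stripping filter like the one the site used, and proper HTML entity encoding for a text context. The filter names and the containsTag() heuristic are my own constructions.

```javascript
// Constructed sample input: the query-string value from the post above.
const PAYLOAD = '<script>alert(String(/Evil/).substring(1).slice(0,-1));</script>';

// Shows the mechanism the post describes: a regex literal yields "/Evil/",
// and trimming one character from each end leaves the bare string "Evil".
function quotelessString() {
  return String(/Evil/).substring(1).slice(0, -1);
}

// Weak filter (hypothetical): only removes quote characters, as the site did.
function stripQuotes(input) {
  return input.replace(/["'`]/g, '');
}

// Correct output encoding for an HTML text context: every character that can
// open a tag, close an attribute or start an entity becomes an entity.
function escapeHtml(input) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return input.replace(/[&<>"'`]/g, (c) => map[c]);
}

// Crude detection heuristic: does the filtered value still contain anything
// the HTML parser would treat as a tag?
function containsTag(html) {
  return /<\/?[a-z][^>]*>/i.test(html);
}

// The payload contains no quotes, so the weak filter returns it unchanged and
// the script tag survives; entity encoding leaves nothing parseable as a tag.
function demo() {
  const stripped = stripQuotes(PAYLOAD);
  const escaped = escapeHtml(PAYLOAD);
  return {
    afterStripQuotes: stripped,
    afterEscapeHtml: escaped,
    weakFilterLeavesTag: containsTag(stripped),
    encodingLeavesTag: containsTag(escaped),
  };
}

console.log(demo());
```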
Title image: https://pixabay.com/de/photos/code-javascript-programmieren-3337044/