I am testing a web application. I want to write an XSS script that will display an alert "Hello".
The first script I wrote was:
Most likely that site replaces double quotes with HTML entities or tries to escape them in some other way that makes them unsuitable for JavaScript.
When using String.fromCharCode(...) you don't have to use any quotation marks, so it'll work. It gets a list of the ASCII codes of the string's characters and creates a string out of them during runtime, so there's no need for any quoting.
The proper way to avoid this kind of XSS is to replace < with &lt; - that way a script tag cannot be created at all.
Note that >, " and & should also be replaced with their respective HTML entities when sanitizing data containing HTML! However, only < is absolutely required to defeat XSS attacks, assuming no untrusted data can be used in HTML attributes (that's where " needs to be sanitized).
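An added example in JavaScript (not code from the question or the answer) that puts the two filters side by side: a quote-only replacement like the one the answer suspects the site uses, and full entity escaping of &, <, >, " and '. Function names and sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the original post): compare a quote-only
// "sanitizer" with proper HTML entity escaping. Function names and
// sample payloads below are constructed for illustration.

// Weak filter: only neutralises double quotes, as the answer suspects the
// tested site does. Angle brackets survive, so tags can still be formed.
function escapeQuotesOnly(untrusted) {
  return String(untrusted).replace(/"/g, '&quot;');
}

// Proper escaping for untrusted data placed in HTML text or attribute
// values: &, <, >, " and ' all become entities. & is replaced first so
// the entities produced afterwards are not double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Check helper: does the filtered output still contain a raw '<' that
// could open a tag or comment? True means the filter left tag syntax intact.
function canOpenTag(filtered) {
  return /<\s*[a-zA-Z!\/]/.test(filtered);
}

// Constructed inputs: a payload that depends on quotes, the quote-free
// variant the answer describes (String.fromCharCode), and benign markup.
const SAMPLE_INPUTS = [
  '<script>alert("Hello")</script>',
  '<script>alert(String.fromCharCode(72,101,108,108,111))</script>',
  'Tom &amp; Jerry <b>bold</b>',
];

// Run both filters over every input and report whether tag syntax survives.
function evaluateFilters(inputs = SAMPLE_INPUTS) {
  return inputs.map((raw) => ({
    raw,
    quotesOnlyStillDangerous: canOpenTag(escapeQuotesOnly(raw)),
    fullEscapeStillDangerous: canOpenTag(escapeHtml(raw)),
  }));
}

console.log(evaluateFilters());
```

For every constructed input the quote-only filter leaves `<` in place (the second input never needed quotes at all), while escapeHtml removes every raw `<`.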