Here is a xss code:
<img src=x onerror="javascript:window.onerror=alert;throw 1">
I can't understand the usage of alert
here. Why we don't need parentheses after the alert
? And I can't understand the behavior of browser. The browser will pop up a box and dislplay Uncaught 1
. It looks like that the browser first pop up an alert box and then fill the exception string into the box. However, I am not quite sure how this happens. BTW, I tested this in chrome.
The
window.onerror
itself is a function. You can say it as a function name or better, function reference. And alert is also a name of the function, which can be called as funtion reference.So, they are mapping the
onerror
withalert
, i.e., when theonerror
event takes place, there will be an alert.The
window.onerror
being an event handler, andalert
is something that alerts whatever sent into the parameter, now theonerror
event handler sends the event information to thealert
and yes, you get what's the error, when an error occurs.More information about parameters and working of
window.onerror
. Their syntax is:Where the
funcRef
is referred toalert()
.