I tried doing google gruyeres XSS challenges (http://google-gruyere.appspot.com/part2), and at the stored AJAX XSS challenge they have the following code part for the JSON response:
all <span style=display:none>"
+ (alert(1),"")
+ "</span>your base
The interesting part is: (alert(1),"")
According to the solution provided, the empty string gets returned. According to my testing, the alert(1) still gets exectued.
Is this some sort of function shorthand, or what would this be called in JS?
Why does it execute the alert, but then return the empty string?
Thank you very much for any help!
Best regards,
Rolf