top | item 40295247

(no title)

From article:

So I tried placing there continue=javascript:alert(document.domain), and… It works!

What do you think document.domain returns in this case?

discuss

document.domain returns the current domain used in the document because no redirect occurred. Similar to if you typed it in your address bar right now, it should show you the HN domain.

It's commonly used as a placeholder in an alert-box XSS PoC. Weaponising this into an actual exploit could have been a fetch(), css inclusion, or enumerating localstorage.