I came across to this code snippet, I wonder if anybody knows how to bypass the # sign that make my payload syntax problematic and write a successful XSS payload for this case.
var hashvalue = window.location.hash.substring(1);
var i = $(’#’ + hashvalue);
when I use something like www.example.com/index.html#alert(1234); i value becomes #alert(1234) and payload doesn’t work. Any suggestion will be appreciated.
Thanks in advance