Level 4 - Context matters

Hints

1. Take a look at how the startTimer function is called.

2. When browsers parse tag attributes, they HTML-decode their values first. <foo bar='z'> is the same as <foo bar='&#x7a;'

3. Try entering a single quote (') and watch the error console.

Exploitation

Payload

We can provide the following payload to solve this problem:

1'); alert('1