Cross-Site Scripting (XSS) Cheat Sheet - 2021 Edition | Web Security Academy

Reflected DOM

Because you have injected a backslash and the site does not escape backslashes, when the JSON response escapes the double-quote character that follows it, it adds a second backslash. The resulting double backslash is itself a complete escape sequence (an escaped backslash), so the escaping of the double quote is effectively canceled out: the double quote is processed unescaped and closes the string that should contain the search term.

An arithmetic operator (in this case the subtraction operator) then separates the closed string from the expression that follows, so the alert() function is called. Finally, a closing curly bracket and two forward slashes close the JSON object early and comment out what would have been the rest of the object. With the payload below, the response is generated as follows:

Payload: \"-alert(1)}//

Response: {"searchTerm":"\\"-alert(1)}//", "results":[]}
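To make the escaping flaw concrete, here is an added JavaScript example (not code from the Web Security Academy page or lab) that models a server which escapes double quotes but not backslashes, places the corrected serializer beside it, and shows which text ends up outside the searchTerm string literal. The flawed escaping function is an assumption modelled on the description above, not the lab's actual server code.

```javascript
// Added example: simulates the server-side escaping flaw behind this payload
// and the fix. The flawed escaper is a hypothetical model of the described bug.

// Flawed escaping: escapes double quotes but leaves backslashes untouched.
function flawedEscape(term) {
  return term.replace(/"/g, '\\"');
}

// Correct escaping: let a real JSON serializer handle every special character,
// including backslashes, then strip the surrounding quotes it adds.
function safeEscape(term) {
  return JSON.stringify(term).slice(1, -1);
}

// Builds the response body in the shape shown on the page.
function buildResponse(term, escapeFn) {
  return '{"searchTerm":"' + escapeFn(term) + '", "results":[]}';
}

// Defender-side check: the response must parse as JSON and the stored term
// must round-trip unchanged. Any failure means the string boundary leaked.
function roundTrips(term, escapeFn) {
  try {
    return JSON.parse(buildResponse(term, escapeFn)).searchTerm === term;
  } catch (e) {
    return false;
  }
}

// Returns everything that falls outside the searchTerm string literal when the
// response is evaluated as JavaScript, i.e. the text eval() would treat as code.
function leakedCode(response) {
  const marker = '"searchTerm":"';
  let i = response.indexOf(marker) + marker.length;
  while (i < response.length && response[i] !== '"') {
    if (response[i] === '\\') i++; // an escape consumes the next character
    i++;
  }
  return response.slice(i + 1);
}

// The page's payload, written as a JS literal: \"-alert(1)}//
const payload = '\\"-alert(1)}//';

// Constructed comparison for readers running this stand-alone.
console.log(buildResponse(payload, flawedEscape)); // the response shown above
console.log(leakedCode(buildResponse(payload, flawedEscape))); // code outside the string
console.log(leakedCode(buildResponse(payload, safeEscape)));   // only JSON syntax remains
```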