# # https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet # based on the RSnake original http://ha.ckers.org/xss.html # Retrieved on 2013-11-20 # Much of this wildly obsolete # # XSS Locator 2 '';!--"=&{()}

# Grave Accent Obfuscation

# Malformed A Tags # (not actually malformed) xxs link xxs link # Malformed IMG Tags "> # fromCharCode

# Default SRC tag to get past filters that check SRC domain

# Default SRC tag by leaving it empty # nickg; Unable to replicate in FF,Safari,Chrome 2014-01-10 #

# Default SRC tag by leaving it out entirely # Decimal HTML character references # obsolete?

# Decimal HTML character references without trailing semicolons # obsolete

# Hexadecimal HTML character references without trailing semicolons # obsolete form

# Embedded tab # obsolete form #

# Embedded escaped tab # obsolete form #

# Embedded newline to break up XSS # obsolete form #

# Embedded CR # obsolete form #

# Null # obsolete form #

# Spaces and meta chars before the JavaScript in images for XSS # obsolete form #

# Non-alpha-non-digit XS # this is bogus or obsolete # # Extraneous open brackets < # No closing script tags # INPUT image # BODY image # IMG Dynsrc # Wildly obsolete # IMG LOW src # Wildy obsolete # List-style-image # likely obsolete

XSS
# VBscript in an image # Livescript (older versions of Netscape only) # Obsolete # # BODY tag # BGSOUND # STYLE sheet # Remote style sheet # Remote style sheet part 2 # Remote style sheet part 3 # Remote style sheet part 4 # STYLE tags with broken up JavaScript for XSS # STYLE attribute using a comment to break up expression alert('XSS'); # STYLE tag using background-image # STYLE tag using background # Anonymous HTML with STYLE attribute # Local htc file # META # META using data # META # IFRAME # IFRAME Event based # FRAME # TABLE # TD
# DIV background-image
# DIV background-image with unicoded XSS exploit
# DIV expression
# "Downlevel-hidden block" # BASE tag # Object tag # Using an EMBED tag you can embed a Flash movie that contains XSS # You can EMBED SVG which can contain your XSS vector # Using ActionScript inside flash can obfuscate your XSS vector # N/A # XML data island with CDATA obfuscation # Locally hosted XML with embedded JavaScript that is generated using an XML data island # XSS using HTML quote encapsulatio