Last active
July 2, 2017 00:15
Content-Security-Policy: default-src 'self'; script-src 'self' static.domain.tld
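The header above only helps if the policy that reaches the browser is actually restrictive. The following is an added example (not code from the gist) that parses a CSP header into its directives, applies the default-src fallback the way browsers do for fetch directives, and flags the script-src settings that reopen the inline-script and eval sinks the rest of the gist warns about. The sample headers are constructed for the demo.

```javascript
// Added example: parse a Content-Security-Policy header and review script-src.
// Not part of the gist; sample headers below are constructed.

function parseCsp(header) {
  // A policy is a ';'-separated list of directives, each "name value value ...".
  const directives = new Map();
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...values] = parts;
    const key = name.toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore duplicates.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

function effectiveSources(directives, name) {
  // Fetch directives such as script-src fall back to default-src when absent.
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || [];
}

function reviewCsp(header) {
  const directives = parseCsp(header);
  const findings = [];
  if (!directives.has('default-src')) {
    findings.push('no default-src: every fetch directive not listed is unrestricted');
  }
  const script = effectiveSources(directives, 'script-src');
  if (script.length === 0) {
    findings.push('script-src has no sources and no default-src to fall back on');
  }
  if (script.includes("'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-inline': inline <script> and event handlers execute");
  }
  if (script.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval() and setInterval(string) execute");
  }
  if (script.includes('*')) {
    findings.push("script-src allows '*': scripts load from any origin");
  }
  for (const src of script) {
    // Scheme-only sources permit any host using that scheme.
    if (/^https?:$/.test(src) || src === 'data:') {
      findings.push(`script-src allows the scheme source ${src}`);
    }
  }
  return { directives, findings };
}

// Demo on a constructed header; expected: no findings for the gist's policy.
const sample = "default-src 'self'; script-src 'self' static.domain.tld";
console.log(reviewCsp(sample).findings);
```

Run the review against the header your application actually sends (for example, as captured in a browser's network tab) rather than the one in a config template; reverse proxies and frameworks frequently append or override directives.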
<script>...NEVER PUT UNTRUSTED DATA HERE...</script>             Directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...-->                       Inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test />                 In an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" />                In a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style>               Directly in CSS
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;   (&apos; is not recommended because it's not in the HTML spec; &apos; is in the XML and XHTML specs)
/ --> &#x2F;   (the forward slash is included as it helps end an HTML entity)
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>       Inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>     Inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>     Inside double quoted attribute
<script>
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>     Inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>          One side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div> Inside quoted event handler
{ background-image: url("javascript:alert(1)"); }   /* and every other property that takes a URL */
{ width: expression(alert('XSS')); }                /* only in old versions of IE */
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>     property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style>   property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span>         property value
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
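The snippets above name five output contexts (HTML body, HTML attribute, JavaScript string, CSS property value, URL parameter), and each needs its own encoder. Below is an added example, not code from the gist or from OWASP, that implements one encoder per context following the rules the snippets illustrate: the HTML body encoder emits exactly the six entities from the table, and the attribute, JavaScript and CSS encoders hex-encode every non-alphanumeric character below 256 in the form that context's parser understands. The `renderProfile` function and the `user` record it renders are constructed for the demo.

```javascript
// Added example: one output encoder per context. Not part of the gist.

// Rule for HTML body content: the six entities from the table.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtmlBody(s) {
  return String(s).replace(/[&<>"'/]/g, (c) => HTML_ENTITIES[c]);
}

// Shared helper: encode every character that is not [A-Za-z0-9] using fmt.
// Code points at or above 256 are left as-is; only the low range can
// terminate any of these contexts.
function encodeNonAlnum(s, fmt) {
  let out = '';
  for (const ch of String(s)) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch) || cp >= 256) out += ch;
    else out += fmt(cp);
  }
  return out;
}

const hex2 = (cp) => cp.toString(16).toUpperCase().padStart(2, '0');

// HTML attribute value: &#xHH;  Encoding the space too keeps even an
// unquoted attribute from being terminated by the data.
function escapeHtmlAttribute(s) {
  return encodeNonAlnum(s, (cp) => `&#x${hex2(cp)};`);
}

// JavaScript string literal: \xHH.  Only for data inside a quoted string;
// it does not make data safe for eval() or setInterval(string).
function escapeJsString(s) {
  return encodeNonAlnum(s, (cp) => `\\x${hex2(cp)}`);
}

// CSS property value: \HH followed by a space, which terminates the escape.
function escapeCssValue(s) {
  return encodeNonAlnum(s, (cp) => `\\${hex2(cp)} `);
}

// URL query parameter value: standard percent-encoding.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Constructed demo: every placeholder uses the encoder for its context.
function renderProfile(user) {
  return [
    `<div data-name="${escapeHtmlAttribute(user.name)}">${escapeHtmlBody(user.name)}</div>`,
    `<script>var name = '${escapeJsString(user.name)}';</script>`,
    `<span style="color: ${escapeCssValue(user.color)}">text</span>`,
    `<a href="/search?q=${escapeUrlParam(user.name)}">link</a>`,
  ].join('\n');
}

console.log(renderProfile({ name: '<b>"x"&\'/', color: 'red; x' }));
```

Pick the encoder by where the data lands in the generated document, not by where it came from; the same string needs a different encoding in each of the four placeholders in `renderProfile`. For the `setInterval` case shown earlier, no encoder applies: pass a function rather than a string so the data is never parsed as code.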