Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Content-Security-Policy: default-src: 'self'; script-src: 'self' static.domain.tld
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> Directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> Inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> In an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" /> In a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style> Directly in CSS
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27; &apos; not recommended because its not in the HTML spec. &apos; is in the XML and XHTML specs.
/ --> &#x2F; Forward slash is included as it helps end an HTML entity
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> Inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> Inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> Inside double quoted attribute
<script>
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> Inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> One side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"</div> Inside quoted event handler
{ background-url : "javascript:alert(1)"; } // and all other URLs
{ text-size: "expression(alert('XSS'))"; } // only in IE
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> property value
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a >
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.