Last active
January 29, 2024 05:01
-
-
Save kaiili/73f9c284e06b1f239bc7415c3a0f9ae1 to your computer and use it in GitHub Desktop.
XSS all in one
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dom.querySelector("script") || | |
| dom.querySelector("svg") || | |
| dom.querySelector("meta") || | |
| dom.querySelector("x") || // todo: x:script | |
| dom.querySelector("object[data]") || | |
| dom.querySelector("iframe[src]") || | |
| dom.querySelector("iframe[srcdoc]") || | |
| dom.querySelector("embed[src]") || | |
| dom.querySelector("base[href]") || | |
| dom.querySelector("form[formaction]") || | |
| dom.querySelector("form[action]") || | |
| dom.querySelector("[onerror]") || | |
| dom.querySelector("[onload]") || | |
| dom.querySelector("[onclick]") || | |
| dom.querySelector("[onchange]") || | |
| dom.querySelector("[onclose]")); | |
| // and more onxxx... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
// links
javascript:alert(1)
javascript:'<script>alert(1)</script>'
data:text/javascript,alert(1)
data:image/svg+xml,"..."
data:image/svg+xml;base64,"..."
data:text/xml;charset=utf-8,"..."
// and more: charset, encode