- script tags
- attributes with event handler value (onload, onerror, ...)
- 2.1. some here
- 2.2. to discover others: search for the events the app accepts (use this list) and try to escalate one to an XSS
- 2.3. alert(1) == location=window.atob`amF2YXNjcmlwdDphbGVydCgxKQoK` (the base64 string decodes to javascript:alert(1))
- attributes with URL value
- 3.1. embed/src, iframe/src, object/data, a/href, button/formaction, form/action; more in https://www.w3.org/TR/2017/REC-html52-20171214/fullindex.html#attributes-table
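
A review-side check for the three categories above, added here as an example and not part of the original notes: it parses an HTML fragment and reports script tags, event-handler attributes, and the URL-valued attributes from 3.1 whose value resolves to a script-capable scheme. The names `SinkAuditor`, `audit`, `normalize_url` and the `RISKY_SCHEMES` list are assumptions of this example, and the sample markup is constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs with URL values, as listed in item 3.1.
URL_ATTRS = {("embed", "src"), ("iframe", "src"), ("object", "data"),
             ("a", "href"), ("button", "formaction"), ("form", "action")}
# Schemes flagged as script-capable (an assumption of this example).
RISKY_SCHEMES = ("javascript:", "data:", "vbscript:")


def normalize_url(value):
    """Mimic URL parsing: drop leading/trailing C0 controls and spaces,
    drop tab/newline anywhere, lowercase for the scheme comparison."""
    value = value.strip("".join(map(chr, range(0x21))))
    return value.translate({9: None, 10: None, 13: None}).lower()


class SinkAuditor(HTMLParser):
    """Collects (kind, tag, attribute) for the three sink categories."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-tag", tag, None))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", tag, name))
            elif (tag, name) in URL_ATTRS and normalize_url(
                    value or "").startswith(RISKY_SCHEMES):
                self.findings.append(("script-url", tag, name))


def audit(html):
    """Return the findings for one HTML fragment."""
    auditor = SinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one element per category plus benign markup.
SAMPLE = ('<p class="note">hello</p><script>alert(1)</script>'
          '<img src="x.png" onerror="alert(1)">'
          '<a href=" JavaScript:alert(1)">link</a>'
          '<a href="https://example.com/">ok</a>'
          '<button formaction="javascript:alert(1)">go</button>')

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The parser lowercases tag and attribute names and decodes character references in attribute values before the scheme check, so the comparison runs on the value a browser would see.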