Note: most of this file is commented out. You should uncomment one script at a time locally to play with it, and put the scripts to be tested last.
Master cheatsheet:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
The goal is to insert:
on the pages.
Script without script
element via onerror:
Inside SVG:
Only works for embedded SVGs.
Firefox executes does not run a script with closing element.
This is annoying when you can't inject the slash / character.