XSS

Note: most of this file is commented out. You should uncomment one script at a time locally to play with it, and put the scripts to be tested last.

Master cheatsheet:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

The goal is to insert:

on the pages.

Script without script element via onerror:

Inside SVG:

Only works for embedded SVGs.

Firefox does not run a script without a closing element.

This is annoying when you can't inject the slash / character.