OWASP XSS Filter Evasion Cheat Sheet
Browser support reference table:
XSS Injection Cheat Sheet
OWASP Cheat Sheet: XSS Filter Evasion. OWASP Java Encoder Project External. CWE-79: Improper neutralization of user supplied input. PortSwigger: Client-side template injection.
Cross-site Scripting Attack Vectors
The following is a list of common XSS attack vectors that an attacker could use to compromise the security of a website or web application through an XSS attack. A more extensive list of XSS payload examples is maintained by the OWASP organization: XSS Filter Evasion Cheat Sheet.
IE7.0 | Vector works in Internet Explorer 7.0. Most recently tested with Internet Explorer 7.0.5700.6 RC1, Windows XP Professional SP2. |
IE6.0 | Vector works in Internet Explorer. Most recently tested with Internet Explorer 6.0.28.1.1106CO, SP2 on Windows 2000. |
NS8.1-IE | Vector works in Netscape 8.1+ in IE rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. This used to be called trusted mode, but Netscape has changed its security model away from the trusted/untrusted model and has opted for Gecko as the default and IE as an option. |
NS8.1-G | Vector works in Netscape 8.1+ in the Gecko rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. |
FF2.0 | Vector works in Mozilla's Gecko rendering engine, used by Firefox. Most recently tested with Firefox 2.0.0.2 on Windows XP Professional. |
O9.02 | Vector works in Opera. Most recently tested with Opera 9.02, Build 8586 on Windows XP Professional. |
NS4 | Vector works in older versions of Netscape 4.0 - untested. |