This page collects reflected XSS test cases that take a value from a parameter (the source) and echo it into various sinks, where the value is escaped on the server (HTML escaped or URL escaped) before it reaches the sink.
HTML Contexts
This class of XSS simply takes a value from the parameter and echoes it back in an HTML page, in a specific HTML context, with some escaping applied.
- Body - HTML escaped: The parameter is echoed within the main BODY tag.
- Body - URL escaped: The parameter is echoed within the main BODY tag.
- Head - HTML escaped: The parameter is echoed within the HEAD tag.
- Head - URL escaped: The parameter is echoed within the HEAD tag.
- Body HTML comment - HTML escaped: The parameter is echoed inside an HTML comment in the HTML BODY.
- Body HTML comment - URL escaped: The parameter is echoed inside an HTML comment in the HTML BODY.
- Textarea - HTML escaped: The parameter is echoed in a TEXTAREA tag's CDATA. In this case, no parsing of the payload is performed unless the textarea tag is closed.
- Textarea - URL escaped: The parameter is echoed in a TEXTAREA tag's CDATA. In this case, no parsing of the payload is performed unless the textarea tag is closed.
- Tag name - HTML escaped: The parameter is used as a tag name, i.e. <%q>
- Tag name - URL escaped: The parameter is used as a tag name, i.e. <%q>
- Attribute unquoted - HTML escaped: The parameter is echoed in an unquoted HTML attribute, i.e. <foo src=%q>
- Attribute unquoted - URL escaped: The parameter is echoed in an unquoted HTML attribute, i.e. <foo src=%q>
- Attribute single quoted - HTML escaped: The parameter is echoed in a single quoted HTML attribute, i.e. <foo src='%q'>
- Attribute single quoted - URL escaped: The parameter is echoed in a single quoted HTML attribute, i.e. <foo src='%q'>
- Attribute double quoted - HTML escaped: The parameter is echoed in a double quoted HTML attribute, i.e. <foo src="%q">
- Attribute double quoted - URL escaped: The parameter is echoed in a double quoted HTML attribute, i.e. <foo src="%q">
- Attribute name - HTML escaped: The parameter is used as an attribute name, i.e. <foo %q=irrelevant>
- Attribute name - URL escaped: The parameter is used as an attribute name, i.e. <foo %q=irrelevant>
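As an added illustration of the HTML contexts listed above (example code written for this page, not part of the original test suite), the following Python renders a value into each context after the two escapings the page names, then parses the result the way a browser's HTML parser would and checks that the value stayed exactly where the template put it. The template strings, the `render` and `stays_in_context` names, the scheme table and the allowlist grammar for tag and attribute names are assumptions made here; the escapers are Python's standard `html.escape` and `urllib.parse.quote`.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Hypothetical server-side templates, one per context listed above; {q} is
# where the (already escaped) parameter value is spliced in.
TEMPLATES = {
    "body": "<body>{q}</body>",
    "comment": "<body><!-- {q} --></body>",
    "textarea": "<body><textarea>{q}</textarea></body>",
    "attr_unquoted": "<body><foo src={q}></body>",
    "attr_single": "<body><foo src='{q}'></body>",
    "attr_double": '<body><foo src="{q}"></body>',
}

# Tag and attribute names cannot be made safe by escaping; the only defence is
# an allowlist grammar (assumed here) checked before rendering.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def html_escape(value: str) -> str:
    """The page's 'HTML escaped' variant: & < > \" and ' become entities."""
    return html.escape(value, quote=True)


def url_escape(value: str) -> str:
    """The page's 'URL escaped' variant: everything but unreserved chars becomes %XX."""
    return quote(value, safe="")


# Each scheme pairs the escaper with the inverse a checker must apply to what the
# HTML parser yields: the parser already decodes entities but leaves %XX untouched.
SCHEMES = {"html": (html_escape, lambda s: s), "url": (url_escape, unquote)}


def render(context: str, value: str, scheme: str = "html") -> str:
    """Splice `value` into `context` using the named escaping scheme."""
    if context in ("tag_name", "attr_name"):
        if not NAME_RE.match(value):
            raise ValueError("name outside allowlist grammar")
        tpl = "<{q}>" if context == "tag_name" else "<foo {q}=irrelevant>"
        return tpl.format(q=value)
    escaper, _ = SCHEMES[scheme]
    return TEMPLATES[context].format(q=escaper(value))


class _Collector(HTMLParser):
    """Records what an HTML parser sees, standing in for the browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.attrs, self.data, self.comments = [], [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.append(attrs)

    def handle_data(self, data):
        self.data.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def stays_in_context(context: str, value: str, scheme: str = "html") -> bool:
    """True when the parsed page shows the value exactly where the template meant it,
    i.e. the value created no extra tag, attribute or comment."""
    _, decode = SCHEMES[scheme]
    p = _Collector()
    p.feed(render(context, value, scheme))
    p.close()
    text = decode("".join(p.data))
    if context == "body":
        return p.tags == ["body"] and text == value
    if context == "comment":
        # Entities are not decoded inside comments, so only structure is checked.
        return p.tags == ["body"] and len(p.comments) == 1 and not "".join(p.data)
    if context == "textarea":
        return p.tags == ["body", "textarea"] and text == value
    # Attribute contexts: exactly one attribute, named src, holding the value.
    if p.tags != ["body", "foo"]:
        return False
    return [(n, decode(v)) for n, v in p.attrs[1]] == [("src", value)]
```

The check is what turns the catalogue into a regression test: for quoted attributes and text nodes both schemes keep the value inside its node, while the unquoted attribute context splits on whitespace under HTML escaping (a space is not an HTML special character), which is why quoting every attribute is the usual rule.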
CSS context
XSS that can occur inside a STYLE block or inside a style="" attribute.
- CSS - HTML escaped: The parameter is echoed as the only content of a STYLE tag positioned in the HEAD.
- CSS - URL escaped: The parameter is echoed as the only content of a STYLE tag positioned in the HEAD.
- CSS Value - HTML escaped: The parameter is echoed as a color value in a STYLE tag positioned in the HEAD.
- CSS Value - URL escaped: The parameter is echoed as a color value in a STYLE tag positioned in the HEAD.
- CSS Font Name - HTML escaped: The parameter is echoed as a font value in a STYLE tag positioned in the HEAD. Font names are particularly interesting because many sanitizers do not behave correctly when parsing them.
- CSS Font Name - URL escaped: The parameter is echoed as a font value in a STYLE tag positioned in the HEAD. Font names are particularly interesting because many sanitizers do not behave correctly when parsing them.
JS context
XSS that can occur inside a SCRIPT block.
- Javascript unquoted assignment - HTML escaped: Assigns the parameter value in an unquoted JS assignment, i.e. var foo = %q;
- Javascript unquoted assignment - URL escaped: Assigns the parameter value in an unquoted JS assignment, i.e. var foo = %q;
- Javascript eval - HTML escaped: Pipes the parameter into an eval, i.e. eval(%q);
- Javascript eval - URL escaped: Pipes the parameter into an eval, i.e. eval(%q);
- Javascript quoted string - HTML escaped: Assigns the parameter value in a quoted JS assignment, i.e. var foo = "%q";
- Javascript quoted string - URL escaped: Assigns the parameter value in a quoted JS assignment, i.e. var foo = "%q";
- Javascript single quoted string - HTML escaped: Assigns the parameter value in a single quoted JS assignment, i.e. var foo = '%q';
- Javascript single quoted string - URL escaped: Assigns the parameter value in a single quoted JS assignment, i.e. var foo = '%q';
- Javascript slash quoted string - HTML escaped: Assigns the parameter value in a single slash quoted JS assignment, i.e. var foo = \%q\;
- Javascript slash quoted string - URL escaped: Assigns the parameter value in a single slash quoted JS assignment, i.e. var foo = \%q\;
- Javascript comment - HTML escaped: Inserts the parameter into a JavaScript comment, i.e. /* %q */
- Javascript comment - URL escaped: Inserts the parameter into a JavaScript comment, i.e. /* %q */
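As an added example serving both the CSS contexts and the JS contexts listed above (written for this page; not part of the original test suite), the following Python shows the context-specific encoders that plain HTML or URL escaping does not provide: a `\u` escaper for quoted JS strings and JS comments, a hex escaper for quoted CSS strings such as font names, an allowlist for CSS color values, and a checker that reports when an escaped value still carries a JS string or comment terminator. The eval sink gets no encoder at all, since no escaping makes untrusted input safe as code. The function names, the template strings, the breaker set and the allowlist grammar are assumptions made here.

```python
import html
import re

ALNUM = re.compile(r"[A-Za-z0-9]")

# Characters or sequences that, left raw, end a JS string literal, a /* */
# comment, or the SCRIPT block itself. Used only to audit an escaper's output.
JS_BREAKERS = ('"', "'", "\\", "\n", "\r", "\u2028", "\u2029", "<", "*/")
ESCAPE_RE = re.compile(r"\\u[0-9a-fA-F]{4}")


def js_escape(value: str) -> str:
    """Escape every character except ASCII letters and digits as \\uXXXX
    (surrogate pairs above U+FFFF). The output carries no quote, line
    terminator, '<' or '*/', so it is inert in a quoted JS string or comment."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ALNUM.match(ch):
            out.append(ch)
        elif cp > 0xFFFF:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def leaves_breakers(escaped: str) -> bool:
    """True if, outside well-formed \\uXXXX escapes, the text still contains
    something that terminates a JS string, comment or script block."""
    rest = ESCAPE_RE.sub("", escaped)
    return any(b in rest for b in JS_BREAKERS)


def html_escaped(value: str) -> str:
    """The page's 'HTML escaped' scheme, for comparison with js_escape."""
    return html.escape(value, quote=True)


def render_js(context: str, value: str) -> str:
    """Safe renderings for the JS contexts above: the value always becomes a
    string literal, even for the 'unquoted' sink, and eval is refused."""
    if context == "eval":
        raise ValueError("untrusted input cannot be emitted as JS code")
    q = js_escape(value)
    return {
        "unquoted": f'var foo = "{q}";',  # quoted on purpose: never a bare token
        "double": f'var foo = "{q}";',
        "single": f"var foo = '{q}';",
        "comment": f"/* {q} */",
    }[context]


def css_escape(value: str) -> str:
    """CSS hex-escape everything but ASCII letters and digits. The fixed
    six-digit form needs no trailing space. Use inside a quoted CSS string."""
    return "".join(ch if ALNUM.match(ch) else f"\\{ord(ch):06x}" for ch in value)


# Assumed allowlist for the colour sink: #rgb, #rrggbb or a bare colour keyword.
COLOR_RE = re.compile(r"^(#[0-9A-Fa-f]{3}(?:[0-9A-Fa-f]{3})?|[A-Za-z]{1,20})$")


def render_css(context: str, value: str) -> str:
    """Safe renderings for the CSS contexts above: colours must match the
    allowlist, font names are quoted and hex-escaped, and a whole STYLE body
    is never built from untrusted input."""
    if context == "color":
        if not COLOR_RE.match(value):
            raise ValueError("colour value outside allowlist grammar")
        return f"<style>body {{ color: {value}; }}</style>"
    if context == "font":
        return f'<style>body {{ font-family: "{css_escape(value)}"; }}</style>'
    raise ValueError("a whole STYLE block cannot be built safely from untrusted input")
```

The audit helper makes the page's point measurable: HTML escaping turns `<` into an entity but leaves the backslash and line terminators alone, so an HTML-escaped value inside `var foo = "%q";` still fails `leaves_breakers`, whereas the `\u` form passes for every input. The same idea applies to the CSS font-name sink, where `;` and `}` are not HTML special characters and only a CSS-aware escaper neutralises them.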
URLs
XSS that can occur due to unsanitized URLs in various contexts.
JS eval context
XSS that can occur inside an eval inside a SCRIPT block.