This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Talk:XSS Filter Evasion Cheat Sheet

Revision as of 20:22, 12 October 2016 by Abhi M Balakrishnan (talk | contribs) (Filter bypass based polyglot)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

I can speak from being on the receiving end of XSS Evasion Attacks :)

Essentially what we need to do is to consolidate a couple of key resources. The top two being -

   HTML5Sec Vectors -  These are taken from Mario's awesome work -
   Shazzer's Successful Fuzzes -  These are from Gareth's equally awesome work -  

I would start with these two resources as the base and build from there.


Outdated Examples?

According to and due to my own observations, it seems that the examples with <img src="..."> provided here are outdated and irrelevant. Means: they are only relevant to Browsers <=IE6 . This makes it hard to collect the relevant (test-)cases from this page and may make people think that an application is not xss save if it does not handle these cases (as it was in my case). Can these examples either be removed or moved to a dedicated sub-chapter? Or I am completely wrong? - Markus Down

The site has been down for quite some time now, breaking the examples listed on the page. I've setup a mirror for these files, so the samples will work again. If ever comes back, the change to use the mirror can be reverted.

If anyone objects to this, please let me know. --Adam Caudill (talk) 18:43, 3 March 2016 (CST)


I searched online with "%tag" internet explorer, saw an example in The Browser Hackers Handbook 2014 and a reference to the main article. I wonder if the main article should include the <%tag style=xss:expression(alert(6))> trick. Another article explained that IE ignored a possibility of code execution via the unexpected tag, --Eelgheez (talk)

My attempt with %tag could not evade IE11's XSS filter. Oh well. --Eelgheez (talk) 17:14, 7 July 2016 (CDT)

Filter bypass based polyglot

Why is this polyglot linking to a resource on a private website? ( I believe it should link to localhost. In the case of a successful execution of the payload, the referrer header will get listed on the logs of

Abhi M Balakrishnan (talk)