1)普通的XSS JavaScript注入 
 
(2)IMG标签XSS使用JavaScript命令 
 
(3)IMG标签无分号无引号 
 
(4)IMG标签大小写不敏感 
 
(5)HTML编码(必须有分号) 
 
(6)修正缺陷IMG标签 
http://www.dksrcw.com/article/%E2%80%9D> 
(7)formCharCode标签(计算器) 
 
(8)UTF-8的Unicode编码(计算器) 
 
(9)7位的UTF-8的Unicode编码是没有分号的(计算器) 
 
(10)十六进制编码也是没有分号(计算器) 
 
(11)嵌入式标签,将Javascript分开 
 
(12)嵌入式编码标签,将Javascript分开 
 
(13)嵌入式换行符 
 
(14)嵌入式回车 
 
(15)嵌入式多行注入JavaScript,这是XSS极端的例子 
 
(16)解决限制字符(要求同页面) 
 
 
 
 
 
 
 
 
 
 
(17)空字符12-7-1 T00LS - Powered by Discuz! Board 
https://www.t00ls.net/viewthread.php?action=printable&tid=15267 2/6 
perl -e ‘print “http://www.dksrcw.com/article/%E2%80%9D;’ >out 
(18)空字符2,空字符在国内基本没效果.因为没有地方可以利用 
perl -e ‘print “alert(\http://www.dksrcw.com/article/%E2%80%9DXSS\http://www.dksrcw.com/article/%E2%80%9D)\0IPT>http://www.dksrcw.com/article/%E2%80%9D;’ >out 
(19)Spaces和meta前的IMG标签 
 
(20)Non-alpha-non-digit XSS 
 
(21)Non-alpha-non-digit XSS to 2 

 
(22)Non-alpha-non-digit XSS to 3 
 
(23)双开括号