This page collects reflected XSS from an array of sources and to various sinks.
    The sinks are distributed to cover the HTML contexts, while the sources try to
    cover as many of the real data sources as possible.
  
  
    Unless otherwise specified, no escaping is performed on the payload.
  
 
HTML Contexts
   This class of XSS simply takes a value from the parameter and echoes it
      back in an HTML page in a specific HTML context.
  
 
Error status codes:
  Simple body-based reflected XSS served with an error HTTP status code.
  
 
Tags with special semantics:
  Tags that ignore content between the opening and the closing tag.
  
    - Parameter - iFrame Attribute Value -
      The parameter is used as an attribute value, i.e. <iframe attribute=%q>
    - Parameter - iFrame srcdoc -
      The parameter is used as an attribute value, i.e. <iframe srcdoc=%q>.
      The srcdoc attribute is supposed to be used together with the sandbox and seamless attributes.
      If a srcdoc attribute is present within an iframe it will override content specified by the
      src attribute. Thereby it accepts arbitrary HTML code which will be rendered inside the iframe.
    - Parameter - Textarea -
      The parameter is echoed in a TEXTAREA tag's CDATA. In this case, no
      parsing of the payload is performed unless the TEXTAREA tag is closed.
    - Parameter - Textarea Attribute Value -
      The parameter is used as an attribute value, i.e. <textarea attribute=%q>
    - Parameter - NoScript -
      The parameter is echoed in a NOSCRIPT tag's CDATA. In this case, no
      parsing of the payload is performed unless the NOSCRIPT tag is closed.
    - Parameter - Style Attribute Value -
      The parameter is used as an attribute value, i.e. <style attribute=%q>
 
CSS context
   XSS that can occur inside a STYLE block or inside a style="" attribute. 
  
    - Parameter - CSS -
      The parameter is echoed as the only content of a STYLE tag positioned
      into the HEAD.
    - Parameter - CSS Value -
      The parameter is echoed as a color value in a STYLE tag positioned into
      the HEAD.
    - Parameter - CSS Font Name -
      The parameter is echoed as a font value in a STYLE tag positioned into
      the HEAD. Font name is particularly interesting because many sanitizers
      do not behave correctly when parsing it.
 
HTML event handler JS context
   XSS that can occur inside an event handler attribute of an HTML element.
      Note that these payloads are escaped so that they break out of the handler.
  
 
JS context
   XSS that can occur inside a SCRIPT block. 
  
 
URLs
   XSS that can occur due to unsanitized URLs in various contexts.
 
  
    - Parameter - Script SRC double quoted -
      Assigns the parameter to a SCRIPT src between quotes.
    
    - URL - HREF -
      Assigns the parameter to an HREF property of an A tag. Requires clicking to trigger.
    - URL - CSS -
      Assigns the parameter to the SRC property of a STYLE tag in the HEAD.
    - URL - Script SRC -
      Assigns the parameter to the SRC property of a SCRIPT tag. The parameter must contain
      a parseable URL.
    - URL - Object DATA -
      Assigns the parameter to the DATA property of an OBJECT tag. The parameter must contain
      a parseable URL.
    - URL - Param SRC -
      Assigns the parameter to the SRC property of an OBJECT's PARAM tag. The parameter
      must contain a parseable URL.
 
Content sniffing
  These XSS can only be triggered on (and affect) content-sniffing browsers.
 
  
    - Parameter - JSON -
      Inserts the parameter inside a JSON object. Returns an HTML content type.
      Note that this XSS does not actually require MIME content sniffing.
    - ContentSniffing -
      Inserts the parameter inside a JSON object. Returns a JSON content type.
    - ContentSniffing -
      Inserts the parameter in a text/plain page.
    - ContentSniffing - Callback -
      Uses a hidden callback parameter as a JSONP callback. The interesting bit
      here is that the callback parameter is not in this link, so the scanner
      has to guess its presence.
 
Escaping and filtering
  XSS requiring escaping or filtering certain types of requests.