alert(document.domain), Documenting the impossible: Unexploitable XSS labs, within a script based context and the second in HTML. I wish this infographic helps you find proper CSS selectors.


In quirks mode IE allowed you to use = instead of : Older versions of IE supported event handlers in functions, GreyMagic HTML+time exploit (no longer works even in 5 docmode). Save time/money. Submitted by David Cross .

Fires when enough data has been loaded to play the resource all the way through, Fires when the resource is finished playing, Fires when the resource fails to load or causes an error, Fires when message event is received from a postMessage call, Fires when the video/audio begins downloading, Fires when right clicking or using the middle button of the mouse, Triggered when right clicking to show the context menu, Triggered when double clicking the element, Triggered when dragging is finished on the element, Fires when a video changes full screen status.

No parentheses using location redirect no strings, No parentheses using template strings and location hash, No parentheses or spaces, using template strings and location hash, Object data attribute with JavaScript protocol, Embed src attribute with JavaScript protocol, Characters \x01-\x20 are allowed before the protocol, Characters \x09,\x0a,\x0d are allowed inside the protocol, Characters \x09,\x0a,\x0d are allowed after protocol name before the colon, Xlink namespace inside SVG with JavaScript protocol, SVG script href attribute without closing script tag, Base tag with JavaScript protocol rewriting relative URLs, Animate tag with keytimes and multiple values, Click a submit element from anywhere on the page, even outside the form, Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements, Link elements: Access key attributes can enable XSS on normally unexploitable elements, Download attribute can save a copy of the current webpage, Set window.name via parameter on the window.open function, Set window.name via name attribute in a