
XSS (Cross Site Scripting) Cheat Sheet - duck
http://ha.ckers.org/xss.html
======
damncabbage
This is unfortunately very out of date now.

It is, however, a nice illustration of why your sanitisation regex probably
isn't going to work as well as you'd like.

(Additional notes: [http://stackoverflow.com/questions/1732348/regex-match-open-...](http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454) )

~~~
jerf
In what way are you saying it's out of date? The vast, vast bulk of those will
work today just fine; very few of them are actually based on browser bugs.
Most of them are really about getting valid HTML past dumb filters.

~~~
aj-code
One of the most useful features of that site used to be that you could tell at
a glance which browsers the XSS payload would work on, and which it wouldn't.
It hasn't been updated for modern browsers so now you have to test each
browser yourself.

A lot of the payloads aren't based on browser "bugs" as such, more just the
way browsers loosely interpret mangled HTML, CSS and JavaScript. Newer
browsers tend to be stricter on what they'll interpret, especially when it
comes to a potential XSS vector. The site doesn't seem to have been updated
for anything after IE7 and Firefox 2, but I'm not aware of any better cheat
sheets. Anyone got any?

------
Kiro
I remember using this a lot when making a site back in the days where users
could change stuff using HTML/CSS. I had to gradually add more regex filters
to combat trolls who managed to insert nasty JS. It was great fun and I don't
think the trolls realised that they were actually doing me a favor all along.
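
Added example, not written by any commenter and not taken from the cheat sheet: a hypothetical tag-stripping regex of the kind discussed in this thread, checked with an HTML parser to see what active markup survives it, next to plain output escaping. The filter pattern, the function names and the sample inputs are all constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical blacklist filter: delete anything that looks like a script tag.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.I)

def regex_filter(text):
    return SCRIPT_TAG.sub("", text)

class ActiveMarkup(HTMLParser):
    """Collects script elements, on* handlers and javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} {name} handler")
            elif name in ("href", "src") and \
                    (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag} {name} javascript: URL")

def active_markup(fragment):
    """Parse the fragment as a browser-like parser would and list what is live."""
    parser = ActiveMarkup()
    parser.feed(fragment)
    parser.close()
    return parser.findings

def escaped_findings(text):
    """Same check after output encoding instead of filtering."""
    return active_markup(html.escape(text))

# Constructed sample inputs (inert alert(1) markers only).
SAMPLES = [
    "<b>hello</b>",
    "<script>alert(1)</script>",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # removal reassembles the tag
    "<img src=x onerror=alert(1)>",                # no script tag involved
    '<a href="javascript:alert(1)">x</a>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), active_markup(regex_filter(s)), escaped_findings(s))
```

The filter only handles the one input shape it was written for; escaping at output leaves the parser nothing to interpret as a tag for any of the samples.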

