Disclaimer: This platform is for educational and authorized security testing only.

XSS Cheat Sheet

XSS is the injection of untrusted content into contexts the browser executes or interprets (HTML, attributes, URLs, JavaScript, CSS). Prevent it with context-aware output encoding and safe rendering APIs.

Detection Clues

  • Untrusted input reflected/stored in HTML output
  • Use of unsafe DOM sinks such as innerHTML
  • Missing output encoding by context

Prevention

  • Use framework auto-escaping templates
  • Encode output for HTML, attributes, URL, JS context
  • Add CSP and avoid inline scripts where possible

Copy-Ready Safe Test String

This is a harmless encoding test string for verifying sanitization/escaping behavior.

<script>alert('test')</script>

Extended XSS Safe Test Pack (Harmless)

These inputs are sanitized, non-executable representations to validate encoding/escaping in different contexts. Copy and paste to test rendering safely.

XSS Context Matrix (what to encode where)

  • HTML: encode < > & " '
  • Attribute: encode quotes and other dangerous characters; always wrap the value in quotes
  • URL: percent-encode parameter values; reject javascript: and other non-http(s) schemes
  • JS: serialize as a JS string literal (escape backslashes and quotes)
  • CSS: never inject raw values; map input to a fixed set of safe classes, or sanitize any inline style

<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<a href=javascript:alert(1)>link</a>
<iframe srcdoc="<script>alert(1)</script>"></iframe>
<body onload=alert(1)>
<input value="" onfocus=alert(1) ">
<div style="background-image:url(javascript:alert(1))"></div>
<math href="javascript:alert(1)"></math>
<img src=x:alert(1) onerror=alert(1)>
<details open ontoggle=alert(1)></details>
<textarea autofocus onfocus=alert(1)></textarea>
<marquee onstart=alert(1)>x</marquee>
<select onchange=alert(1)><option>x</option></select>
<video src=x onerror=alert(1)></video>
<object data=javascript:alert(1)></object>
<img src=1 onerror="this.onerror=null;alert(1)">
<div onpointerenter=alert(1)>hover</div>
<img srcset="x 1x, javascript:alert(1) 2x">
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<form action="javascript:alert(1)"><input type=submit></form>

Note: These strings are escaped for safety and intended for verifying if your rendering layer encodes output properly. They are not executed by this page.
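The context matrix and the test strings above, worked through as an added example that is not part of the original cheat sheet: small context-aware encoders in JavaScript, applied to a constructed comment record that carries a few of the page's test strings. The `showComment` function name in the rendered script is a hypothetical placeholder.

```javascript
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body context: neutralise the five characters that can open a tag,
// start an entity, or close an attribute value.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ENTITIES[c]);
}

// Attribute context: same entity set, and the value is always quoted so a
// payload such as  " onfocus=alert(1)  cannot break out of the attribute.
function attr(s) {
  return '"' + encodeHtml(s) + '"';
}

// href/src context: allowlist http(s) and site-relative paths; any other
// scheme (javascript:, data:, vbscript:) or protocol-relative //host is dropped.
function safeHref(s) {
  const v = String(s).trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(v) ? v : 'about:blank';
}

// URL parameter context: percent-encode the value itself.
function urlParam(s) {
  return encodeURIComponent(String(s));
}

// JS string context: JSON.stringify yields a quoted literal with backslashes
// and quotes escaped; additionally escape < > & and the JS line terminators
// so the literal cannot close an inline <script> block early.
function jsString(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed comment record: each field carries a test string from this page.
const comment = {
  author: '<img src=x onerror=alert(1)>',
  text: "<script>alert('test')</script>",
  site: 'javascript:alert(1)',
};

// Render the comment using the encoder that matches each output context.
// showComment is a hypothetical page function, used only to show the JS context.
function renderComment(c) {
  return '<div class="comment" data-author=' + attr(c.author) + '>' +
    '<a href=' + attr(safeHref(c.site)) + '>' + encodeHtml(c.author) + '</a>' +
    '<p>' + encodeHtml(c.text) + '</p>' +
    '<script>showComment(' + jsString(c.text) + ');</script></div>';
}

console.log(renderComment(comment));
```

Every user-controlled `<`, `"` and `'` in the output arrives as an entity, and the `javascript:` link is replaced, so the page's test strings render as visible text rather than as markup.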

Real-Life Bug Pattern (Sanitized)

A comment field rendered as raw HTML led to account-takeover attempts in a social-app clone. Root cause: user input was trusted and injected into an admin moderation panel without context-aware encoding, so whatever a user typed was rendered as markup in a privileged session.