4.2.6. Sink

4.2.6.1. 执行JavaScript

  • eval(payload)
  • setTimeout(payload, 100)
  • setInterval(payload, 100)
  • Function(payload)()
  • <script>payload</script>
  • <img src=x onerror=payload>

4.2.6.2. 加载URL

  • location=javascript:alert(/xss/)
  • location.href=javascript:alert(/xss/)
  • location.assign(javascript:alert(/xss/))
  • location.replace(javascript:alert(/xss/))

4.2.6.3. 执行HTML

  • xx.innerHTML=payload
  • xx.outerHTML=payload
  • document.write(payload)
  • document.writeln(payload)