This page collects reflected XSS from an array of sources and to various sinks. The sinks are distributed to cover the HTML contexts, while the sources try to cover as many of the real data sources as possible.

Unless otherwise specified, no escaped is performed on the payload.

HTML Contexts

This class of XSS simply takes a value from the parameter and echoes it back in an HTML page in a specific HTML context

Error status codes:

Simple body-based reflected XSS served with an error HTTP status code.

Tags with special semantics:

Tags that ignore content in between the closing and the opening tag

CSS context

XSS that can occur inside a STYLE block or inside a style="" attribute.

HTML event handler JS context

XSS that can occur inside eventhandler attribute of a HTML element.
Note that these payloads are escaped so that they break out of the handler.

JS context

XSS that can occur inside a SCRIPT block.


XSS that can occur due to unsanitized URLs in various contexts.

Content sniffing

These XSS can only be triggered on (and affect) content sniffing browsers.

Escaping and filtering

XSS requiring escaping or filtering certain types of requests.