Firing Range - Tag based injections

This page collects XSS attacks where the payload is validated to be a specific HTML tag. This severely restricts the payloads that can be used, and is generally relevant for testing attacks against CMS systems or similar features.

Pure Tags

These vectors only verify if the tag in the request is a certain tag.

Any tag - Allows any HTML tag in the request.
META - Only allows META tags through. META tags can perform redirect attacks.
DIV - Allows any DIV tag.
IMG - Allows any IMG tag.
STYLE - Allows any STYLE tag.
IFRAME - Allows any IFRAME tag.

Attributes restricted

The following vectors will only allow a certain attribute for a tag.
The first value is the tag being allowed, the second the specific attribute.

Other attacks

A collection of other esoteric attack types, exercising various types of escaping.

Expression based attacks - Only allows tags, but filtering out event handlers. It only allows style as a property, but explicitly blocks the word "expression" in the style. To exploit this vector, the payload has to use something like ex/**/pression or so.
Multiline tags - Only multiline tags allowed (%0a<script>alert(1)</script>). The server applies a single line regular expression to filter out any tag in the request, which can be tricked by a multiline payload.