This class of XSS simply takes a value from the parameter and echoes it back in an HTML page in a specific HTML context with some escaping

• Body - HTML escaped - The parameter is echoed within the main BODY tag.
• Body - URL escaped - The parameter is echoed within the main BODY tag.
• Head - HTML escaped - The parameter is echoed within the HEAD tag.
• Head - URL escaped - The parameter is echoed within the HEAD tag.
• Body HTML comment - HTML escaped - The parameter is echoed inside an HTML comment in the HTML BODY.
• Body HTML comment - URL escaped - The parameter is echoed inside an HTML comment in the HTML BODY.
• Textarea - HTML escaped - The parameter is echoed in a TEXTAREA tag's CDATA. In this case, no parsing of the payload is performed unless the textarea tag is closed.
• Textarea - URL escaped - The parameter is echoed in a TEXTAREA tag's CDATA. In this case, no parsing of the payload is performed unless the textarea tag is closed.
• Tag name - HTML escaped - The parameter is used as a tag name, i.e. <%q>
• Tag name - URL escaped - The parameter is used as a tag name, i.e. <%q>
• Attribute unquoted - HTML escaped - The parameter is echoed in an HTML attribute, unquoted. i.e. <foo src=%q>
• Attribute unquoted - URL escaped - The parameter is echoed in an HTML attribute, unquoted. i.e. <foo src=%q>
• Attribute single quoted - HTML escaped - The parameter is echoed in an HTML attribute, single quoted. i.e. <foo src='%q'>
• Attribute single quoted - URL escaped - The parameter is echoed in an HTML attribute, single quoted. i.e. <foo src='%q'>
• Attribute double quoted - HTML escaped - The parameter is echoed in an HTML attribute, double quoted. i.e. <foo src="%q">
• Attribute double quoted - URL escaped - The parameter is echoed in an HTML attribute, double quoted. i.e. <foo src="%q">
• Attribute name - HTML escaped - The parameter is used as an attribute name, i.e. <foo %q=irrelevant>
• Attribute name - URL escaped - The parameter is used as an attribute name, i.e. <foo %q=irrelevant>

XSS that can occur inside a STYLE block or inside a style="" attribute.

• CSS - HTML escaped - The parameter is echoed as the only content of a STYLE tag positioned into the HEAD.
• CSS - URL escaped - The parameter is echoed as the only content of a STYLE tag positioned into the HEAD.
• CSS Value - HTML escaped - The parameter is echoed as a color value in a STYLE tag positioned into the HEAD.
• CSS Value - URL escaped - The parameter is echoed as a color value in a STYLE tag positioned into the HEAD.
• CSS Font Name - HTML escaped - The parameter is echoed as a font value in a STYLE tag positioned into the HEAD. Font name is particularly interesting because many sanitizers do not behave correctly when parsing it.
• CSS Font Name - URL escaped - The parameter is echoed as a font value in a STYLE tag positioned into the HEAD. Font name is particularly interesting because many sanitizers do not behave correctly when parsing it.

XSS that can occur inside a SCRIPT block.

• Javascript unquoted assignment - HTML escaped - Assigns the parameter value to an unquoted js assignment, i.e. var foo = %q;
• Javascript unquoted assignment - URL escaped - Assigns the parameter value to an unquoted js assignment, i.e. var foo = %q;
• Javascript eval - HTML escaped - Pipes the parameter into an eval, i.e. eval(%q);
• Javascript eval - URL escaped - Pipes the parameter into an eval, i.e. eval(%q);
• Javascript quoted string - HTML escaped - Assigns the parameter value to an quoted js assignment, i.e. var foo = "%q";
• Javascript quoted string - URL escaped - Assigns the parameter value to an quoted js assignment, i.e. var foo = "%q";
• Javascript single quoted string - HTML escaped - Assigns the parameter value to a single quoted js assignment, i.e. var foo = '%q';
• Javascript single quoted string - URL escaped - Assigns the parameter value to a single quoted js assignment, i.e. var foo = '%q';
• Javascript slash quoted string - HTML escaped - Assigns the parameter value to a single slash quoted js assignment, i.e. var foo = \%q\;
• Javascript slash quoted string - URL escaped - Assigns the parameter value to a single slash quoted js assignment, i.e. var foo = \%q\;
• Javascript comment - HTML escaped - Inserts the parameter into a javascript comment, i.e. /* %q */
• Javascript comment - URL escaped - Inserts the parameter into a javascript comment, i.e. /* %q */

XSS that can occur due to unsanitized URLs in various contexts.

• Script SRC double quoted - HTML escaped - Assigns the parameter to a SCRIPT src between quotes.
• Script SRC double quoted - URL escaped - Assigns the parameter to a SCRIPT src between quotes.
• URL - HREF - HTML escaped - Assigns the parameter to an HREF property of an A tag. Requires clicking to trigger.
• URL - HREF - URL escaped - Assigns the parameter to an HREF property of an A tag. Requires clicking to trigger.
• URL - CSS - HTML escaped - Assigns the parameter to the SRC property of a STYLE tag in the HEAD.
• URL - CSS - URL escaped - Assigns the parameter to the SRC property of a STYLE tag in the HEAD.

XSS that can occur inside an eval inside a SCRIPT block.

• Eval payload after applying escape()
• Eval payload after applying encodeURIComponent()
• Eval payload after escaping <, & and >()