This page collects reflected XSS cases, from an array of sources to various sinks, in which the value is escaped on the server before being passed to the sink.

HTML Contexts

This class of XSS simply takes a value from the parameter and echoes it back in an HTML page, in a specific HTML context, with some escaping applied.

CSS context

XSS that can occur inside a STYLE block or inside a style="" attribute.

JS context

XSS that can occur inside a SCRIPT block.

URLs

XSS that can occur due to unsanitized URLs in various contexts.

JS eval context

XSS that can occur inside an eval inside a SCRIPT block.