<html> <head> </head> <body> <h1>1 test</h1> <p><style> block</p> <style>input { left:expression( alert('expression!') ) }</style> <style>div { background:url(alert('URL!') ) }</style> <h1>2 test</h1> <p><div> block</p> <div style="font-style:italic">valid css</div> <div style="color:red; background:url('//somedomain.com/somepath/somefile.png')"> <div style="{ left:expression( alert('expression!') ) }"> <div style="{ background:url( alert('URL!') ) }"> <h1>3 test</h1> <p>Inject comment text</p> <div style="{ left:exp/* */ression( alert('xss3') ) }"> <div style=" background:u/* */rl( alert('xssurl3') ) "> <h1>4 test</h1> <p>Using reverse solid to directe the codepoint</p> <div style="{ left:\0065\0078pression( alert('xss4') ) }"> <div style="{ background:\0075rl( alert('xssurl4') ) }"> <h1>5 test</h1> <p>Character entity references</p> <p>Character entity references is acceptable in "inline styles"</p> <div style="{ left:expression( alert('xss') ) }"> <div style="{ left:expression( alert('xss') ) }"> <div style="{ background:url( alert('URL!') ) }"> <div style="{ background:url( alert('URL!') ) }"> <div style="{ left:expression( alert('xss') ) }"> <div style="{ left:�.�.p�.�.�.�.�.o�.( alert('xss') ) }"> <div style="{ left:�.�./**/pression( alert('xss') ) }"> <div style="{ left:expʀessioɴ( alert('xss') ) }"> <div style="{ left:\0065\0078pression( alert('xss') ) }"> <div style="{ left:ex p ression( alert('xss') ) }"> <div style="{ background:�.�.�.( javascript:alert('xss') ) }"> <div style="{ background:u/**/rl( javascript:alert('xss') ) }"> <div style="{ background:\0075\0072\006c( javascript:alert('xss') ) }"> <div style="{ background:uʀʟ( javascript:alert('xss') ) }"> <div style="{ background:\0075\0280l( javascript:alert('xss') ) }"> <div style="{ background:u r l( javascript:alert('xss') ) }"> </body> </html>