XSS Payload Test Suite for Hive Frontends
XSS Payload Test Suite for Hive Frontends
⚠️ FOR AUTHORIZED TESTING ONLY
Do not use against systems without explicit written permission.
Report ID: AUDIT-20260322
Auditor: louis88
Purpose: Post each payload as a Hive blockchain post body to test sanitization
across condenser and other Hive frontends. All payloads usealert(1)or
alert(document.domain)as a benign proof-of-concept indicator.How to use: Each section contains payloads wrapped in markdown code fences
for reference, followed by the raw payload to copy. Test each payload as:
- A standalone post body
- Wrapped in
<html>...</html>tags (triggers the raw HTML path in MarkdownViewer)- Inside a markdown paragraph mixed with normal text
- As a comment on an existing post
Table of Contents
- Standard Vectors
- HTML Tag Event Handlers — Exhaustive
- SVG Vectors
- MathML Vectors
- HTML5 Semantic & Obscure Tags
- Encoding Bypass Vectors
- Unicode & Character Tricks
- CSS-Based Vectors
- Markdown-Specific Vectors
- Mutation XSS (mXSS)
- DOM Clobbering Chains
- Template & Framework-Specific
- Protocol Handler Abuse
- Meta & Base Tag Injection
- Form & Input Hijacking
- Object, Embed & Applet
- Media Elements
- Focus & Autofocus Chains
- Animation & Transition Events
- Content-Editable & Designmode
- Polyglot Payloads
- DOMPurify Specific Bypasses
- Condenser html-Wrapper Path
- Dangling Markup Injection
- Tab-Nabbing & Window Reference
- Exotic Attribute Vectors
- Regex Sanitizer Bypass Techniques
- Obfuscation & Evasion Techniques
- Payload Chaining & Multi-Stage
1. Standard Vectors
Classic payloads that every sanitizer should catch. If any of these fire, the sanitizer is fundamentally broken.
XSS-STD-001
alert(1)
XSS-STD-002
XSS-STD-003
alert(String.fromCharCode(72,105))
XSS-STD-004
alert(1)
XSS-STD-005
alert(1)
XSS-STD-006 — Script with CDATA (XHTML context)
/**/
XSS-STD-007 — Closing existing tag context
alert(1)
XSS-STD-008 — Closing textarea context
alert(1)
XSS-STD-009 — Closing noscript context
alert(1)
XSS-STD-010 — Line breaks in tag
alert(1)</scr
ipt>
2. HTML Tag Event Handlers — Exhaustive
Comprehensive list of every HTML event handler attribute. Many sanitizers only block onerror and onload but miss obscure handlers.
2.1 Mouse Events
XSS-EVT-001
XSS-EVT-002
XSS-EVT-003
XSS-EVT-004
XSS-EVT-005
XSS-EVT-006
XSS-EVT-007
XSS-EVT-008
XSS-EVT-009
XSS-EVT-010
XSS-EVT-011
XSS-EVT-012
2.2 Keyboard Events
XSS-EVT-013
XSS-EVT-014
XSS-EVT-015
2.3 Load / Lifecycle Events
XSS-EVT-016
XSS-EVT-017
XSS-EVT-018
XSS-EVT-019
XSS-EVT-020
XSS-EVT-021
XSS-EVT-022
XSS-EVT-023
XSS-EVT-024
XSS-EVT-025
Leave XSS Payload Test Suite for Hive Frontends to:
Read more #test posts
Best Posts From Louis Random Audit
We have not curated any of louis.random's posts yet. But you can encourage our curation team to review posts by visiting them regularly and by referring other readers. Because we give priority to frequently read content.
More Posts From Louis Random Audit
- Overlay Check
- test July 1
- testing - nothing to see - realy.
- Test May #1
- Search result 123
- <mark onmouseover=alert(document.domain)>click</mark>
- Understanding Hive Blockchain Governance: A Comprehensive Guide
- XSS Comprehensive Test Suite - Markdown Mode
- XSS Comprehensive Test Suite - HTML Mode
- Gist XSS Verification Test