level1
![](api/attachments/zBsTpmISUnOD/image/image.png)
level2
The input value is not encoded, so it can be exploited as follows
![](api/attachments/qyr4vlm8SrrR/image/image.png)
![](api/attachments/GN5OVb7dGC0Q/image/image.png)
level3
Use an attribute to trigger an event and execute JavaScript
![](api/attachments/11LD0Tz2RGdH/image/image.png)
![](api/attachments/Cm0IKoVHqtjW/image/image.png)
level4
Same as the previous level, but with a different closing character
![](api/attachments/GttvppuhuYGl/image/image.png)
![](api/attachments/4UWxUbR8zOYt/image/image.png)
level5
The level filters "on", so close the input tag and switch to an <a href> tag to invoke JavaScript
![](api/attachments/AnRr6UQOVjQv/image/image.png)
![](api/attachments/iIf2ijGk2Oyp/image/image.png)
level6
Case-variation bypass
![](api/attachments/IelRn8zZ0fGJ/image/image.png)
![](api/attachments/PSHDUYsJAFbm/image/image.png)
level7
Bypass by writing "on" twice
![](api/attachments/3jtWMkUqFurK/image/image.png)
![](api/attachments/ZJxaRVJbzUzI/image/image.png)
level8
Unicode encoding bypass
![](api/attachments/rKWdMeVK528x/image/image.png)
![](api/attachments/aknJk9UycDVK/image/image.png)
![](api/attachments/yTLaAkIUi2Mz/image/image.png)
level9
This level checks that the link is legitimate, so it is enough to append a legitimate link after the javascript code
payload: javascript:alert('xss')//http://baidu.com
![](api/attachments/1nTlMvZCtIN0/image/image.png)
![](api/attachments/KBB1FV41JNq8/image/image.png)
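Added example (not part of the original write-up): the Python below models the weak server-side checks that levels 5 to 9 rely on next to their hardened replacements, and parses the rendered tag to tell whether an event-handler attribute actually reaches the element. The function names and the two attribute samples are constructed for illustration; the link sample is the level 9 payload quoted above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the original write-up).
SAMPLE_CASE = '" ONclick="1'      # level6 style: mixed-case keyword
SAMPLE_DOUBLE = '" oonnclick="1'  # level7 style: keyword written twice
SAMPLE_LINK = "javascript:alert('xss')//http://baidu.com"  # level9 payload from the page

def blacklist_filter(value: str) -> str:
    """Weak filter in the style of the early levels: removes the lowercase
    token "on" once; it is case-sensitive and is not re-applied."""
    return value.replace("on", "")

def attribute_encode(value: str) -> str:
    """Hardened replacement: encode for an HTML attribute-value context, so the
    input can neither close the surrounding quote nor add an attribute."""
    return html.escape(value, quote=True)

def render_input(value: str, sanitizer) -> str:
    """Render the level's <input> tag with the chosen sanitizer applied."""
    return f'<input name="keyword" value="{sanitizer(value)}">'

class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.attr_names.extend(name.lower() for name, _ in attrs)

def has_event_handler(markup: str) -> bool:
    """Detection check: parse the rendered tag as a browser would and report
    whether an attribute actually named on* ended up on the element."""
    parser = _AttrCollector()
    parser.feed(markup)
    return any(name.startswith("on") for name in parser.attr_names)

def substring_link_check(url: str) -> bool:
    """Level9 style check: accepts any value that merely contains http://."""
    return "http://" in url

def scheme_allowlist_check(url: str) -> bool:
    """Hardened replacement: parse the URL and allow only http/https schemes."""
    return urlparse(url.strip()).scheme in ("http", "https")

if __name__ == "__main__":
    for sample in (SAMPLE_CASE, SAMPLE_DOUBLE):
        for label, fn in (("blacklist", blacklist_filter), ("encode", attribute_encode)):
            out = render_input(sample, fn)
            print(f"{label:9} -> {out}  handler present: {has_event_handler(out)}")
    print("substring:", substring_link_check(SAMPLE_LINK), "allowlist:", scheme_allowlist_check(SAMPLE_LINK))
```

The parser-based check matters because a plain regex would still "see" the text `ONclick=` inside the encoded attribute value, even though it is inert there.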
level10
The value of t_sort can be modified
![](api/attachments/cXJZ5Kjrxkbo/image/image.png)
Insert the malicious code into t_sort
![](api/attachments/d8TElPDmYYfZ/image/image.png)
![](api/attachments/81k4ObvMZCHp/image/image.png)