4.2.5. Sink

4.2.5.1. 执行Js

• eval(payload)
• setTimeout(payload, 100)
• setInterval(payload, 100)
• Function(payload)()
• <script>payload</script>
• <img src=x onerror=payload>

4.2.5.2. 加载URL

• location=javascript:alert(/xss/)
• location.href=javascript:alert(/xss/)
• location.assign(javascript:alert(/xss/))
• location.replace(javascript:alert(/xss/))

4.2.5.3. 执行HTML

• xx.innerHTML=payload
• xx.outerHTML=payload
• document.write(payload)
• document.writeln(payload)