1. <a href="%6a%61%76%61%73%63%72%69%70%74:%61%6c%65%72%74%28%31%29"></a>
URL encoded "javascript:alert(1)"
Answer: the JavaScript does not execute.
2. <a href="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:%61%6c%65%72%74%28%32%29"></a>
Character entity encoded "javascript" and URL encoded "alert(2)"
Answer: the JavaScript executes.
3. <a href="javascript%3aalert(3)"></a>
URL encoded ":"
Answer: the JavaScript does not execute.
4. <div>&lt;img src=x onerror=alert(4)&gt;</div>
Character entity encoded < and >
Answer: the JavaScript does not execute.
5. <textarea>&lt;script&gt;alert(5)&lt;/script&gt;</textarea>
Character entity encoded < and >
Answer: the JavaScript does not execute; the character entities are not decoded.
6. <textarea><script>alert(6)</script></textarea>
Answer: the JavaScript does not execute.
Advanced
7. <button onclick="confirm('7&#39;);">Button</button>
Character entity encoded '
Answer: the JavaScript executes.
8. <button onclick="confirm('8\u0027);">Button</button>
Unicode escape sequence encoded '
Answer: the JavaScript does not execute.
9. <script>&#97;&#108;&#101;&#114;&#116;&#40;&#57;&#41;&#59;</script>
Character entity encoded alert(9);
Answer: the JavaScript does not execute.
10. <script>\u0061\u006c\u0065\u0072\u0074(10);</script>
Unicode escape sequence encoded alert
Answer: the JavaScript executes.
11. <script>\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0031\u0029</script>
Unicode escape sequence encoded alert(11)
Answer: the JavaScript does not execute.
12. <script>\u0061\u006c\u0065\u0072\u0074(\u0031\u0032)</script>
Unicode escape sequence encoded alert and 12
Answer: the JavaScript does not execute.
13. <script>alert('13\u0027)</script>
Unicode escape sequence encoded '
Answer: the JavaScript does not execute.
14. <script>alert('14\u000a')</script>
Unicode escape sequence encoded line feed
Answer: the JavaScript executes.
Bonus
16. <a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(15)"></a>
Answer: the JavaScript executes.
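Every answer above follows from the order in which the browser's three decoders run: the HTML tokenizer decodes character references in attribute values and in RCDATA (textarea) but not inside script raw text; the URL parser identifies the scheme on the raw text and percent-decodes only what follows it; and the JavaScript lexer accepts \uXXXX escapes inside identifiers and string literals but never lets them stand in for a punctuator, a leading digit, or a closing quote. The following Python model is an added example, not code from the linked article; the functions html_stage, url_stage, js_stage, executes and the QUIZ table are assumptions of this example. It is deliberately minimal (a regex tokenizer that only understands double-quoted attributes, script/textarea bodies, \uXXXX escapes and a single call statement with one literal argument), so it models the rules the quiz exercises rather than the full specifications.

```python
import re
from html import unescape
from urllib.parse import unquote

# --- Stage 1: HTML tokenizer model (simplified, assumption of this example) ---
TAG_RE = re.compile(r'<([a-zA-Z]+)((?:\s+[a-zA-Z]+="[^"]*")*)\s*>')
ATTR_RE = re.compile(r'([a-zA-Z]+)="([^"]*)"')

def html_stage(markup):
    """Return (context, payload) pairs that the HTML parser hands to later stages."""
    sinks, pos = [], 0
    while (m := TAG_RE.search(markup, pos)):
        name = m.group(1).lower()
        for attr, raw in ATTR_RE.findall(m.group(2)):
            # Character references in attribute values are decoded by the HTML parser.
            if attr.lower().startswith("on"):
                sinks.append(("js", unescape(raw)))
            elif attr.lower() == "href":
                sinks.append(("url", unescape(raw)))
        pos = m.end()
        if name in ("script", "textarea"):
            # Raw text (script) and RCDATA (textarea): the body is never scanned for tags.
            close = markup.lower().find("</" + name + ">", pos)
            body = markup[pos:] if close == -1 else markup[pos:close]
            pos = len(markup) if close == -1 else close + len(name) + 3
            if name == "script":
                sinks.append(("js", body))              # entities are NOT decoded here
            else:
                sinks.append(("text", unescape(body)))  # decoded, but only ever text
        # Any other element: keep scanning; its body is text plus whatever real tags it holds.
    return sinks

# --- Stage 2: URL parser model ----------------------------------------------
def url_stage(href):
    """The scheme is matched on the raw text; only what follows it is percent-decoded."""
    scheme, colon, rest = href.partition(":")
    if colon and scheme.strip().lower() == "javascript":
        return unquote(rest)
    return None

# --- Stage 3: JavaScript lexer model ----------------------------------------
ID_START, ID_PART = re.compile(r'[A-Za-z_$]'), re.compile(r'[A-Za-z0-9_$]')
UNI, NUM_RE = re.compile(r'\\u([0-9a-fA-F]{4})'), re.compile(r'\d+')

class JsSyntaxError(Exception):
    pass

def js_tokens(src):
    """Tiny lexer: identifiers (with \\u escapes), string and number literals, ( ) ;."""
    tokens, i = [], 0
    while i < len(src):
        c = src[i]
        if c.isspace():
            i += 1
        elif c in "'\"":
            i, value = i + 1, ""
            while True:
                if i >= len(src) or src[i] == "\n":
                    raise JsSyntaxError("unterminated string literal")
                if src[i] == c:
                    i += 1
                    break
                if (esc := UNI.match(src, i)):       # \uXXXX in a string is just a character
                    value, i = value + chr(int(esc.group(1), 16)), esc.end()
                elif src[i] == "\\" and i + 1 < len(src):
                    value, i = value + src[i + 1], i + 2
                else:
                    value, i = value + src[i], i + 1
            tokens.append(("string", value))
        elif c.isdigit():
            n = NUM_RE.match(src, i)
            tokens.append(("number", n.group()))
            i = n.end()
        elif c == "\\" or ID_START.match(c):
            name = ""
            while i < len(src):
                if (esc := UNI.match(src, i)):
                    ch, i = chr(int(esc.group(1), 16)), esc.end()
                elif ID_PART.match(src[i]):
                    ch, i = src[i], i + 1
                else:
                    break
                # An escape may only yield a character legal at this identifier position;
                # punctuation or a leading digit is a SyntaxError in a real engine too.
                if not (ID_PART if name else ID_START).match(ch):
                    raise JsSyntaxError("escape does not form a valid identifier")
                name += ch
            if not name:
                raise JsSyntaxError("bad escape")
            tokens.append(("ident", name))
        elif c in "();":
            tokens.append(("punct", c))
            i += 1
        else:
            raise JsSyntaxError("unexpected character %r" % c)
    return tokens

def js_stage(src):
    """True if the source lexes and forms a single call with one literal argument."""
    try:
        toks = js_tokens(src)
    except JsSyntaxError:
        return False
    if toks and toks[-1] == ("punct", ";"):
        toks = toks[:-1]
    return (len(toks) == 4 and toks[0][0] == "ident" and toks[1] == ("punct", "(")
            and toks[2][0] in ("string", "number") and toks[3] == ("punct", ")"))

def executes(markup):
    """Run the three-stage model over one vector; True if JavaScript would run."""
    for context, payload in html_stage(markup):
        if context == "url":
            payload, context = url_stage(payload), "js"
        if context == "js" and payload is not None and js_stage(payload):
            return True
    return False

# The page's vectors, with the page's answers (True = executes).
QUIZ = {
    1: (r'<a href="%6a%61%76%61%73%63%72%69%70%74:%61%6c%65%72%74%28%31%29"></a>', False),
    2: (r'<a href="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:%61%6c%65%72%74%28%32%29"></a>', True),
    3: (r'<a href="javascript%3aalert(3)"></a>', False),
    4: (r'<div>&lt;img src=x onerror=alert(4)&gt;</div>', False),
    5: (r'<textarea>&lt;script&gt;alert(5)&lt;/script&gt;</textarea>', False),
    6: (r'<textarea><script>alert(6)</script></textarea>', False),
    7: ('''<button onclick="confirm('7&#39;);">Button</button>''', True),
    8: (r'''<button onclick="confirm('8\u0027);">Button</button>''', False),
    9: (r'<script>&#97;&#108;&#101;&#114;&#116;&#40;&#57;&#41;&#59;</script>', False),
    10: (r'<script>\u0061\u006c\u0065\u0072\u0074(10);</script>', True),
    11: (r'<script>\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0031\u0029</script>', False),
    12: (r'<script>\u0061\u006c\u0065\u0072\u0074(\u0031\u0032)</script>', False),
    13: (r"<script>alert('13\u0027)</script>", False),
    14: (r"<script>alert('14\u000a')</script>", True),
    16: (r'<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(15)"></a>', True),
}

def check_quiz():
    """Map each item number to (model verdict, page answer)."""
    return {n: (executes(vector), answer) for n, (vector, answer) in QUIZ.items()}

def model_matches_page():
    return all(model == page for model, page in check_quiz().values())

if __name__ == "__main__":
    for n, (model, page) in check_quiz().items():
        print(f"{n:>2}: model={'executes' if model else 'no'}  page={'executes' if page else 'no'}")
```

The model agrees with all fifteen answers, and the reason for each one is visible in which stage rejects the vector: 1 and 3 never reach the JavaScript stage because the scheme check in url_stage runs before percent-decoding, 4 through 6 stop at html_stage because entity-decoded or RCDATA text is never re-tokenised as markup, 9 fails because script bodies skip unescape, and 8, 11, 12 and 13 all raise in js_tokens for the same underlying reason: a \uXXXX escape can contribute a character to an identifier or a string, but it can never act as syntax.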
Source: http://www.wjlshare.xyz/2019/08/10/深入理解浏览器解析机制和xss向量编码-文章总结/