Brave Search

When the iframe is loaded, an XSS vector is appended to the hash, causing the hashchange event to fire. Even newer versions of jQuery can still be vulnerable via the $() selector sink, provided you have full control over its input from a source ...

GitHub

github.com › cve-sandbox › jquery

GitHub - cve-sandbox/jquery: CVE Collection of jQuery XSS Payloads · GitHub

CVE Collection of jQuery XSS Payloads. Contribute to cve-sandbox/jquery development by creating an account on GitHub.

Starred by 75 users

Forked by 11 users

Languages HTML

Videos

02:46

YouTube

DOM XSS in jQuery anchor href attribute sink using location search ...

HackerKast Episode 10 - XSS Vulnerability in jQuery, Let's Encrypt, ...

DOM XSS in jQuery Selector Sink - YouTube

DOM XSS in jQuery Selector Sink using a Hashchange Event - YouTube

January 23, 2023

10:47

YouTube

XSS - Exploiting Vulnerable JQuery Sink - YouTube

exploit-db.com › exploits › 52141

jQuery 3.3.1 - Prototype Pollution & XSS Exploit - Multiple webapps Exploit

April 8, 2025 - Load vulnerable jQuery (version 3.3.1) const script = document.createElement('script'); script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"; document.head.appendChild(script); // 2. Function to execute after jQuery is loaded script.onload = function() { console.log("[+] Vulnerable jQuery loaded!"); // 3. Inject malicious content for XSS (CVE-2020-7656) const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script> $('body').append(maliciousContent); console.log("[+] XSS payload (CVE-2020-7656) injected.

TrustedSec

trustedsec.com › home › blog › everything you need to know about jquery and its vulnerabilities

TrustedSec | Everything You Need to Know About jQuery and its…

March 19, 2025 - As an example, the following code would be exploitable if the input value contained an XSS payload. ... Result: The XSS in the username value is added to the page HTML. Another function that can add unmodified HTML to the page is the load() function. load() - Loads data from a server and puts the returned data into the selected element ... redirect = .search if(redirect.indexOf("?redirect=")>=0){ path=redirect.split("redirect=")[1] $('body').load(path) } Another way to execute XSS in jQuery is though the selector engine.

Price $

Address 3485 Southwestern Boulevard, 44333, Fairlawn

GitHub

github.com › EdOverflow › bugbounty-cheatsheet › blob › master › cheatsheets › xss.md

bugbounty-cheatsheet/cheatsheets/xss.md at master · EdOverflow/bugbounty-cheatsheet

A list of interesting payloads, tips and tricks for bug bounty hunters. - bugbounty-cheatsheet/cheatsheets/xss.md at master · EdOverflow/bugbounty-cheatsheet

Author EdOverflow

PortSwigger

portswigger.net › web-security › cross-site-scripting › cheat-sheet

Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | Web Security Academy

January 27, 2026 - This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters.

xss.js.org

xss payloads collect

A magical documentation generator.

Stack Exchange

security.stackexchange.com › questions › 183245 › exploiting-xss-in-jquery-without-equal-character

attacks - Exploiting XSS in jQuery without equal character? - Information Security Stack Exchange

Top answer

1 of 4

Contrary to what is being said in the accepted answer, jQuery.html() and the many jQuery functions which accept HTML strings as arguments are more prone to DOM-based XSS injection than innerHTML, as noticed by the OP.

jQuery.html() extracts the <script> tags, updates the DOM and evaluates the code embedded in the script tags.

As a result, XSS can happen without user interaction even after the DOM is loaded when using jQuery.html().

This is very easy to demonstrate.

This will call alert():

$('.xss').html('<script>alert("XSS");</script\>');

http://jsfiddle.net/2TpHC/

While this will not:

var d = document.getElementById('xss');
d.innerHTML = '<script\>alert("XSS");</script\>';

http://jsfiddle.net/Tjspu/

Unfortunately, there are many other code paths (sinks) which lead to calling eval() in jQuery. The security conscious will probably avoid jQuery altogether, as far as possible.

Note that I do not claim that using innerHTML is an effective defense against XSS. It is not. Passing unescaped data to innerHTML is not safe, as pointed out by @daghan. One should always properly escape data when generating HTML.

2 of 4

JQuery strips out the script tags, which is why you aren't seeing it append to the dom let alone executing.

To see an explanation of why jquery strips it out, you can see John Resig's reply here: https://forum.jquery.com/topic/jquery-dommanip-script-tag-will-be-removed

Hope this helps

Find elsewhere

Google Bing Mojeek

Medium

bayefran.medium.com › xss-dom-xss-in-jquery-selector-sink-using-a-hashchange-event-17d23417675b

XSS — DOM XSS in jQuery selector sink using a hashchange event | by efran | Medium

August 7, 2023 - I was able to trigger XSS with https://lab-id.web-security-academy.net#<img src=x onerror=alert(1)> Now, let’s load the same page inside an iframe and deliver it to the victim to trigger XSS. The payload should trigger an alert since the jquery selector $() will first try to select (find) the item on the page and when it fails (the string does not exist in this example), it will add the element.

LRQA Korea

lrqa.com › en › cyber-labs › cross-site-scripting-xss-payload-generator

Cross Site Scripting (XSS) Payload Generator | LRQA

September 19, 2024 - It works by setting three basic options for the payload you want to generate which combine to create an encoded string. They should be fairly logical once you get started, but in brief, they are as follows. This is what you want the actual action to be when the XSS is executed and includes two methods for inserting an external script (JQuery and document.createElement), two methods for invoking a URL request (XMLHttpRequest and Image), which are good for establishing execution has occurred when testing for blind XSS, and finally the option to simply write your own JavaScript snippet for when you just gotta have alert(1).

Samuel Mortenson

mortenson.coffee › blog › promoting-jquery-json-jsonp-trigger-xss

Promoting jQuery JSON to JSONP to trigger XSS | Samuel Mortenson

November 20, 2020 - $.ajax("<payload>”, {dataType: "json"}) The answer was, surprisingly, yes. You can trigger XSS by only controlling the AJAX URL, or in some cases just the tail end of the URL, regardless of the caller. To explain this, let’s read the documentation for jQuery.ajax(): dataType (default: Intelligent Guess (xml, json, script, or html)) Type: String The type of data that you're expecting back from the server.

GitHub

github.com › kristovatlas › jquery-xss › blob › master › soundcloudafter-jquery-xss.html

jquery-xss/soundcloudafter-jquery-xss.html at master · kristovatlas/jquery-xss

<html> <head> <title>SoundCloud .after() jQuery XSS Demo</title>  <script type="text/javascript" src="jquery-1.6.4.js"></script> ·

Author kristovatlas

Snyk

security.snyk.io › snyk vulnerability database › npm

Cross-site Scripting (XSS) in jquery.terminal | CVE-2021-43862 | Snyk

jquery.terminal is a plugin for creating command line interpreters in your applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The code for XSS payload is always visible, but an attacker can use other ...

HackTricks

book.hacktricks.xyz › pentesting-web › xss-cross-site-scripting

XSS (Cross Site Scripting) | HackTricks

July 19, 2024 - From here: You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify ...

GitHub

github.com › cve-sandbox › jquery-ui

GitHub - cve-sandbox/jquery-ui: CVE Collection of jQuery UI XSS Payloads · GitHub

CVE Collection of jQuery UI XSS Payloads . Contribute to cve-sandbox/jquery-ui development by creating an account on GitHub.

Starred by 120 users

Forked by 17 users

Languages HTML

Stack Overflow

stackoverflow.com › questions › 62944833 › dom-xss-in-jquery-show-function

DOM XSS in Jquery show() function - Stack Overflow

July 16, 2020 - Our code scanner keeps marking above line as DOM based XSS. ... I have tried multiple payloads, but I am unable to execute an alert. is this a valid DOM vulnerability and what payload would I need to pass in item to exploit? ... The reason this is flagged is not show(). It's because $('#' + item + '-add') appends user input in a jquery selector.

Snyk

security.snyk.io › snyk vulnerability database › npm

Cross-site Scripting (XSS) in jquery | CVE-2020-7656 | Snyk

May 19, 2020 - jquery is a package that makes ... API that works across a multitude of browsers. Affected versions of this package are vulnerable to Cross-site Scripting (XSS)....

Twitter

twitter.com › therceman › status › 1576648000205918208

Bug Bounty Tips jQuery-UI XSS Payloads - Part 1

October 2, 2022 - JavaScript is not available · We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center · Help Center · Terms of Service Privacy Policy ...

Hackers Online Club

hackersonlineclub.com › home › cross-site scripting (xss) cheatsheet/payloads and tutorial 2025

Cross-Site Scripting (XSS) Cheatsheet/Payloads And Tutorial 2025

June 8, 2025 - Find XSS Vulnerability through utm_source parameter. ... The utm_source parameter is not escaped properly for URL encoded values. We can escape at multiple locations in the source. I escaped in the script section. The payload finished open function calls from jQuery, executes an alert as POC and then finished the original script tag.