You're Invited: Meet the Socket team at BSidesSF and RSAC - April 27 - May 1.RSVP
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

github.com/portswigger/xss-cheatsheet-data

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/portswigger/xss-cheatsheet-data

v0.0.0-20241115112246-def184e73f8b
Source
Go
Version published
Created
Source

This is the data that powers the PortSwigger XSS cheat sheet. We have put this data on Github so the community can contribute vectors via pull requests.

Contributing

To contribute please create a pull request with changes to the JSON data.

For example, to add onwaiting to the data, do:

"onwaiting": {
        "description": "Fires when while waiting for the data",
        "tags": [
            {
                "tag": "video",
                "code": "<video autoplay controls onwaiting=alert(1)><source src=\"validvideo.mp4\" type=video\/mp4><\/video>",
                "browsers": [
                    "edge"
                ],
                "interaction": false
            }
        ]
    }

The tags array contains the tags supported by the vector and browser support. Supported browsers are chrome,safari,firefox,edge all in lowercase. The interaction flag specifies if the vector requires user interaction.

Please make sure you search the data to ensure your vector hasn't already been added. Please include your Twitter handle in the pull request message if you would like to be credited with it.

License

The copyright for this project belongs to PortSwigger Web Security. We do not want this data to be used to create derivative cheat sheets hosted elsewhere, so we are not providing a license. That said, you are free to fork this repo in order to create pull requests back.

FAQs

Package last updated on 15 Nov 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Malicious npm Package Disguised as Advcash Integration Triggers Reverse Shell

Research

Malicious npm Package Disguised as Advcash Integration Triggers Reverse Shell

The Socket Research Team investigates a malicious npm package that appears to be an Advcash integration but triggers a reverse shell during payment success, targeting servers handling transactions.

By Socket Research Team, Sarah Gooding  -  Apr 14, 2025
Turtles, Clams, and Cyber Threat Actors: Shell Usage

Security Fundamentals

Turtles, Clams, and Cyber Threat Actors: Shell Usage

The Socket Threat Research Team uncovers how threat actors weaponize shell techniques across npm, PyPI, and Go ecosystems to maintain persistence and exfiltrate data.

By Olivia Brown, Kirill Boychenko  -  Apr 11, 2025