The power of our XSS cheat sheet is that we get fantastic contributions from the web security community, and this update is no exception. We had valuable contributions from Mozilla to remove events that no longer work with the marquee tag on Firefox.

There was a wonderfully obscure Safari-only vector from @amirmsafari that uses the onwebkitplaybacktargetavailabilitychanged event and works on audio and video tags.

We had a submission from @Wcraft-log with the onpointercancel event, which requires heavy user interaction.
@Filipnyquist pointed out that we didn't document that pretty much every element can now use the autofocus attribute. This was discovered earlier by @RenwaX23 and @lbherrera_.
Finally, we had a submission from @zhenwarx showing that there are a bunch of WebKit events we missed that require user interaction with the trackpad.
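The practical lesson of these submissions for anyone writing a sanitizer is that the set of event handler attributes is open-ended, so filtering on a fixed list of known event names will always lag behind the cheat sheet. The following is an added example in Python (it is not code from the cheat sheet or from PortSwigger): it scans a constructed HTML fragment for every on* and autofocus attribute, shows which of them a block-list frozen on the classic event names would let through, and then runs a small per-element allow-list sanitizer that drops such attributes regardless of their name. The sample markup, the OLD_BLOCK_LIST, the ALLOWED policy and the handler() placeholder values are all assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample markup (not taken from the cheat sheet): harmless attributes
# mixed with the attribute kinds this update covers. Handler values are placeholders.
SAMPLE_HTML = (
    '<p class="intro">Hello</p>'
    '<video src="clip.mp4" onwebkitplaybacktargetavailabilitychanged="handler()"></video>'
    '<div ONPOINTERCANCEL="handler()">drag me</div>'
    '<input type="text" autofocus onfocus="handler()">'
    '<span autofocus>plain span</span>'
    '<a href="javascript:handler()">link</a>'
)

# Hypothetical block-list frozen before this update: it knows only long-established events.
OLD_BLOCK_LIST = {"onclick", "onload", "onerror", "onmouseover", "onfocus"}


class EventAttributeScanner(HTMLParser):
    """Record every attribute that can attach script to an element or grab focus."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            lname = name.lower()  # attribute names are case-insensitive in HTML
            if lname.startswith("on") or lname == "autofocus":
                self.findings.append((tag, lname, value))


def scan(html):
    """Return every on* or autofocus attribute found in the fragment."""
    scanner = EventAttributeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def missed_by_block_list(findings, block_list):
    """Findings that a fixed block-list of event names would have let through."""
    return [f for f in findings if f[1] not in block_list]


# Hypothetical per-element attribute allow-list used by the sanitizer below.
ALLOWED = {
    "p": {"class"},
    "span": set(),
    "div": set(),
    "a": {"href"},
    "video": {"src"},
    "input": {"type"},
}
URL_ATTRS = {"href", "src"}


def safe_url(value):
    """Accept relative and http(s) URLs only, so javascript: and data: are rejected."""
    return urlsplit(value or "").scheme.lower() in ("", "http", "https")


class AllowListSanitizer(HTMLParser):
    """Re-serialise a fragment keeping only allow-listed elements and attributes."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown element: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname not in ALLOWED[tag]:
                continue  # every on*, autofocus, style, ... falls out here by construction
            if lname in URL_ATTRS and not safe_url(value):
                continue  # URL-valued attribute with a scripting scheme
            kept.append(f' {lname}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always escaped, never passed through raw


def sanitize(html):
    """Return the allow-list-sanitised form of the fragment."""
    sanitizer = AllowListSanitizer()
    sanitizer.feed(html)
    sanitizer.close()
    return "".join(sanitizer.out)


if __name__ == "__main__":
    found = scan(SAMPLE_HTML)
    print("flagged:", found)
    print("missed by old block-list:", missed_by_block_list(found, OLD_BLOCK_LIST))
    print("sanitised:", sanitize(SAMPLE_HTML))
```

Running it shows five flagged attributes, of which four (the two WebKit/pointer events and both autofocus occurrences) slip past the old block-list, while the allow-list sanitizer removes all of them without ever needing to know their names. The allow-list shape is the point; for production use a maintained sanitizer such as DOMPurify or bleach, which also covers parser quirks this short example does not attempt to handle.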
Big thanks to the web security community for keeping the XSS cheat sheet up to date with the latest XSS vectors. If you would like to contribute, please raise an issue or a PR.
Note: If you are wondering what we use to generate code snippet images, we use the excellent online tool Ray.so.