Web browsers are quite helpful: If you are a web-designer and you don't produce (X)HTML compliant pages, they will be rendered correctly anyway, because they quite fault-tolerant. But there are some features in some browsers that are questionable, here are some advanced examples:
- Even though this file has a strange extension, IE will interpret the JavaScript inside: http://kleinerfeigling.kl.ohost.de/hubi.istdick
- IE guesses the protocol you wanted to use, so try to enter this link: somescript:alert("hi");
See here for more examples of that. It seems that a simple link to this doesn't work, but with a few tricks you can execute it:
<a ONclicK=` ;; morescript:alert(String.fromCharCode(88,83,83))` xhref='#'>TEST</a> - The last example actually contains another trick to hide malicious code: the onclick event is used with backticks `
- Do you know the data protocol of Firefox, you can hide JavaScript in it, you can even base64 encode it, try this link: data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
Older tricks can be found in the XSS Cheat Sheet…