Basics

1. URL encoded "javascript:alert(1)"
Answer: The javascript will NOT execute.

2. Character entity encoded "javascript" and URL encoded "alert(2)"
Answer: The javascript will execute.

3. URL encoded ":"
Answer: The javascript will NOT execute.

4.
<img src=x onerror=alert(4)>
Character entity encoded < and >
Answer: The javascript will NOT execute.

5. Character entity encoded < and >
Answer: The javascript will NOT execute AND the character entities will NOT be decoded either.

6.
Answer: The javascript will NOT execute.

Advanced

7. Character entity encoded '
Answer: The javascript will execute.

8. Unicode escape sequence encoded '
Answer: The javascript will NOT execute.

9. Character entity encoded alert(9);
Answer: The javascript will NOT execute.

10. Unicode escape sequence encoded alert
Answer: The javascript will execute.

11. Unicode escape sequence encoded alert(11)
Answer: The javascript will NOT execute.

12. Unicode escape sequence encoded alert and 12
Answer: The javascript will NOT execute.

13. Unicode escape sequence encoded '
Answer: The javascript will NOT execute.

14. Unicode escape sequence encoded line feed.
Answer: The javascript will execute.

Bonus

16.
Answer: The javascript will execute.