Some event handlers do not appear in the OWASP list. It is a touch event like ontouch*. It is a limited item on mobile devices, so it has a less effective effect than general purpose, but it is a good item to trigger XSS.
(In fact, sometimes I forgot this event handler. so i take a note!)
<body ontouchstart=alert(45)> <body ontouchend=alert(45)> <body ontouchmove=alert(45)> <!-- [ ontouchstart ] Triggers when a finger touch the screen [ ontouchend ] Triggers when a finger is removed from touch screen [ ontouchmove ] When a finger is dragged across the screen. -->
|only mobile…, pc browser is not running code|