Popping up an XSS alert via a field which does not accept more than 20 characters

While testing an app, a text field on one of the pages, was not accepting more than 20 characters (server side validation). I inserted following piece of code to check XSS (From RSnake’s XSS cheat sheet):


and verified the HTML source for <XSS verses &lt;XSS . As <XSS was in the HTML source,  the input field was missing output encoding and was vulnerable to cross site scripting.

I was now aiming to get a popup. Only thing was I was used to alert(1) and here I needed a smaller script. I tried to create/find some script which is less than or equal to 20 characters but I was unable to find anything. At that point of time, a random thought came to my mind that, what could be the smallest payload to pop up an alert. I asked this question in IT Security stack-exchange forum. I was also able to make a few payloads myself. Here are those payloads as well as the payload from one of the answer.

<a href=http://a.by>
<a onclick=alert(2)>
<b onclick=alert(2)>
<script src=//h4k.me

Update (7th March, 2019)- This is a very old post and may be obsolete now. I guess as someone replied to that question in 2017, following may be the smallest payload to pop up an alert now. I need to check.