🎅 - Yo, ho ho! - 🎄

Welcome to the twentythousand-and-one Vector To Rule Them All Challenge. You are the 1173rd visitor!

The goal of this xssmas challenge is to find an XSS vector that triggers in as many contexts as possible. It is inspired by Gareth Heyes's classic "One vector to rule them all".


  1. XSS this page.
  2. Your injection will be reflected in a lot of different contexts.
  3. Escape all of them to get as many alerts popping as possible.
  4. Make that XSS vector short.
  5. Rating is currently paused. Submit your solution in an email.
    New: Submissions will be evaluated daily, in the CET evenings.
  6. Tip: Just call alert() and we'll count for you.
  7. Winner is the submission with the most contexts successfully XSS'd, ranked by size (shorter is better).

Submissions that trigger in all contexts

| # | Name | Characters |
|---|------|------------|
| 1 | Simon Pieters | 84 |
| 2 | Robert Xiao | 118 |
| 3 | Andrew Shurigyn | 142 |
| 4 | Clinton Campbell | 315 |

Honorable mention for submissions that do not hit all required contexts: Tom Holmes, Roberto Bo Xiao, Richard Moore, smaury, Tolga, Rudra Sarkar, Ross Snider, William Le Berre, Jim Manico, 02E774