What does the XSS Payload Pattern (Basic Detection) regex match?

Detects common XSS (Cross-Site Scripting) payloads in input strings.

Is the XSS Payload Pattern (Basic Detection) regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

How do I use this regex in javascript?

Security/Injection Patterns

Verified Safe

XSS Payload Pattern (Basic Detection) Regex for JavaScript

/(?:<script[\s>]|<\/script>|javascript:|vbscript:|onload\s*=|onerror\s*=|onclick\s*=|onmouseover\s*=|<iframe\b|<object\b|<embed\b|<svg[\s>]|document\.cookie|document\.write|eval\s*\(|setTimeout\s*\(|setInterval\s*\(|window\.location|alert\s*\(|confirm\s*\(|prompt\s*\(|data:text/html)/i

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching xss payload pattern (basic detection), ported and verified for JavaScript. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

Javascript

// XSS Payload Pattern (Basic Detection)
// ReDoS-safe | RegexVault — Security > Injection Patterns

const xssPayloadPatternBasicDetectionRegex = /(?:<script[\s>]|<\\/script>|javascript:|vbscript:|onload\s*=|onerror\s*=|onclick\s*=|onmouseover\s*=|<iframe\b|<object\b|<embed\b|<svg[\s>]|document\.cookie|document\.write|eval\s*\(|setTimeout\s*\(|setInterval\s*\(|window\.location|alert\s*\(|confirm\s*\(|prompt\s*\(|data:text\/html)/i;

function validateXssPayloadPatternBasicDetection(input: string): boolean {
  return xssPayloadPatternBasicDetectionRegex.test(input);
}

// Example
console.log(validateXssPayloadPatternBasicDetection("<script>alert(1)</script>")); // true

Test Cases

Matches (Valid)	Rejects (Invalid)
`<script>alert(1)</script>`	`Hello World`
`javascript:void(0)`	`This is a normal comment`
`onload=malicious()`	`<b>Bold text</b>`
`<svg onload=alert(1)>`	`onclick is a word`
`document.cookie`	—

When to use this pattern

This pattern is drawn from the Security > Injection Patterns category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

There are over 1000 known XSS filter bypass techniques. Regex-based XSS filtering in input validation is cat-and-mouse. Use DOMPurify for sanitizing user HTML, and rely on CSP (Content Security Policy) as the final layer of defense.

Technical Notes

Basic XSS detection. Incomplete — XSS payloads can be encoded in dozens of ways (HTML entities, Unicode escapes, UTF-7, etc.). Use as a signal for logging/alerting. The real defense is output encoding via a template engine (React, Vue, Jinja2 with auto-escaping).

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern