using System;
using System.Globalization;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
/// <summary>
/// Smoke harness for <see cref="XSSChecker.HasXSSPayload"/>: prints one
/// "Has XSS Payload : True/False" line per sample, in the order listed.
/// </summary>
public static void Main()
{
    string[] samples =
    {
        // A closing tag followed by a fresh <script> block - expected to be flagged.
        "This is Sid , hello </script><script>alert('Hello')</script>",

        // Plain prose with no '<' at all - expected not to be flagged.
        "This is Sid , hello I wrote this in engineering",

        // The script payload written backwards. No '<' is followed by a known
        // tag name, so the checker does not flag it (nothing here reverses it back).
        "This is Sid , hello >tpircs/<)'olleH'(trela>tpircs<",

        // NOTE: \uXXXX escapes are resolved by the C# compiler, so at runtime this
        // string is byte-identical to the plain <script> sample that follows. It
        // exercises no decoding inside the checker itself.
        "This is Sid , hello \u003C\u0073\u0063\u0072\u0069\u0070\u0074\u003E\u0061\u006C\u0065\u0072\u0074\u0028\u0027\u0048\u0065\u006C\u006C\u006F\u0027\u0029\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E",

        // The canonical inline <script> sample.
        "This is Sid , hello <script>alert('Hello')</script>",

        // Repeated sample (identical to the previous line); kept so the number of
        // printed lines is unchanged.
        "This is Sid , hello <script>alert('Hello')</script>",
    };

    foreach (string sample in samples)
    {
        Console.WriteLine(XSSChecker.HasXSSPayload(sample));
    }
}
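/// <summary>
/// Heuristic, deny-list based detector for HTML/script injection in a string.
/// </summary>
/// <remarks>
/// What it does, and - just as important - what it does not do:
/// <list type="bullet">
/// <item>Input is NFKC-normalised and stripped of non-spacing marks first, so
/// full-width look-alikes such as U+FF1C "＜" collapse to ASCII "&lt;" before matching.</item>
/// <item>A string is flagged when it starts with '+', '=' or '@' (spreadsheet formula
/// prefixes; note that '-', TAB and CR prefixes are not covered) or when it contains a
/// literal '&lt;' followed by one of the listed HTML tag names.</item>
/// <item>No HTML-entity or URL decoding is performed: "&amp;lt;script&amp;gt;" and
/// "%3Cscript%3E" are NOT flagged. C# "\u003C" escapes in a caller's string literal are
/// resolved by the compiler, not by this method.</item>
/// <item>Every tag alternative requires a literal '&lt;', so injection into an existing
/// attribute or URL context (a bare <c>" onerror=...</c>, or <c>javascript:</c>) is not
/// detected, and any tag name absent from the list (e.g. <c>&lt;math</c> or a custom
/// element) passes.</item>
/// </list>
/// This is a detection aid, not a sanitizer; context-appropriate output encoding remains
/// the primary XSS defence.
/// </remarks>
public static class XSSChecker
{
    // Built once. The original constructed a RegexOptions.Compiled regex on every call,
    // paying the compile cost each time. CultureInvariant keeps IgnoreCase from using
    // culture-specific casing: under a Turkish culture 'I' does not fold to 'i', so
    // "<SCRIPT>" could otherwise fail to match the "script" alternative and slip through.
    // The pattern contains no quantifiers, so backtracking is bounded by the number of
    // alternatives and there is no catastrophic-backtracking (ReDoS) exposure.
    private static readonly Regex s_payloadPattern = new Regex(
        @"^[+=@]"
        + @"|(<(script|/script|iframe|embed|q |q>|a |a>|p |p>|b>|b |u |u>|col |col>|var |var>|br>|br |frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound|!DOCTYPE|abbr |abbr>|acronym|address|area|article|aside|audio|base|basefont|bdi|bdo|big>|big |blockquote|button|canvas|caption|center|cite|code |code>|colgroup|data>|data |datalist|dd|details|del |del>|dfn|dialog|dir |dir>|div |div>|dl|dt|em |em>|fieldset|figcaption|figure|font|footer|form|head|header|hr |hr>|i>|i |input|ins>|ins |kbd|label|legend|li>|li |map|mark|main|meter|noframes|nav|noscript|ol|optgroup|option|output|ol |ol>|param|picture|progress|pre>|pre |rp|rt|ruby|samp|s |s>|th>|th |section|select|small|source|span|strike|strong|summary|sub |sub>|sup |sup>|svg |svg>|svg|table|tbody|td>|tr>|td |tr |template|textarea|tfoot|thead|time|title|track|tt|ul |ul>|video|wbr|h1|h2|h3|h4|h5|h6))",
        RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.CultureInvariant);

    /// <summary>
    /// Reports whether <paramref name="htmlString"/> looks like it carries an HTML/script
    /// or formula-injection payload, after Unicode compatibility normalisation.
    /// </summary>
    /// <param name="htmlString">Untrusted text to inspect. Must not be null.</param>
    /// <returns>
    /// The literal text "Has XSS Payload : True" or "Has XSS Payload : False" (the
    /// boolean's default ToString()); callers already print this string directly.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="htmlString"/> is null.</exception>
    /// <exception cref="ArgumentException">
    /// Propagated from <see cref="string.Normalize(NormalizationForm)"/>, which is
    /// documented to reject input that is not valid Unicode (e.g. unpaired surrogates).
    /// </exception>
    public static string HasXSSPayload(string htmlString)
    {
        // Explicit guard instead of letting Normalize() raise a NullReferenceException.
        if (htmlString is null)
        {
            throw new ArgumentNullException(nameof(htmlString));
        }

        string normalized = NormalizeFullWidthCharacters(htmlString);
        bool flagged = s_payloadPattern.IsMatch(normalized);
        return "Has XSS Payload : " + flagged;
    }

    /// <summary>
    /// Folds compatibility characters (full-width forms, ligatures, ...) onto their base
    /// ASCII/Latin characters and drops combining marks so that obfuscated tag names line
    /// up with the literal alternatives in the pattern.
    /// </summary>
    /// <param name="input">Text to normalise; assumed non-null (the public entry point checks).</param>
    /// <returns>The NFKC form of <paramref name="input"/> with non-spacing marks removed.</returns>
    private static string NormalizeFullWidthCharacters(string input)
    {
        // NFKC does the look-alike folding; the filter then removes the combining marks
        // that the decomposition can leave behind (e.g. a dot-above split off a letter).
        var kept = input
            .Normalize(NormalizationForm.FormKC)
            .Where(c => char.GetUnicodeCategory(c) != UnicodeCategory.NonSpacingMark);
        return string.Concat(kept);
    }
}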