About cross-site scripting attacks_javascript skills

A general attack is to write a script to see if it can be executed, and then you can determine whether it is an attack. For example, if I write
, and then see if it can be executed when the page is loaded, that's it. So far, this code will not be executed on ordinary websites, but what about another way?

For example,
, there are probably a few websites that implement it, and everyone knows it.
Let’s look at a more obscene test example, '';!--"
=&{()}, this is a good example to test whether there will be xxs, try again and see how many websites there are If you can resist, here is an example I wrote casually, and then tested a few websites to see,
Source code: '';!--";eval('alert('What the hell is going on with you uncle? ! ')');"
SS>=&{()}, and then try taking a screenshot (no malicious intent, just testing!): <script> alert("执行了我了哦！！！"); </script><script>alert(String.fromCharCode(88,83,83))</script>http://search.360buy.com/Search? book=y&keyword=1