A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form.
This vector uses an input element with autofocus to call its own focus event handler - no user interaction required
<input onfocus=write(1) autofocus>
<input onblur=write(1) autofocus><input autofocus>
<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
Enter a value into the form element to see how "onforminput" and "onformchange" attributes can monitor <FORM> activity - even from outside the <FORM> via the form attribute on a <BUTTON> element.
<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>
Opera 10.5+ and Chrome allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags
Firefox 3.5+ allows error handlers in <VIDEO> tags when applied with a <SOURCE> tag. The same works for <AUDIO> tags.
A vector displaying the HTML5 "formaction" capabilities for form hijacking. Note that this variation does not use the "id" and "form" attributes to connect button and form.
All browsers besides Internet Explorer 9↓ support the "oninput" event handler around form elements like the given <INPUT>. The event works for the form elements itself, the surrounding form and <BODY> as well as <HTML> tags.
<body oninput=alert(1)><input autofocus>
The <DETAILS> element fires an "ontoggle" event without user interaction on modern Blink-based browsers. This can be abused to bypass blacklists as the event-tag combination is not very well known.
<details open ontoggle="alert(1)">
The <VIDEO> element fires an "onratechange" event without user interaction on Firefox, even if no actual value for the "src" attribute is given. This can be used to bypass WAF and IDS systems as this combination of tag and attributes is rather uncommon and unknown.
<video src onratechange="alert(1)">