The strings Example 1 combine to be a cross-site scripting attack if they are all concatenated together. Although none of them is an attack in its own right, they are all pieces of a standard, basic XSS attack string.
Also, try inserting the sequence in reverse order.
This will work in several scenarios. It will work when there are multiple length-restricted fields that are concatenated together with some punctuation or HTML tags in between. It will also work when multiple instances of the same input field are displayed on the same page. The author has seen several examples in real applications where a list of status codes, for example, are displayed on a page. The status codes are provided by an end user and are not checked at all. The status codes are displayed in a table defined in HTML like that shown in Example 2.
Example 2. Sample application output where status code length is restricted by server
Example 3 shows the resulting script from Example 2.
In most browsers, including Internet Explorer 7 and Mozilla Firefox 3.0, this is equivalent:
As with other similar XSS tests, the application is vulnerable if you see an alert box pop up as a result of injecting your input.