Characters allowed to break double quotes

Characters allowed to break double quotes in the action attribute

Created byp3n7a90n

Created Jun 30, 2024

Updated May 27, 2025

Detecting browser...

CategoryDOM Behavior

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<form id="test" action="aaa$[chr]onsubmit=alert(1)><input/type='submit'>0x0D

Code used after fuzz:

var form = document.getElementById("test");0x0D
if (typeof form.onsubmit === 'function') {0x0D
log(String.fromCharCode($[i]))0x0D
  }

Sample payloads

<form id="test" action="aaa0x00onsubmit=alert(1)><input/type='submit'>0x0D