Shazzer logo
Login

HTML-Encoded Attribute Escape

Chrome logo 1
Firefox logo 1
Edge logo 1

Checks for any escaping from the img tag attribute from encoded input without using double quotes

IDKdir
Created byIDKdir
Created Jul 13, 2024
Updated May 27, 2025

Tweet
Detecting browser...
CategoryDOM Behavior
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<img src="/image.png" tag="html($[chr])><iframe><!--">
Code used after fuzz:
if (document.querySelector('iframe')) {0x0D
    log($[chr]);0x0D
}

Fuzz results

Chrome logo
Chrome 148.0.0.0 desktop Windows NT 10.0
Updated15 Mar 2026
Found 1 result
Loading...
Firefox logo
Firefox 149.0 desktop macOS 10.15
Updated3 Apr 2026
Found 1 result
Loading...
Edge logo
Microsoft Edge 146.0.0.0 desktop Windows NT 10.0
Updated6 Apr 2026
Found 1 result
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.