HTML-Encoded Attribute Escape

Checks for any escaping from the img tag attribute from encoded input without using double quotes

Created byIDKdir

Created Jul 13, 2024

Updated May 27, 2025

Detecting browser...

CategoryDOM Behavior

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<img src="/image.png" tag="html($[chr])><iframe><!--">

Code used after fuzz:

if (document.querySelector('iframe')) {0x0D
    log($[chr]);0x0D
}

Fuzz results

Chrome 145.0.0.0 desktop Windows NT 10.0

Updated17 Feb 2026

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending

Firefox 148.0 desktop Windows NT 10.0

Updated23 Feb 2026

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending

Microsoft Edge 145.0.0.0 desktop Windows NT 10.0

Updated18 Feb 2026

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending