HTML-Encoded Attribute Escape
Checks whether HTML-encoded input can escape from an img tag attribute without using double quotes
Created by: IDKdir
Created on: Saturday, July 13, 2024 at 4:56:45 PM
Updated on: Tuesday, May 27, 2025 at 8:15:32 AM
Category: DOM Behavior
Vector visibility: Public
Vector type: XSS
Vector charset: UTF-8
Template used:
<img src="/image.png" tag="html($[chr])><iframe><!--">
Code used after fuzz:
if (document.querySelector('iframe')) {
    log($[chr]);
}
Sample payloads
<img src="/image.png" tag="0x00><iframe><!--">
Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated: Sun Jan 25 2026
Found 1 result
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated: Sat Jan 31 2026
Found 1 result