Characters that can break out of an inline style background-image url
1
1
1Characters that can break out of an inline style background-image url
Created by0xdef1ant
Created Jul 13, 2024
Updated May 27, 2025
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<div id="test" style="background-image: url($[chr];width:100%">hello</div>Code used after fuzz:
let myDiv = document.getElementById("test");0x0D
function getCSSProperty(element, property) {0x0D
return window.getComputedStyle(element).getPropertyValue(property);0x0D
}0x0D
const width = getCSSProperty(myDiv, 'width');0x0D
if (width === '100%') {0x0D
log(String.fromCharCode($[i]))0x0D
}Sample payloads
<div id="test" style="background-image: url(⟦00⟧;width:100%">hello</div>Fuzz results
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated17 Feb 2026
Found 1 result
Loading...
Chrome 144.0.0.0 desktop macOS 10.15.7older version
Updated17 Feb 2026
Found 1 result
Loading...
Firefox 147.0 desktop Linux
Updated1 Feb 2026
Found 1 result
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 1 result
Loading...