Characters that can break out of an inline style background-image url

Created by: 0xdef1ant

Created on: Saturday, July 13, 2024 at 9:12:51 PM

Updated on: Tuesday, May 27, 2025 at 8:15:32 AM

Category: URL Handling

Vector visibility: Public

Vector type: XSS

Vector charset: UTF-8

Template used:

<div id="test" style="background-image: url($[chr];width:100%">hello</div>

Code used after fuzz:

let myDiv = document.getElementById("test");0x0D
function getCSSProperty(element, property) {0x0D
            return window.getComputedStyle(element).getPropertyValue(property);0x0D
        }0x0D
const width = getCSSProperty(myDiv, 'width');0x0D
if (width === '100%') {0x0D
log(String.fromCharCode($[i]))0x0D
  }

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<div id="test" style="background-image: url(⟦00⟧;width:100%">hello</div>

Fuzz results

Chrome 124.0.0.0 desktop macOS 10.15.7

Updated

Sat Jul 13 2024

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending

Characters that can break out of an inline style background-image url

Sample payloads

Fuzz results

Distributed Fuzzing