Characters that can break out of an inline style background-image url

Created by0xdef1ant

Created Jul 13, 2024

Updated May 27, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<div id="test" style="background-image: url($[chr];width:100%">hello</div>

Code used after fuzz:

let myDiv = document.getElementById("test");0x0D
function getCSSProperty(element, property) {0x0D
            return window.getComputedStyle(element).getPropertyValue(property);0x0D
        }0x0D
const width = getCSSProperty(myDiv, 'width');0x0D
if (width === '100%') {0x0D
log(String.fromCharCode($[i]))0x0D
  }

Sample payloads

<div id="test" style="background-image: url(⟦00⟧;width:100%">hello</div>

Characters that can break out of an inline style background-image url

Created by0xdef1ant

Created Jul 13, 2024

Updated May 27, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<div id="test" style="background-image: url($[chr];width:100%">hello</div>

Code used after fuzz:

let myDiv = document.getElementById("test");0x0D
function getCSSProperty(element, property) {0x0D
            return window.getComputedStyle(element).getPropertyValue(property);0x0D
        }0x0D
const width = getCSSProperty(myDiv, 'width');0x0D
if (width === '100%') {0x0D
log(String.fromCharCode($[i]))0x0D
  }

Sample payloads

<div id="test" style="background-image: url(⟦00⟧;width:100%">hello</div>

Characters that can break out of an inline style background-image url

Sample payloads

Fuzz results

Characters that can break out of an inline style background-image url

Sample payloads

Fuzz results

Distributed Fuzzing

Characters that can break out of an inline style background-image url

Sample payloads

Fuzz results

Characters that can break out of an inline style background-image url

Sample payloads

Fuzz results