Characters that can break out of an inline style background-image url

Created by: 0xdef1ant

Created on: Saturday, July 13, 2024 at 9:12:51 PM

Updated on: Monday, August 26, 2024 at 3:11:45 AM

Vector type: XSS

Template used:
<div id="test" style="background-image: url($[chr];width:100%">hello</div>

Code used after fuzz:

let myDiv = document.getElementById("test");
function getCSSProperty(element, property) {
            return window.getComputedStyle(element).getPropertyValue(property);
        }
const width = getCSSProperty(myDiv, 'width');
if (width === '100%') {
log(String.fromCharCode($[i]))
  }

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<div id="test" style="background-image: url(;width:100%">hello</div>

Fuzz results

Chrome 124.0.0.0 desktop macOS 10.15.7

Found 1 result

Show differences only?

Data
)