Detecting browser...
CategoryXSS Execution
VisibilityPublic
TypeJS
CharsetUTF-8
Code used before fuzz:
var element=document.createElement('img'),document.appendChild(element),S={};function w(a,b,c,d,e,f,g){return{acceptsBooleans:b===2||b===3||b===4,attributeName:a,attributeNamespace:e,mustUseProperty:c,propertyName:d,type:b,sanitizeURL:f,removeEmptyString:g}}["src","href","action","formAction"].forEach(function(e){S[e]=w(e,1,false,e.toLowerCase(),null,true,true)});function sanitizeAttribute(a,b,c){var d=S[b];d&&d.sanitizeURL?/^(https?|ftp|mailto|data):/.test(c)?a.setAttribute(b,c):console.log(`Blocked: ${c}`):a.setAttribute(b,c)}sanitizeAttribute('src','$[chr]><iframe><!--');Template used:
//Code used after fuzz:
if (document.querySelector('iframe')) {0x0D
log($[chr])0x0D
}Sample payloads
//Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated25 Jan 2026
Found 1 result
Loading...
Firefox 147.0 desktop Linux
Updated1 Feb 2026
Found 1 result
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 1 result
Loading...