6:["$","div",null,{"className":"flex flex-col lg:flex-row","children":["$","div",null,{"children":[["$","div",null,{"className":"grid grid-cols-1 md:grid-cols-2 xl:grid-cols-2 gap-3","children":[["$","div",null,{"children":[["$","div",null,{"className":"mb-4","children":[["$","h1",null,{"className":"text-3xl font-bold break-words tracking-tight","children":"Tags that HTML encode it's contents"}],["$","div",null,{"className":"flex flex-col gap-2","children":[false,["$","div",null,{"className":"flex flex-row","children":[["$","div","browserIcon0",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Chrome 145.0.0.0 - Updated 2d ago","children":[["$","$L16",null,{"src":"/logos/browsers/chrome.png","width":32,"height":32,"alt":"Chrome logo","className":"","priority":true}]," ",false," ",false," ",false," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"2"}]]}],["$","div","browserIcon1",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Firefox 147.0 - Updated 19d ago","children":[false," ",["$","$L16",null,{"src":"/logos/browsers/firefox.png","width":32,"height":32,"alt":"Firefox logo","className":"","priority":true}]," ",false," ",false," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"2"}]]}],["$","div","browserIcon2",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Microsoft Edge 145.0.0.0 - Updated 2d ago","children":[false," ",false," ",false," ",["$","$L16",null,{"src":"/logos/browsers/edge.png","width":32,"height":32,"alt":"Edge logo","className":"","priority":true}]," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"2"}]]}],["$","div","browserIcon3",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Safari 17.4 - Updated 1y ago","children":[false," ",false," ",["$","$L16",null,{"src":"/logos/browsers/safari.png","width":32,"height":32,"alt":"Safari logo","className":"","priority":true}]," ",false," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"2"}]]}]]}]]}]]}],["$","p",null,{"className":"text-base-content/80 break-words leading-relaxed mb-6","children":"This enumerates through all HTML tags and checks if the span gets HTML encoded."}],["$","div",null,{"className":"flex items-center gap-3 mb-6 p-3 bg-base-200 rounded-lg w-fit","children":[["$","div",null,{"className":"avatar","children":["$","div",null,{"className":"w-10 rounded-full","children":["$","$L16",null,{"src":"https://avatars.githubusercontent.com/u/1217702?v=4","width":40,"height":40,"alt":"hackvertor","className":"rounded-full"}]}]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide","children":"Created by"}],["$","$L1b","6605740959c283fb174e7998",{"href":"/profile?id=6605740959c283fb174e7998","className":"link link-hover font-semibold","children":"hackvertor"}]]}],null]}],["$","div",null,{"className":"flex flex-wrap gap-4 text-sm text-base-content/70 mb-6","children":[["$","div",null,{"className":"flex items-center gap-2","children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M8 7V3m8 4V3m-9 8h10M5 21h14a2 2 0 002-2V7a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z"}]}],["$","span",null,{"children":["Created"," ","Jul 16, 2024"]}]]}],["$","div",null,{"className":"flex items-center gap-2","children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15"}]}],["$","span",null,{"children":["Updated"," ","May 27, 2025"]}]]}]]}],["$","div",null,{"className":"space-y-4","children":[["$","div",null,{"className":"flex flex-wrap gap-2","children":[["$","$L1c",null,{"data1":"html","data2":"","end":65535,"initCode":"","afterCode":"x.innerHTML.includes('<') && log('$[data1]')","template":"<$[data1] id=x>","mode":"XSS","csrfToken":"AAiQeOCHEnvSL4RWPgg+TU3bm15ENJKkojnNrQfe","charset":"UTF-8"}],["$","$L1d",null,{"start":0,"end":65535,"autofuzz":false,"template":"<$[data1] id=x>","vectorType":"XSS","fuzzToken":"0751cff8bdbc714051a67e16254e270f","initCode":"","afterCode":"x.innerHTML.includes('<') && log('$[data1]')","data1":"html","data2":"","csrfToken":"AAiQeOCHEnvSL4RWPgg+TU3bm15ENJKkojnNrQfe","id":"6696ceb6fedc8b29e3ed9c5c","doRedirect":true,"charset":"UTF-8"}]]}],["$","div",null,{"className":"divider my-2"}],["$","div",null,{"className":"flex flex-wrap items-center gap-2","children":[["$","button",null,{"type":"button","className":"btn btn-secondary","disabled":true,"children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M11 5H6a2 2 0 00-2 2v11a2 2 0 002 2h11a2 2 0 002-2v-5m-1.414-9.414a2 2 0 112.828 2.828L11.828 15H9v-2.828l8.586-8.586z"}]}],"Edit"]}],["$","$L1b",null,{"href":"/vectors/new/?id=6696ceb6fedc8b29e3ed9c5c","children":["$","button",null,{"type":"button","className":"btn btn-secondary","children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M8 16H6a2 2 0 01-2-2V6a2 2 0 012-2h8a2 2 0 012 2v2m-6 12h8a2 2 0 002-2v-8a2 2 0 00-2-2h-8a2 2 0 00-2 2v8a2 2 0 002 2z"}]}],"Fork"]}]}],["$","$L1e",null,{"fuzzToken":"0751cff8bdbc714051a67e16254e270f"}],["$","$L1f",null,{"text":"Tags that HTML encode it's contents"}],["$","$L20",null,{"disabled":true,"toggleLike":"$h21","id":"6696ceb6fedc8b29e3ed9c5c","likeCount":0,"currentLikeStatus":false,"csrfToken":"AAiQeOCHEnvSL4RWPgg+TU3bm15ENJKkojnNrQfe"}]]}]]}]]}],["$","div",null,{"children":[["$","div",null,{"className":"mb-5","children":["$","$L22",null,{}]}],["$","div",null,{"className":"bg-base-200 rounded-lg p-4 mb-5","children":["$","div",null,{"className":"flex flex-wrap gap-3 lg:grid lg:grid-cols-2 justify-items-start","children":[["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Category"}],["$","span",null,{"className":"badge badge-primary","children":"HTML Parsing"}]]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Visibility"}],["$","span",null,{"className":"badge badge-primary","children":"Public"}]]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Type"}],["$","span",null,{"className":"badge badge-primary","children":"XSS"}]]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Charset"}],["$","span",null,{"className":"badge badge-primary","children":"UTF-8"}]]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"$$[data1] placeholder"}],["$","span",null,{"className":"badge badge-primary","children":"html"}]]}],""]}]}],"",["$","div",null,{"className":"mb-5","children":["Template used:",["$","br",null,{}],["$","$L23",null,{"code":"<$[data1] id=x>","language":"markup","maxHeight":"300px"}]]}],["$","div",null,{"className":"mb-5","children":["Code used after fuzz:",["$","br",null,{}],["$","$L23",null,{"code":"x.innerHTML.includes('<') && log('$[data1]')","language":"javascript","maxHeight":"300px"}]]}]]}]]}],["$","div",null,{"className":"mt-5 overflow-x-visible overflow-y-auto max-h-[300px] w-full border-t border-slate-700 p-5","children":[["$","h2",null,{"className":"text-xl font-bold mb-3","children":"Sample payloads"}],["$","div",null,{"className":"flex gap-2","children":[["$","$L24",null,{"text":"Copy payloads to clipboard","data":"\n"}],["$","$L25",null,{"vector":{"id":"6696ceb6fedc8b29e3ed9c5c","visibility":"Public","privatePrefixToken":"309afb7ab7","category":"HTML Parsing","initCode":"","afterCode":"x.innerHTML.includes('<') && log('$[data1]')","description":"This enumerates through all HTML tags and checks if the span gets HTML encoded.","name":"Tags that HTML encode it's contents","type":"XSS","data1":"html","data2":"","charset":"UTF-8","vector":"<$[data1] id=x>","viewed":127,"fuzzToken":"0751cff8bdbc714051a67e16254e270f","createdAt":"$D2024-07-16T19:49:10.411Z","updatedAt":"$D2025-05-27T08:15:23.776Z","userId":"6605740959c283fb174e7998","User":{"id":"6605740959c283fb174e7998","name":"Gareth Heyes","username":"hackvertor","image":"https://avatars.githubusercontent.com/u/1217702?v=4"}},"payloads":["",""]}]]}],["$","div",null,{"className":"grid grid-cols-1 md:grid-cols-2 xl:grid-cols-2 gap-3 mt-5","children":["$","$L26",null,{"vector":"$27","fuzzResults":[{"id":"697f35e5873500fc328e2f7d","vectorId":"6696ceb6fedc8b29e3ed9c5c","charset":"UTF-8","browser":"Firefox","version":"147.0","platform":"desktop","os":"Linux","characters":"textarea,title","userId":"6605740959c283fb174e7998","createdAt":"$D2026-02-01T11:15:49.693Z","updatedAt":"$D2026-02-01T11:15:49.693Z"},{"id":"697e72dd41798ad437530d35","vectorId":"6696ceb6fedc8b29e3ed9c5c","charset":"UTF-8","browser":"Microsoft Edge","version":"145.0.0.0","platform":"desktop","os":"Windows NT 10.0","characters":"textarea,title","userId":"6605740959c283fb174e7998","createdAt":"$D2026-01-31T21:23:41.901Z","updatedAt":"$D2026-02-18T18:17:29.234Z"},{"id":"697d746f85d893c67f4484ed","vectorId":"6696ceb6fedc8b29e3ed9c5c","charset":"UTF-8","browser":"Chrome","version":"145.0.0.0","platform":"desktop","os":"Windows NT 10.0","characters":"textarea,title","userId":"6605740959c283fb174e7998","createdAt":"$D2026-01-31T03:18:07.324Z","updatedAt":"$D2026-02-17T20:35:40.451Z"},{"id":"6696cee46306f2d92d5788f8","vectorId":"6696ceb6fedc8b29e3ed9c5c","charset":"UTF-8","browser":"Safari","version":"17.4","platform":"desktop","os":"macOS 10.15.7","characters":"textarea,title","userId":"6605740959c283fb174e7998","createdAt":"$D2024-07-16T19:49:56.620Z","updatedAt":"$D2024-07-16T19:49:56.620Z"},{"id":"6696ced26306f2d92d5788f7","vectorId":"6696ceb6fedc8b29e3ed9c5c","charset":"UTF-8","browser":"Firefox","version":"128.0","platform":"desktop","os":"macOS 10.15","characters":"textarea,title","userId":"6605740959c283fb174e7998","createdAt":"$D2024-07-16T19:49:38.215Z","updatedAt":"$D2024-07-16T19:49:38.215Z"},{"id":"6696cebde95c5589544cf041","vectorId":"6696ceb6fedc8b29e3ed9c5c","charset":"UTF-8","browser":"Chrome","version":"144.0.0.0","platform":"desktop","os":"macOS 10.15.7","characters":"textarea,title","userId":"6605740959c283fb174e7998","createdAt":"$D2024-07-16T19:49:17.593Z","updatedAt":"$D2026-02-17T20:33:27.776Z"}],"limit":20}]}]]}],["$","div",null,{"className":"mt-5 border-t border-slate-700 p-5","children":[["$","h2",null,{"className":"text-xl font-bold mb-3","children":"Fuzz results"}],["$","$L29",null,{"fuzzResults":"$2a","highlights":[],"vector":"$27"}]]}]]}]}]

Tags that HTML encode it's contents

Sample payloads

Fuzz results

Distributed Fuzzing