Entities that convert to less than in a iframe srcdoc

This shows which entities convert to the less than character inside a iframe srcdoc. Inspired by: https://x.com/therceman/status/1803666353892585642

Shazzer Elite

Created Aug 1, 2024

Updated May 27, 2025

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeXSS

CharsetUTF-8

$[data1] placeholderhtml_entities

Template used:

<iframe srcdoc="$[data1]" id=x></iframe>

Code used after fuzz:

if(x.srcdoc.includes("<"))log('$[data1]')

Sample payloads

<iframe srcdoc="&lt;" id=x></iframe>

<iframe srcdoc="&LT;" id=x></iframe>

<iframe srcdoc="&nvlt;" id=x></iframe>