Entities that convert to less than in a iframe srcdoc
3
3
3
3This shows which entities convert to the less than character inside a iframe srcdoc. Inspired by: https://x.com/therceman/status/1803666353892585642
Created byhackvertor
Created Aug 1, 2024
Updated May 27, 2025
Detecting browser...
CategoryEntity Parsing
VisibilityPublic
TypeXSS
CharsetUTF-8
$[data1] placeholderhtml_entities
Template used:
<iframe srcdoc="$[data1]" id=x></iframe>Code used after fuzz:
if(x.srcdoc.includes("<"))log('$[data1]')Sample payloads
<iframe srcdoc="<" id=x></iframe><iframe srcdoc="<" id=x></iframe><iframe srcdoc="<⃒" id=x></iframe>Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 3 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated28 Jan 2026
Found 3 results
Loading...
Firefox 147.0 desktop Linux
Updated1 Feb 2026
Found 3 results
Loading...
Firefox 128.0 desktop macOS 10.15older version
Updated1 Aug 2024
Found 3 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 3 results
Loading...
Safari 18.0 desktop macOS 10.15.7
Updated1 Aug 2024
Found 3 results
Loading...