Characters that can work as attribute seperator

This vector shows which characters can be used instead of the normal space to work as an attribute seperator

Created by: Sudistark

Created on: Saturday, August 17, 2024 at 4:51:50 AM

Updated on: Wednesday, January 15, 2025 at 3:16:03 AM

Vector type: JS

Vector charset: UTF-8

Template used:

var markup = `<a$[chr]id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')

if(dom.getElementById('xss')){
     log($[i])
 }

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

var markup = `<a	id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')

if(dom.getElementById('xss')){
     alert(9)
 }

var markup = `<a
id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')

if(dom.getElementById('xss')){
     alert(10)
 }

var markup = `<aid=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')

if(dom.getElementById('xss')){
     alert(12)
 }

var markup = `<a
id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')

if(dom.getElementById('xss')){
     alert(13)
 }

var markup = `<a id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')

if(dom.getElementById('xss')){
     alert(32)
 }

var markup = `<a/id=xss>shirley</a>`
var dom = new DOMParser().parseFromString(markup,'text/html')

if(dom.getElementById('xss')){
     alert(47)
 }

Fuzz results

Chrome 127.0.0.0 desktop Windows NT 10.0

Updated

Sat Aug 17 2024

Found 6 results

Show differences only?

Filter out alphanumeric

Sort ascending