Characters that can work as attribute seperator
6
6
6This vector shows which characters can be used instead of the normal space to work as an attribute seperator
Created bySudistark
Created Aug 17, 2024
Updated May 27, 2025
Detecting browser...
CategoryDOM Behavior
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
var markup = `<a$[chr]id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
log($[i])0x0D
}0x0D
0x0D
0x0D
Sample payloads
var markup = `<a0x09id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(9)0x0D
}0x0D
0x0D
0x0D
var markup = `<a
id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(10)0x0D
}0x0D
0x0D
0x0D
var markup = `<a0x0Cid=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(12)0x0D
}0x0D
0x0D
0x0D
var markup = `<a0x0Did=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(13)0x0D
}0x0D
0x0D
0x0D
var markup = `<a id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(32)0x0D
}0x0D
0x0D
0x0D
var markup = `<a/id=xss>shirley</a>`0x0D
var dom = new DOMParser().parseFromString(markup,'text/html')0x0D
0x0D
if(dom.getElementById('xss')){0x0D
alert(47)0x0D
}0x0D
0x0D
0x0D
Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 6 results
Loading...
Chrome 143.0.0.0 desktop macOS 10.15.7older version
Updated25 Jan 2026
Found 6 results
Loading...
Firefox 147.0 desktop Linux
Updated1 Feb 2026
Found 6 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 6 results
Loading...