HTML elements that inherit properties which return the full URL

HTML elements that inherit properties which return the full URL(including credentials & location.hash), baseURI excluded

Created by: 0x999-x

Created on: Thursday, November 14, 2024 at 11:38:50 AM

Updated on: Tuesday, May 27, 2025 at 3:30:07 PM

Category: HTML Parsing

Vector visibility: Public

Vector type: XSS

Vector charset: UTF-8

Vector data 1: html

Template used:

<$[data1] id="xx">

Code used after fuzz:

function getAllProperties(obj, maxDepth = 3) {0x0D
  const properties = new Set();0x0D
  let depth = 0;0x0D
  while (obj && depth < maxDepth) {0x0D
    Object.getOwnPropertyNames(obj).forEach(prop => properties.add(prop));0x0D
    obj = Object.getPrototypeOf(obj);0x0D
    depth += 1;0x0D
  }0x0D
  return [...properties];0x0D
}0x0D
const properties = getAllProperties(xx)0x0D
        for (const prop of properties) {0x0D
            try {0x0D
                if (xx[prop].includes("shazzer")) {0x0D
0x090x090x090x090x09log('$[data1]:'+prop)0x0D
                }0x0D
            } catch (e) {0x0D
            }0x0D
        }

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<base:href id="xx">

<button:formAction id="xx">

<form:action id="xx">

<input:formAction id="xx">

Fuzz results

Chrome 143.0.0.0 desktop macOS 10.15.7

Updated

Wed Jan 28 2026

Found 4 results

Show differences only?

Filter out alphanumeric

Sort ascending

Chrome 131.0.0.0 desktop Windows NT 10.0older version