Chars allowed between src and = in img tag

Shows characters that are allowed between src and = in an img tag.

Created by: rootd4ddy

Created on: Sunday, March 2, 2025 at 2:00:18 AM

Updated on: Monday, April 7, 2025 at 8:32:23 PM

Vector type: XSS

Vector charset: UTF-8

Code used before fuzz:
<script>
window.onerror = () => true; 
</script>
Template used:
<img src$[chr]=data:text/plain, id="testImg">
Code used after fuzz:
const img = document.getElementById('testImg');
if (img.hasAttribute('src') && img.getAttribute('src') === 'data:text/plain,') {
    log($[i]);
}
Sample payloads

<img src	=data:text/plain, id="testImg">
<img src
=data:text/plain, id="testImg">
<img src=data:text/plain, id="testImg">
<img src
=data:text/plain, id="testImg">
<img src =data:text/plain, id="testImg">

Fuzz results

Chrome 132.0.0.0 desktop Linux Unknown

Updated

Sun Mar 02 2025
Found 5 results
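
An offline sketch of the same fuzz, added here and not part of the original vector page: it follows the HTML Standard's attribute tokenizer states (simplified, with no character-reference decoding) to show why only whitespace survives between `src` and `=`, and which of those hits a filter matching the literal string `src=` fails to flag. The function names and `NAIVE_FILTER` are assumptions made for illustration.

```javascript
// Added sketch, not the page's code. Tokenizer whitespace; CR is preprocessed to LF.
const WS = new Set(['\t', '\n', '\f', '\r', ' ']);
// Hypothetical naive filter that only recognises a literal "src=".
const NAIVE_FILTER = /\bsrc=/i;

// Parse one start tag's attributes (name -> value, first wins); no character references.
function parseStartTagAttributes(tag) {
  const attrs = new Map();
  let i = tag.indexOf('<') + 1;
  while (i < tag.length && !WS.has(tag[i]) && !'/>'.includes(tag[i])) i++; // tag name
  while (i < tag.length) {
    // Before attribute name: skip whitespace and stray '/'.
    while (i < tag.length && (WS.has(tag[i]) || tag[i] === '/')) i++;
    if (i >= tag.length || tag[i] === '>') break;
    // Attribute name: first char is always taken (even '='), then up to WS, '/', '>' or '='.
    let name = tag[i++];
    while (i < tag.length && !WS.has(tag[i]) && !'/>='.includes(tag[i])) name += tag[i++];
    // After attribute name: whitespace is skipped before '=' is looked for.
    while (i < tag.length && WS.has(tag[i])) i++;
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && WS.has(tag[i])) i++; // before attribute value
      if (tag[i] === '"' || tag[i] === "'") {
        const end = tag.indexOf(tag[i], i + 1);
        const stop = end < 0 ? tag.length : end;
        value = tag.slice(i + 1, stop);
        i = stop + 1;
      } else {
        while (i < tag.length && !WS.has(tag[i]) && tag[i] !== '>') value += tag[i++];
      }
    }
    if (!attrs.has(name.toLowerCase())) attrs.set(name.toLowerCase(), value);
  }
  return attrs;
}

// Replay the page's template for each code point; collect those that keep src intact.
function fuzzBetweenNameAndEquals(maxCode = 0x7f) {
  const hits = [];
  for (let cp = 0; cp <= maxCode; cp++) {
    const tag = `<img src${String.fromCodePoint(cp)}=data:text/plain, id="testImg">`;
    if (parseStartTagAttributes(tag).get('src') === 'data:text/plain,') hits.push(cp);
  }
  return hits;
}

// Hits that the naive filter does not flag as carrying a src attribute.
const missedByNaive = (hits) => hits.filter(
  (cp) => !NAIVE_FILTER.test(`<img src${String.fromCodePoint(cp)}=x>`));
```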