Fuzzing for Max sanitized input (simplified)

Simplified test for Max (https://discord.com/channels/1110206757227216916/1168685918920638614/1358614602153201736)

Created by: vitorfhc

Created on: Monday, April 7, 2025 at 11:26:32 AM

Updated on: Monday, April 7, 2025 at 5:16:20 PM

Vector type: XSS

Vector charset: UTF-8

Code used before fuzz:

<script>
window.onerror=x=>true;
</script>
<base href="https://example.com" />

Template used:
<a id=x></a>

Code used after fuzz:

const mw = /^(?!javascript:)/i;
function nu(e) {
    return (e = String(e)).match(mw) ? e : "unsafe:" + e
}

const t = nu(`${String.fromCodePoint($[i])}javascript:alert(1)`);
x.href = t
x.protocol === 'javascript:' && log($[i])

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a id=x></a>

Fuzz results

Chrome 135.0.0.0 desktop macOS 10.15.7

Updated

Mon Apr 07 2025

Found 33 results

Show differences only?

Filter out alphanumeric

Sort ascending