Fuzzing for Max sanitized input (simplified)

Simplified test for Max (https://discord.com/channels/1110206757227216916/1168685918920638614/1358614602153201736)

Created by: vitorfhc

Created on: Monday, April 7, 2025 at 11:26:32 AM

Updated on: Wednesday, May 28, 2025 at 5:06:20 PM

Vector type: XSS

Vector charset: UTF-8

Code used before fuzz:

<script>
window.onerror=x=>true;
</script>
<base href="https://example.com" />

Template used:
<a id=x></a>

Code used after fuzz:

const mw = /^(?!javascript:)/i;
function nu(e) {
    return (e = String(e)).match(mw) ? e : "unsafe:" + e
}

const t = nu(`${String.fromCodePoint($[i])}javascript:alert(1)`);
x.href = t
x.protocol === 'javascript:' && log($[i])

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a id=x></a>

Fuzz results

Chrome 135.0.0.0 desktop macOS 10.15.7

Updated

Mon Apr 07 2025

Found 33 results

Show differences only?

Filter out alphanumeric

Sort ascending

Chrome 136.0.0.0 desktop Windows NT 10.0

Updated

Tue May 27 2025

Found 33 results

Show differences only?

Filter out alphanumeric

Sort ascending