Fuzzing for Max sanitized input (simplified)

Simplified test for Max (https://discord.com/channels/1110206757227216916/1168685918920638614/1358614602153201736)
Created by: vitorfhc
Created on: Monday, April 7, 2025 at 11:26:32 AM
Updated on: Wednesday, May 28, 2025 at 5:06:20 PM
Vector type: XSS
Vector charset: UTF-8
Code used before fuzz:
<script>
window.onerror=x=>true;
</script>
<base href="https://example.com" />
Template used:
<a id=x></a>
Code used after fuzz:
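// Sanitizer under test: any string that begins with "javascript:" gets an "unsafe:" prefix.
const mw = /^(?!javascript:)/i;
function nu(e) {
  return (e = String(e)).match(mw) ? e : "unsafe:" + e;
}
// $[i] is the code point being fuzzed; it is placed in front of the URL before sanitizing.
const t = nu(`${String.fromCodePoint($[i])}javascript:alert(1)`);
x.href = t;
// Log the code point when the browser still resolves the href to the javascript: scheme.
x.protocol === 'javascript:' && log($[i]);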
Sample payloads
<a id=x></a>
Fuzz results

Chrome 135.0.0.0 desktop macOS 10.15.7
Updated
Mon Apr 07 2025
Found 33 results

Chrome 136.0.0.0 desktop Windows NT 10.0
Updated
Tue May 27 2025
Found 33 results