masato - braves parsing finding valid attributes

Trying to see what attributes are filtered

Created byInsertScript

Created Aug 3, 2025

Updated Aug 3, 2025

Detecting browser...

CategoryDOM Behavior

VisibilityPublic

TypeXSS

CharsetUTF-8

$[data1] placeholderattributes

Template used:

<div id="x$[data1]"><span x="$[data1]=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x$[data1]"].innerHTML=window["x$[data1]"].innerHTML;0x0D
if (window["x$[data1]"].firstChild.getAttribute("$[data1]") == 123)0x0D
{0x0D
log('$[data1]')0x0D
}0x0D
</script>

Sample payloads

<div id="xaccesskey"><span x="accesskey=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xaccesskey"].innerHTML=window["xaccesskey"].innerHTML;0x0D
if (window["xaccesskey"].firstChild.getAttribute("accesskey") == 123)0x0D
{0x0D
alert('accesskey')0x0D
}0x0D
</script>

<div id="xanchor"><span x="anchor=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xanchor"].innerHTML=window["xanchor"].innerHTML;0x0D
if (window["xanchor"].firstChild.getAttribute("anchor") == 123)0x0D
{0x0D
alert('anchor')0x0D
}0x0D
</script>

<div id="xautocapitalize"><span x="autocapitalize=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xautocapitalize"].innerHTML=window["xautocapitalize"].innerHTML;0x0D
if (window["xautocapitalize"].firstChild.getAttribute("autocapitalize") == 123)0x0D
{0x0D
alert('autocapitalize')0x0D
}0x0D
</script>

<div id="xautofocus"><span x="autofocus=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xautofocus"].innerHTML=window["xautofocus"].innerHTML;0x0D
if (window["xautofocus"].firstChild.getAttribute("autofocus") == 123)0x0D
{0x0D
alert('autofocus')0x0D
}0x0D
</script>

<div id="xclass"><span x="class=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xclass"].innerHTML=window["xclass"].innerHTML;0x0D
if (window["xclass"].firstChild.getAttribute("class") == 123)0x0D
{0x0D
alert('class')0x0D
}0x0D
</script>

<div id="xcontenteditable"><span x="contenteditable=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xcontenteditable"].innerHTML=window["xcontenteditable"].innerHTML;0x0D
if (window["xcontenteditable"].firstChild.getAttribute("contenteditable") == 123)0x0D
{0x0D
alert('contenteditable')0x0D
}0x0D
</script>

<div id="xdir"><span x="dir=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xdir"].innerHTML=window["xdir"].innerHTML;0x0D
if (window["xdir"].firstChild.getAttribute("dir") == 123)0x0D
{0x0D
alert('dir')0x0D
}0x0D
</script>

<div id="xdraggable"><span x="draggable=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xdraggable"].innerHTML=window["xdraggable"].innerHTML;0x0D
if (window["xdraggable"].firstChild.getAttribute("draggable") == 123)0x0D
{0x0D
alert('draggable')0x0D
}0x0D
</script>

<div id="xenterkeyhint"><span x="enterkeyhint=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xenterkeyhint"].innerHTML=window["xenterkeyhint"].innerHTML;0x0D
if (window["xenterkeyhint"].firstChild.getAttribute("enterkeyhint") == 123)0x0D
{0x0D
alert('enterkeyhint')0x0D
}0x0D
</script>

<div id="xexportparts"><span x="exportparts=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xexportparts"].innerHTML=window["xexportparts"].innerHTML;0x0D
if (window["xexportparts"].firstChild.getAttribute("exportparts") == 123)0x0D
{0x0D
alert('exportparts')0x0D
}0x0D
</script>

<div id="xhidden"><span x="hidden=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xhidden"].innerHTML=window["xhidden"].innerHTML;0x0D
if (window["xhidden"].firstChild.getAttribute("hidden") == 123)0x0D
{0x0D
alert('hidden')0x0D
}0x0D
</script>

<div id="xid"><span x="id=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xid"].innerHTML=window["xid"].innerHTML;0x0D
if (window["xid"].firstChild.getAttribute("id") == 123)0x0D
{0x0D
alert('id')0x0D
}0x0D
</script>

<div id="xinert"><span x="inert=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xinert"].innerHTML=window["xinert"].innerHTML;0x0D
if (window["xinert"].firstChild.getAttribute("inert") == 123)0x0D
{0x0D
alert('inert')0x0D
}0x0D
</script>

<div id="xinputmode"><span x="inputmode=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xinputmode"].innerHTML=window["xinputmode"].innerHTML;0x0D
if (window["xinputmode"].firstChild.getAttribute("inputmode") == 123)0x0D
{0x0D
alert('inputmode')0x0D
}0x0D
</script>

<div id="xitemid"><span x="itemid=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemid"].innerHTML=window["xitemid"].innerHTML;0x0D
if (window["xitemid"].firstChild.getAttribute("itemid") == 123)0x0D
{0x0D
alert('itemid')0x0D
}0x0D
</script>

<div id="xitemprop"><span x="itemprop=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemprop"].innerHTML=window["xitemprop"].innerHTML;0x0D
if (window["xitemprop"].firstChild.getAttribute("itemprop") == 123)0x0D
{0x0D
alert('itemprop')0x0D
}0x0D
</script>

<div id="xitemref"><span x="itemref=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemref"].innerHTML=window["xitemref"].innerHTML;0x0D
if (window["xitemref"].firstChild.getAttribute("itemref") == 123)0x0D
{0x0D
alert('itemref')0x0D
}0x0D
</script>

<div id="xitemscope"><span x="itemscope=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemscope"].innerHTML=window["xitemscope"].innerHTML;0x0D
if (window["xitemscope"].firstChild.getAttribute("itemscope") == 123)0x0D
{0x0D
alert('itemscope')0x0D
}0x0D
</script>

<div id="xitemtype"><span x="itemtype=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemtype"].innerHTML=window["xitemtype"].innerHTML;0x0D
if (window["xitemtype"].firstChild.getAttribute("itemtype") == 123)0x0D
{0x0D
alert('itemtype')0x0D
}0x0D
</script>

<div id="xlang"><span x="lang=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xlang"].innerHTML=window["xlang"].innerHTML;0x0D
if (window["xlang"].firstChild.getAttribute("lang") == 123)0x0D
{0x0D
alert('lang')0x0D
}0x0D
</script>

masato - braves parsing finding valid attributes

Sample payloads

Fuzz results

Distributed Fuzzing