masato - braves parsing finding valid attributes
195
195Trying to see what attributes are filtered
Created by: InsertScript
Created on: Sunday, August 3, 2025 at 8:25:16 AM
Updated on: Sunday, August 3, 2025 at 8:25:16 AM
Category: DOM Behavior
Vector visibility: Public
Vector type: XSS
Vector charset: UTF-8
Vector data 1: attributes
Template used:
<div id="x$[data1]"><span x="$[data1]=123>&bbb"></span></div>0x0D
<script>0x0D
window["x$[data1]"].innerHTML=window["x$[data1]"].innerHTML;0x0D
if (window["x$[data1]"].firstChild.getAttribute("$[data1]") == 123)0x0D
{0x0D
log('$[data1]')0x0D
}0x0D
</script>Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
<div id="xaccesskey"><span x="accesskey=123>&bbb"></span></div>0x0D
<script>0x0D
window["xaccesskey"].innerHTML=window["xaccesskey"].innerHTML;0x0D
if (window["xaccesskey"].firstChild.getAttribute("accesskey") == 123)0x0D
{0x0D
alert('accesskey')0x0D
}0x0D
</script><div id="xanchor"><span x="anchor=123>&bbb"></span></div>0x0D
<script>0x0D
window["xanchor"].innerHTML=window["xanchor"].innerHTML;0x0D
if (window["xanchor"].firstChild.getAttribute("anchor") == 123)0x0D
{0x0D
alert('anchor')0x0D
}0x0D
</script><div id="xautocapitalize"><span x="autocapitalize=123>&bbb"></span></div>0x0D
<script>0x0D
window["xautocapitalize"].innerHTML=window["xautocapitalize"].innerHTML;0x0D
if (window["xautocapitalize"].firstChild.getAttribute("autocapitalize") == 123)0x0D
{0x0D
alert('autocapitalize')0x0D
}0x0D
</script><div id="xautofocus"><span x="autofocus=123>&bbb"></span></div>0x0D
<script>0x0D
window["xautofocus"].innerHTML=window["xautofocus"].innerHTML;0x0D
if (window["xautofocus"].firstChild.getAttribute("autofocus") == 123)0x0D
{0x0D
alert('autofocus')0x0D
}0x0D
</script><div id="xclass"><span x="class=123>&bbb"></span></div>0x0D
<script>0x0D
window["xclass"].innerHTML=window["xclass"].innerHTML;0x0D
if (window["xclass"].firstChild.getAttribute("class") == 123)0x0D
{0x0D
alert('class')0x0D
}0x0D
</script><div id="xcontenteditable"><span x="contenteditable=123>&bbb"></span></div>0x0D
<script>0x0D
window["xcontenteditable"].innerHTML=window["xcontenteditable"].innerHTML;0x0D
if (window["xcontenteditable"].firstChild.getAttribute("contenteditable") == 123)0x0D
{0x0D
alert('contenteditable')0x0D
}0x0D
</script><div id="xdir"><span x="dir=123>&bbb"></span></div>0x0D
<script>0x0D
window["xdir"].innerHTML=window["xdir"].innerHTML;0x0D
if (window["xdir"].firstChild.getAttribute("dir") == 123)0x0D
{0x0D
alert('dir')0x0D
}0x0D
</script><div id="xdraggable"><span x="draggable=123>&bbb"></span></div>0x0D
<script>0x0D
window["xdraggable"].innerHTML=window["xdraggable"].innerHTML;0x0D
if (window["xdraggable"].firstChild.getAttribute("draggable") == 123)0x0D
{0x0D
alert('draggable')0x0D
}0x0D
</script><div id="xenterkeyhint"><span x="enterkeyhint=123>&bbb"></span></div>0x0D
<script>0x0D
window["xenterkeyhint"].innerHTML=window["xenterkeyhint"].innerHTML;0x0D
if (window["xenterkeyhint"].firstChild.getAttribute("enterkeyhint") == 123)0x0D
{0x0D
alert('enterkeyhint')0x0D
}0x0D
</script><div id="xexportparts"><span x="exportparts=123>&bbb"></span></div>0x0D
<script>0x0D
window["xexportparts"].innerHTML=window["xexportparts"].innerHTML;0x0D
if (window["xexportparts"].firstChild.getAttribute("exportparts") == 123)0x0D
{0x0D
alert('exportparts')0x0D
}0x0D
</script><div id="xhidden"><span x="hidden=123>&bbb"></span></div>0x0D
<script>0x0D
window["xhidden"].innerHTML=window["xhidden"].innerHTML;0x0D
if (window["xhidden"].firstChild.getAttribute("hidden") == 123)0x0D
{0x0D
alert('hidden')0x0D
}0x0D
</script><div id="xid"><span x="id=123>&bbb"></span></div>0x0D
<script>0x0D
window["xid"].innerHTML=window["xid"].innerHTML;0x0D
if (window["xid"].firstChild.getAttribute("id") == 123)0x0D
{0x0D
alert('id')0x0D
}0x0D
</script><div id="xinert"><span x="inert=123>&bbb"></span></div>0x0D
<script>0x0D
window["xinert"].innerHTML=window["xinert"].innerHTML;0x0D
if (window["xinert"].firstChild.getAttribute("inert") == 123)0x0D
{0x0D
alert('inert')0x0D
}0x0D
</script><div id="xinputmode"><span x="inputmode=123>&bbb"></span></div>0x0D
<script>0x0D
window["xinputmode"].innerHTML=window["xinputmode"].innerHTML;0x0D
if (window["xinputmode"].firstChild.getAttribute("inputmode") == 123)0x0D
{0x0D
alert('inputmode')0x0D
}0x0D
</script><div id="xitemid"><span x="itemid=123>&bbb"></span></div>0x0D
<script>0x0D
window["xitemid"].innerHTML=window["xitemid"].innerHTML;0x0D
if (window["xitemid"].firstChild.getAttribute("itemid") == 123)0x0D
{0x0D
alert('itemid')0x0D
}0x0D
</script><div id="xitemprop"><span x="itemprop=123>&bbb"></span></div>0x0D
<script>0x0D
window["xitemprop"].innerHTML=window["xitemprop"].innerHTML;0x0D
if (window["xitemprop"].firstChild.getAttribute("itemprop") == 123)0x0D
{0x0D
alert('itemprop')0x0D
}0x0D
</script><div id="xitemref"><span x="itemref=123>&bbb"></span></div>0x0D
<script>0x0D
window["xitemref"].innerHTML=window["xitemref"].innerHTML;0x0D
if (window["xitemref"].firstChild.getAttribute("itemref") == 123)0x0D
{0x0D
alert('itemref')0x0D
}0x0D
</script><div id="xitemscope"><span x="itemscope=123>&bbb"></span></div>0x0D
<script>0x0D
window["xitemscope"].innerHTML=window["xitemscope"].innerHTML;0x0D
if (window["xitemscope"].firstChild.getAttribute("itemscope") == 123)0x0D
{0x0D
alert('itemscope')0x0D
}0x0D
</script><div id="xitemtype"><span x="itemtype=123>&bbb"></span></div>0x0D
<script>0x0D
window["xitemtype"].innerHTML=window["xitemtype"].innerHTML;0x0D
if (window["xitemtype"].firstChild.getAttribute("itemtype") == 123)0x0D
{0x0D
alert('itemtype')0x0D
}0x0D
</script><div id="xlang"><span x="lang=123>&bbb"></span></div>0x0D
<script>0x0D
window["xlang"].innerHTML=window["xlang"].innerHTML;0x0D
if (window["xlang"].firstChild.getAttribute("lang") == 123)0x0D
{0x0D
alert('lang')0x0D
}0x0D
</script>Fuzz results
Chrome 138.0.0.0 desktop Windows NT 10.0
Updated
Sun Aug 03 2025
Found 195 results
Loading...
Microsoft Edge 138.0.0.0 desktop Windows NT 10.0
Updated
Sun Aug 03 2025
Found 195 results
Loading...
Microsoft Edge 138.0.0.0 desktop Linux Unknown
Updated
Sat Aug 16 2025
Found 195 results
Loading...