masato - braves parsing finding valid attributes

Trying to see what attributes are filtered

Bug Hunter

Created byInsertScript

Created Aug 3, 2025

Updated Aug 3, 2025

Detecting browser...

CategoryDOM Behavior

VisibilityPublic

TypeXSS

CharsetUTF-8

$[data1] placeholderattributes

Template used:

<div id="x$[data1]"><span x="$[data1]=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["x$[data1]"].innerHTML=window["x$[data1]"].innerHTML;0x0D
if (window["x$[data1]"].firstChild.getAttribute("$[data1]") == 123)0x0D
{0x0D
log('$[data1]')0x0D
}0x0D
</script>

Sample payloads

<div id="xaccesskey"><span x="accesskey=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xaccesskey"].innerHTML=window["xaccesskey"].innerHTML;0x0D
if (window["xaccesskey"].firstChild.getAttribute("accesskey") == 123)0x0D
{0x0D
alert('accesskey')0x0D
}0x0D
</script>

<div id="xanchor"><span x="anchor=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xanchor"].innerHTML=window["xanchor"].innerHTML;0x0D
if (window["xanchor"].firstChild.getAttribute("anchor") == 123)0x0D
{0x0D
alert('anchor')0x0D
}0x0D
</script>

<div id="xautocapitalize"><span x="autocapitalize=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xautocapitalize"].innerHTML=window["xautocapitalize"].innerHTML;0x0D
if (window["xautocapitalize"].firstChild.getAttribute("autocapitalize") == 123)0x0D
{0x0D
alert('autocapitalize')0x0D
}0x0D
</script>

<div id="xautofocus"><span x="autofocus=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xautofocus"].innerHTML=window["xautofocus"].innerHTML;0x0D
if (window["xautofocus"].firstChild.getAttribute("autofocus") == 123)0x0D
{0x0D
alert('autofocus')0x0D
}0x0D
</script>

<div id="xclass"><span x="class=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xclass"].innerHTML=window["xclass"].innerHTML;0x0D
if (window["xclass"].firstChild.getAttribute("class") == 123)0x0D
{0x0D
alert('class')0x0D
}0x0D
</script>

<div id="xcontenteditable"><span x="contenteditable=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xcontenteditable"].innerHTML=window["xcontenteditable"].innerHTML;0x0D
if (window["xcontenteditable"].firstChild.getAttribute("contenteditable") == 123)0x0D
{0x0D
alert('contenteditable')0x0D
}0x0D
</script>

<div id="xdir"><span x="dir=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xdir"].innerHTML=window["xdir"].innerHTML;0x0D
if (window["xdir"].firstChild.getAttribute("dir") == 123)0x0D
{0x0D
alert('dir')0x0D
}0x0D
</script>

<div id="xdraggable"><span x="draggable=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xdraggable"].innerHTML=window["xdraggable"].innerHTML;0x0D
if (window["xdraggable"].firstChild.getAttribute("draggable") == 123)0x0D
{0x0D
alert('draggable')0x0D
}0x0D
</script>

<div id="xenterkeyhint"><span x="enterkeyhint=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xenterkeyhint"].innerHTML=window["xenterkeyhint"].innerHTML;0x0D
if (window["xenterkeyhint"].firstChild.getAttribute("enterkeyhint") == 123)0x0D
{0x0D
alert('enterkeyhint')0x0D
}0x0D
</script>

<div id="xexportparts"><span x="exportparts=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xexportparts"].innerHTML=window["xexportparts"].innerHTML;0x0D
if (window["xexportparts"].firstChild.getAttribute("exportparts") == 123)0x0D
{0x0D
alert('exportparts')0x0D
}0x0D
</script>

<div id="xhidden"><span x="hidden=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xhidden"].innerHTML=window["xhidden"].innerHTML;0x0D
if (window["xhidden"].firstChild.getAttribute("hidden") == 123)0x0D
{0x0D
alert('hidden')0x0D
}0x0D
</script>

<div id="xid"><span x="id=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xid"].innerHTML=window["xid"].innerHTML;0x0D
if (window["xid"].firstChild.getAttribute("id") == 123)0x0D
{0x0D
alert('id')0x0D
}0x0D
</script>

<div id="xinert"><span x="inert=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xinert"].innerHTML=window["xinert"].innerHTML;0x0D
if (window["xinert"].firstChild.getAttribute("inert") == 123)0x0D
{0x0D
alert('inert')0x0D
}0x0D
</script>

<div id="xinputmode"><span x="inputmode=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xinputmode"].innerHTML=window["xinputmode"].innerHTML;0x0D
if (window["xinputmode"].firstChild.getAttribute("inputmode") == 123)0x0D
{0x0D
alert('inputmode')0x0D
}0x0D
</script>

<div id="xitemid"><span x="itemid=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemid"].innerHTML=window["xitemid"].innerHTML;0x0D
if (window["xitemid"].firstChild.getAttribute("itemid") == 123)0x0D
{0x0D
alert('itemid')0x0D
}0x0D
</script>

<div id="xitemprop"><span x="itemprop=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemprop"].innerHTML=window["xitemprop"].innerHTML;0x0D
if (window["xitemprop"].firstChild.getAttribute("itemprop") == 123)0x0D
{0x0D
alert('itemprop')0x0D
}0x0D
</script>

<div id="xitemref"><span x="itemref=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemref"].innerHTML=window["xitemref"].innerHTML;0x0D
if (window["xitemref"].firstChild.getAttribute("itemref") == 123)0x0D
{0x0D
alert('itemref')0x0D
}0x0D
</script>

<div id="xitemscope"><span x="itemscope=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemscope"].innerHTML=window["xitemscope"].innerHTML;0x0D
if (window["xitemscope"].firstChild.getAttribute("itemscope") == 123)0x0D
{0x0D
alert('itemscope')0x0D
}0x0D
</script>

<div id="xitemtype"><span x="itemtype=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xitemtype"].innerHTML=window["xitemtype"].innerHTML;0x0D
if (window["xitemtype"].firstChild.getAttribute("itemtype") == 123)0x0D
{0x0D
alert('itemtype')0x0D
}0x0D
</script>

<div id="xlang"><span x="lang=123&gt;&bbb"></span></div>0x0D
<script>0x0D
window["xlang"].innerHTML=window["xlang"].innerHTML;0x0D
if (window["xlang"].firstChild.getAttribute("lang") == 123)0x0D
{0x0D
alert('lang')0x0D
}0x0D
</script>

Distributed Fuzzing

masato - braves parsing finding valid attributes

Sample payloads

Fuzz results