masato - braves parsing finding valid characters

Chrome logo 70
Edge logo 70

Trying to see what cahracters are allowed

Created by: InsertScript

Created on: Sunday, August 3, 2025 at 9:17:09 AM

Updated on: Sunday, August 3, 2025 at 9:17:09 AM


Vector type: XSS

Vector charset: UTF-8

Template used:
<div id="x$[i]"><span x="href=$[chr]&gt;&bbb"></span></div>
<script>
window["x$[i]"].innerHTML=window["x$[i]"].innerHTML;
if (window["x$[i]"].firstChild.getAttribute("href") != null)
{
log($[i])
}
</script>
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

<div id="x9"><span x="href=	&gt;&bbb"></span></div>
<script>
window["x9"].innerHTML=window["x9"].innerHTML;
if (window["x9"].firstChild.getAttribute("href") != null)
{
alert(9)
}
</script>
<div id="x10"><span x="href=
&gt;&bbb"></span></div>
<script>
window["x10"].innerHTML=window["x10"].innerHTML;
if (window["x10"].firstChild.getAttribute("href") != null)
{
alert(10)
}
</script>
<div id="x12"><span x="href=&gt;&bbb"></span></div>
<script>
window["x12"].innerHTML=window["x12"].innerHTML;
if (window["x12"].firstChild.getAttribute("href") != null)
{
alert(12)
}
</script>
<div id="x13"><span x="href=
&gt;&bbb"></span></div>
<script>
window["x13"].innerHTML=window["x13"].innerHTML;
if (window["x13"].firstChild.getAttribute("href") != null)
{
alert(13)
}
</script>
<div id="x32"><span x="href= &gt;&bbb"></span></div>
<script>
window["x32"].innerHTML=window["x32"].innerHTML;
if (window["x32"].firstChild.getAttribute("href") != null)
{
alert(32)
}
</script>
<div id="x45"><span x="href=-&gt;&bbb"></span></div>
<script>
window["x45"].innerHTML=window["x45"].innerHTML;
if (window["x45"].firstChild.getAttribute("href") != null)
{
alert(45)
}
</script>
<div id="x48"><span x="href=0&gt;&bbb"></span></div>
<script>
window["x48"].innerHTML=window["x48"].innerHTML;
if (window["x48"].firstChild.getAttribute("href") != null)
{
alert(48)
}
</script>
<div id="x49"><span x="href=1&gt;&bbb"></span></div>
<script>
window["x49"].innerHTML=window["x49"].innerHTML;
if (window["x49"].firstChild.getAttribute("href") != null)
{
alert(49)
}
</script>
<div id="x50"><span x="href=2&gt;&bbb"></span></div>
<script>
window["x50"].innerHTML=window["x50"].innerHTML;
if (window["x50"].firstChild.getAttribute("href") != null)
{
alert(50)
}
</script>
<div id="x51"><span x="href=3&gt;&bbb"></span></div>
<script>
window["x51"].innerHTML=window["x51"].innerHTML;
if (window["x51"].firstChild.getAttribute("href") != null)
{
alert(51)
}
</script>
<div id="x52"><span x="href=4&gt;&bbb"></span></div>
<script>
window["x52"].innerHTML=window["x52"].innerHTML;
if (window["x52"].firstChild.getAttribute("href") != null)
{
alert(52)
}
</script>
<div id="x53"><span x="href=5&gt;&bbb"></span></div>
<script>
window["x53"].innerHTML=window["x53"].innerHTML;
if (window["x53"].firstChild.getAttribute("href") != null)
{
alert(53)
}
</script>
<div id="x54"><span x="href=6&gt;&bbb"></span></div>
<script>
window["x54"].innerHTML=window["x54"].innerHTML;
if (window["x54"].firstChild.getAttribute("href") != null)
{
alert(54)
}
</script>
<div id="x55"><span x="href=7&gt;&bbb"></span></div>
<script>
window["x55"].innerHTML=window["x55"].innerHTML;
if (window["x55"].firstChild.getAttribute("href") != null)
{
alert(55)
}
</script>
<div id="x56"><span x="href=8&gt;&bbb"></span></div>
<script>
window["x56"].innerHTML=window["x56"].innerHTML;
if (window["x56"].firstChild.getAttribute("href") != null)
{
alert(56)
}
</script>
<div id="x57"><span x="href=9&gt;&bbb"></span></div>
<script>
window["x57"].innerHTML=window["x57"].innerHTML;
if (window["x57"].firstChild.getAttribute("href") != null)
{
alert(57)
}
</script>
<div id="x62"><span x="href=>&gt;&bbb"></span></div>
<script>
window["x62"].innerHTML=window["x62"].innerHTML;
if (window["x62"].firstChild.getAttribute("href") != null)
{
alert(62)
}
</script>
<div id="x65"><span x="href=A&gt;&bbb"></span></div>
<script>
window["x65"].innerHTML=window["x65"].innerHTML;
if (window["x65"].firstChild.getAttribute("href") != null)
{
alert(65)
}
</script>
<div id="x66"><span x="href=B&gt;&bbb"></span></div>
<script>
window["x66"].innerHTML=window["x66"].innerHTML;
if (window["x66"].firstChild.getAttribute("href") != null)
{
alert(66)
}
</script>
<div id="x67"><span x="href=C&gt;&bbb"></span></div>
<script>
window["x67"].innerHTML=window["x67"].innerHTML;
if (window["x67"].firstChild.getAttribute("href") != null)
{
alert(67)
}
</script>

Fuzz results

Chrome logo
Chrome 138.0.0.0 desktop Windows NT 10.0

Updated

Sun Aug 03 2025
Found 70 results
Loading...
Edge logo
Microsoft Edge 138.0.0.0 desktop Windows NT 10.0

Updated

Sun Aug 03 2025
Found 70 results
Loading...