6:["$","div",null,{"className":"flex flex-col lg:flex-row","children":["$","div",null,{"children":[["$","div",null,{"className":"grid grid-cols-1 md:grid-cols-2 xl:grid-cols-2 gap-3","children":[["$","div",null,{"children":[["$","div",null,{"className":"mb-4","children":[["$","h1",null,{"className":"text-3xl font-bold break-words tracking-tight","children":"Characters allowed before after onerror events"}],["$","div",null,{"className":"flex flex-col gap-2","children":[false,["$","div",null,{"className":"flex flex-row","children":[["$","div","browserIcon0",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Chrome 144.0.0.0 - Updated 8d ago","children":[["$","$L16",null,{"src":"/logos/browsers/chrome.png","width":32,"height":32,"alt":"Chrome logo","className":"","priority":true}]," ",false," ",false," ",false," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"5"}]]}],["$","div","browserIcon1",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Firefox 147.0 - Updated 2d ago","children":[false," ",["$","$L16",null,{"src":"/logos/browsers/firefox.png","width":32,"height":32,"alt":"Firefox logo","className":"","priority":true}]," ",false," ",false," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"5"}]]}],["$","div","browserIcon2",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Microsoft Edge 144.0.0.0 - Updated 7d ago","children":[false," ",false," ",false," ",["$","$L16",null,{"src":"/logos/browsers/edge.png","width":32,"height":32,"alt":"Edge logo","className":"","priority":true}]," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"5"}]]}],["$","div","browserIcon3",{"className":"mt-5 mr-5 relative inline-block tooltip tooltip-bottom","data-tip":"Safari 26.2 - Updated 3d ago","children":[false," ",false," ",["$","$L16",null,{"src":"/logos/browsers/safari.png","width":32,"height":32,"alt":"Safari logo","className":"","priority":true}]," ",false," ",["$","span",null,{"className":"badge badge-secondary absolute top-0 right-0 translate-x-1/2 -translate-y-1/2","children":"5"}]]}]]}]]}]]}],["$","p",null,{"className":"text-base-content/80 break-words leading-relaxed mb-6","children":"This XSS vector shows what characters can be used before the onerror event."}],["$","div",null,{"className":"flex items-center gap-3 mb-6 p-3 bg-base-200 rounded-lg w-fit","children":[["$","div",null,{"className":"avatar","children":["$","div",null,{"className":"w-10 rounded-full","children":["$","$L16",null,{"src":"https://avatars.githubusercontent.com/u/28710050?v=4","width":40,"height":40,"alt":"t0xodile","className":"rounded-full"}]}]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide","children":"Created by"}],["$","$L1b","66e170c4eaf537370056ad4f",{"href":"/profile?id=66e170c4eaf537370056ad4f","className":"link link-hover font-semibold","children":"t0xodile"}]]}],null]}],["$","div",null,{"className":"flex flex-wrap gap-4 text-sm text-base-content/70 mb-6","children":[["$","div",null,{"className":"flex items-center gap-2","children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M8 7V3m8 4V3m-9 8h10M5 21h14a2 2 0 002-2V7a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z"}]}],["$","span",null,{"children":["Created"," ","Oct 23, 2025"]}]]}],["$","div",null,{"className":"flex items-center gap-2","children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15"}]}],["$","span",null,{"children":["Updated"," ","Oct 23, 2025"]}]]}]]}],["$","div",null,{"className":"space-y-4","children":[["$","div",null,{"className":"flex flex-wrap gap-2","children":[["$","$L1c",null,{"data1":"","data2":"","end":65535,"initCode":"","afterCode":"","template":"","mode":"XSS","csrfToken":"AAi6DM1vdIt5mYGzjjoSenBMJ5lWCXxhCfH5GzyS","charset":"UTF-8"}],["$","$L1d",null,{"start":0,"end":65535,"autofuzz":false,"template":"","vectorType":"XSS","fuzzToken":"9421b358dd8b20e796aafe6808ca230e","initCode":"","afterCode":"","data1":"","data2":"","csrfToken":"AAi6DM1vdIt5mYGzjjoSenBMJ5lWCXxhCfH5GzyS","id":"68fa0bc6b20bad559739a1ea","doRedirect":true,"charset":"UTF-8"}]]}],["$","div",null,{"className":"divider my-2"}],["$","div",null,{"className":"flex flex-wrap items-center gap-2","children":[["$","button",null,{"type":"button","className":"btn btn-secondary","disabled":true,"children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M11 5H6a2 2 0 00-2 2v11a2 2 0 002 2h11a2 2 0 002-2v-5m-1.414-9.414a2 2 0 112.828 2.828L11.828 15H9v-2.828l8.586-8.586z"}]}],"Edit"]}],["$","$L1b",null,{"href":"/vectors/new/?id=68fa0bc6b20bad559739a1ea","children":["$","button",null,{"type":"button","className":"btn btn-secondary","children":[["$","svg",null,{"xmlns":"http://www.w3.org/2000/svg","className":"h-4 w-4","fill":"none","viewBox":"0 0 24 24","stroke":"currentColor","children":["$","path",null,{"strokeLinecap":"round","strokeLinejoin":"round","strokeWidth":2,"d":"M8 16H6a2 2 0 01-2-2V6a2 2 0 012-2h8a2 2 0 012 2v2m-6 12h8a2 2 0 002-2v-8a2 2 0 00-2-2h-8a2 2 0 00-2 2v8a2 2 0 002 2z"}]}],"Fork"]}]}],["$","$L1e",null,{"fuzzToken":"9421b358dd8b20e796aafe6808ca230e"}],["$","$L1f",null,{"text":"Characters allowed before after onerror events"}],["$","$L20",null,{"disabled":true,"toggleLike":"$h21","id":"68fa0bc6b20bad559739a1ea","likeCount":1,"currentLikeStatus":false,"csrfToken":"AAi6DM1vdIt5mYGzjjoSenBMJ5lWCXxhCfH5GzyS"}]]}]]}]]}],["$","div",null,{"children":[["$","div",null,{"className":"mb-5","children":["$","$L22",null,{}]}],["$","div",null,{"className":"bg-base-200 rounded-lg p-4 mb-5","children":["$","div",null,{"className":"flex flex-wrap gap-3 lg:grid lg:grid-cols-2 justify-items-start","children":[["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Category"}],["$","span",null,{"className":"badge badge-primary","children":"HTML Parsing"}]]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Visibility"}],["$","span",null,{"className":"badge badge-primary","children":"Public"}]]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Type"}],["$","span",null,{"className":"badge badge-primary","children":"XSS"}]]}],["$","div",null,{"className":"flex flex-col","children":[["$","span",null,{"className":"text-xs text-base-content/60 uppercase tracking-wide mb-1","children":"Charset"}],["$","span",null,{"className":"badge badge-primary","children":"UTF-8"}]]}],"",""]}]}],"",["$","div",null,{"className":"mb-5","children":["Template used:",["$","br",null,{}],["$","$L23",null,{"code":"","language":"markup","maxHeight":"300px"}]]}],""]}]]}],["$","div",null,{"className":"mt-5 overflow-x-visible overflow-y-auto max-h-[300px] w-full border-t border-slate-700 p-5","children":[["$","h2",null,{"className":"text-xl font-bold mb-3","children":"Sample payloads"}],["$","div",null,{"className":"flex gap-2","children":[["$","$L24",null,{"text":"Copy payloads to clipboard","data":"\n\n\n\n"}],["$","$L25",null,{"vector":{"id":"68fa0bc6b20bad559739a1ea","visibility":"Public","privatePrefixToken":"081c498969","category":"HTML Parsing","initCode":"","afterCode":"","description":"This XSS vector shows what characters can be used before the onerror event.","name":"Characters allowed before after onerror events","type":"XSS","data1":"","data2":"","charset":"UTF-8","vector":"","viewed":0,"fuzzToken":"9421b358dd8b20e796aafe6808ca230e","createdAt":"$D2025-10-23T11:04:38.055Z","updatedAt":"$D2025-10-23T11:04:38.055Z","userId":"66e170c4eaf537370056ad4f","User":{"id":"66e170c4eaf537370056ad4f","name":"Thomas Stacey","username":"t0xodile","image":"https://avatars.githubusercontent.com/u/28710050?v=4"}},"payloads":["","","","",""]}]]}],["$","div",null,{"className":"grid grid-cols-1 md:grid-cols-2 xl:grid-cols-2 gap-3 mt-5","children":["$","$L26",null,{"vector":"$27","fuzzResults":[{"id":"697de84fb33bb98bbc57f8df","vectorId":"68fa0bc6b20bad559739a1ea","charset":"UTF-8","browser":"Firefox","version":"147.0","platform":"mobile","os":"Android 16","characters":"9,10,12,13,32","userId":"66e170c4eaf537370056ad4f","createdAt":"$D2026-01-31T11:32:31.845Z","updatedAt":"$D2026-01-31T11:32:31.845Z"},{"id":"697c0df982c5fe70d5a2363c","vectorId":"68fa0bc6b20bad559739a1ea","charset":"UTF-8","browser":"Safari","version":"26.2","platform":"desktop","os":"macOS 10.15.7","characters":"9,10,12,13,32","userId":"66e170c4eaf537370056ad4f","createdAt":"$D2026-01-30T01:48:41.500Z","updatedAt":"$D2026-01-30T01:48:41.500Z"},{"id":"697c02cd82c5fe70d5a2363b","vectorId":"68fa0bc6b20bad559739a1ea","charset":"UTF-8","browser":"Safari","version":"0","platform":"tablet","os":"iOS 18.7.3","characters":"9,10,12,13,32","userId":"66e170c4eaf537370056ad4f","createdAt":"$D2026-01-30T01:01:01.374Z","updatedAt":"$D2026-01-30T01:01:01.374Z"},{"id":"6976f34901041020b898062b","vectorId":"68fa0bc6b20bad559739a1ea","charset":"UTF-8","browser":"Microsoft Edge","version":"144.0.0.0","platform":"desktop","os":"Windows NT 10.0","characters":"9,10,12,13,32","userId":"66e170c4eaf537370056ad4f","createdAt":"$D2026-01-26T04:53:29.294Z","updatedAt":"$D2026-01-26T04:53:29.294Z"},{"id":"6976119f2dfe61fd07b96bd9","vectorId":"68fa0bc6b20bad559739a1ea","charset":"UTF-8","browser":"Chrome","version":"144.0.0.0","platform":"desktop","os":"macOS 10.15.7","characters":"9,10,12,13,32","userId":"66e170c4eaf537370056ad4f","createdAt":"$D2026-01-25T12:50:39.889Z","updatedAt":"$D2026-01-25T12:50:39.889Z"},{"id":"69010f4790c4c9adb10478e3","vectorId":"68fa0bc6b20bad559739a1ea","charset":"UTF-8","browser":"Firefox","version":"135.0","platform":"desktop","os":"Linux Unknown","characters":"9,10,12,13,32","userId":"66e170c4eaf537370056ad4f","createdAt":"$D2025-10-28T18:45:27.506Z","updatedAt":"$D2025-10-28T18:45:27.506Z"},{"id":"68fa0bccb20bad559739a1eb","vectorId":"68fa0bc6b20bad559739a1ea","charset":"UTF-8","browser":"Chrome","version":"139.0.0.0","platform":"desktop","os":"Linux Unknown","characters":"9,10,12,13,32","userId":"66e170c4eaf537370056ad4f","createdAt":"$D2025-10-23T11:04:44.841Z","updatedAt":"$D2025-10-23T11:04:44.841Z"}],"limit":20}]}]]}],["$","div",null,{"className":"mt-5 border-t border-slate-700 p-5","children":[["$","h2",null,{"className":"text-xl font-bold mb-3","children":"Fuzz results"}],["$","$L29",null,{"fuzzResults":"$2a","highlights":[],"vector":"$27"}]]}]]}]}]

Characters allowed before after onerror events

Sample payloads

Fuzz results

Distributed Fuzzing