HTML entities inside JavaScript URL

Shows which HTML entities are allowed inside the JavaScript protocol

Shazzer Elite

Created Jun 25, 2024

Updated May 28, 2025

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeJS

CharsetUTF-8

$[data1] placeholderhtml_entities

Code used before fuzz:

const div = document.createElement('div');

Template used:

div.innerHTML='<a href="java$[data1]script:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && log('$[data1]')

Sample payloads

div.innerHTML='<a href="java&NewLine;script:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&NewLine;')

div.innerHTML='<a href="java&Tab;script:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&Tab;')