HTML entities inside JavaScript URL before colon

Shows which HTML entities are allowed after colon with the JavaScript protocol

Created Jun 25, 2024

Updated May 28, 2025

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeJS

CharsetUTF-8

$[data1] placeholderhtml_entities

Code used before fuzz:

const div = document.createElement('div');

Template used:

div.innerHTML='<a href="javascript$[data1]:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && log('$[data1]')

div.innerHTML='<a href="javascript&colon;:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&colon;')

div.innerHTML='<a href="javascript&NewLine;:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&NewLine;')

div.innerHTML='<a href="javascript&Tab;:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&Tab;')