Shazzer logo
Login

HTML entities inside JavaScript URL before colon

Chrome logo 3
Firefox logo 3
Edge logo 3
Safari logo 3

Shows which HTML entities are allowed after colon with the JavaScript protocol

hackvertor
Created byhackvertor
Created Jun 25, 2024
Updated May 28, 2025

Tweet
Detecting browser...
CategoryEntity Parsing
VisibilityPublic
TypeJS
CharsetUTF-8
$[data1] placeholderhtml_entities
Code used before fuzz:
const div = document.createElement('div');
Template used:
div.innerHTML='<a href="javascript$[data1]:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && log('$[data1]')

Sample payloads

div.innerHTML='<a href="javascript&colon;:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&colon;')
div.innerHTML='<a href="javascript&NewLine;:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&NewLine;')
div.innerHTML='<a href="javascript&Tab;:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&Tab;')

Fuzz results

Chrome logo
Chrome 144.0.0.0 desktop macOS 10.15.7

Updated

Fri Jan 30 2026
Found 3 results
Loading...
Chrome logo
Chrome 142.0.0.0 desktop Windows NT 10.0older version

Updated

Tue Nov 18 2025
Found 3 results
Loading...
Firefox logo
Firefox 147.0 desktop Windows NT 10.0

Updated

Thu Jan 29 2026
Found 3 results
Loading...
Firefox logo
Firefox 127.0 desktop macOS 10.15older version

Updated

Tue Jun 25 2024
Found 3 results
Loading...
Edge logo
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0

Updated

Fri Jan 30 2026
Found 3 results
Loading...
Safari logo
Safari 17.4 desktop macOS 10.15.7

Updated

Tue Jun 25 2024
Found 3 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.