HTML entities inside JavaScript URL before colon
3
3
3Shows which HTML entities are allowed after colon with the JavaScript protocol
Created by: hackvertor
Created on: Tuesday, June 25, 2024 at 11:58:34 AM
Updated on: Wednesday, May 28, 2025 at 5:08:10 PM
Category: Entity Parsing
Vector visibility: Public
Vector type: JS
Vector charset: UTF-8
Vector data 1: html_entities
Code used before fuzz:
const div = document.createElement('div');Template used:
div.innerHTML='<a href="javascript$[data1]:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && log('$[data1]')Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
div.innerHTML='<a href="javascript::">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert(':')div.innerHTML='<a href="javascript
:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('
')div.innerHTML='<a href="javascript	:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('	')Fuzz results
Chrome 143.0.0.0 desktop macOS 10.15.7
Updated
Wed Jan 28 2026
Found 3 results
Loading...
Chrome 142.0.0.0 desktop Windows NT 10.0older version
Updated
Tue Nov 18 2025
Found 3 results
Loading...
Firefox 127.0 desktop macOS 10.15
Updated
Tue Jun 25 2024
Found 3 results
Loading...
Safari 17.4 desktop macOS 10.15.7
Updated
Tue Jun 25 2024
Found 3 results
Loading...