Prodding...

HTML entities before JavaScript URL

Shows which HTML entities are allowed before the JavaScript protocol

Created byhackvertor

Created Jun 25, 2024

Updated May 28, 2025

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeJS

CharsetUTF-8

$[data1] placeholderhtml_entities

Code used before fuzz:

const div = document.createElement('div');

Template used:

div.innerHTML='<a href="$[data1]javascript:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && log('$[data1]')

Sample payloads

div.innerHTML='<a href="&NewLine;javascript:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&NewLine;')

div.innerHTML='<a href="&Tab;javascript:">test</a>';0x0D
div.querySelector('a').protocol === 'javascript:' && alert('&Tab;')