HTML entities before JavaScript URL

Shows which HTML entities are allowed before the JavaScript protocol

Created by: hackvertor

Created on: Tuesday, June 25, 2024 at 4:42:13 PM

Updated on: Thursday, November 21, 2024 at 10:24:31 AM

Vector type: JS

Vector charset: UTF-8

Code used before fuzz:
const div = document.createElement('div');

Template used:

div.innerHTML='<a href="$[data1]javascript:">test</a>';
div.querySelector('a').protocol === 'javascript:' && log('$[data1]')

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

div.innerHTML='<a href="&Tab;javascript:">test</a>';
div.querySelector('a').protocol === 'javascript:' && alert('&Tab;')

div.innerHTML='<a href="&NewLine;javascript:">test</a>';
div.querySelector('a').protocol === 'javascript:' && alert('&NewLine;')

Safari 17.5 mobile iOS 17.5.1

Updated

Tue Jun 25 2024

Found 2 results

Show differences only?

Filter out alphanumeric

Sort ascending

Chrome 131.0.0.0 desktop Windows NT 10.0

Updated

Sun Nov 17 2024

Found 2 results

Show differences only?

Filter out alphanumeric

Sort ascending