HTML entities that create ASCII characters inside a JavaScript URL
50
50
50
This vector loops through all entities and assigns them to a JavaScript URL and checks if they decode to ASCII characters.
Created by: hackvertor
Created on: Tuesday, June 25, 2024 at 10:13:52 PM
Updated on: Saturday, December 21, 2024 at 10:04:46 AM
Vector type: JS
Vector charset: UTF-8
Code used before fuzz:
const div = document.createElement('div');
Template used:
div.innerHTML='<a href="javascript:$[data1]">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && log('$[data1]='+element.href.replace(/^.+?:/,''))
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
div.innerHTML='<a href="javascript:&=&">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&=&='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&=&">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&=&='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:'='">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert(''='='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:*=*">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('*=*='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:=⃥==%E2%83%A5">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('=⃥==%E2%83%A5='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:\=\">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('\=\='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript::=:">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert(':=:='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:,=">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert(',=='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:@=@">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('@=@='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:`=`">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('`=`='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:$=$">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('$=$='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:===">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('===='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:!=!">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('!=!='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:fj=fj">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('fj=fj='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:`=`">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('`=`='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:>=>">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('>=>='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:>=>">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('>=>='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:^=^">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('^=^='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:{={">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) && !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('{={='+element.href.replace(/^.+?:/,''))
Fuzz results
Safari 17.4 desktop macOS 10.15.7
Updated
Wed Jun 26 2024
Found 50 results
Loading...
Firefox 127.0 desktop macOS 10.15
Updated
Wed Jun 26 2024
Found 50 results
Loading...
Chrome 126.0.0.0 desktop macOS 10.15.7
Updated
Sat Jun 29 2024
Found 50 results
Loading...