HTML entities that create ASCII characters inside a JavaScript URL

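This vector loops through all HTML entities, places each one in the body of a JavaScript URL in an anchor's href attribute, and checks whether it decodes to ASCII characters. Because the HTML parser decodes entities in the attribute before the URL is interpreted, a filter that inspects only the raw attribute text does not see the resulting character; validation should be applied to the parsed URL instead.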

Created by: hackvertor

Created on: Tuesday, June 25, 2024 at 10:13:52 PM

Updated on: Thursday, September 26, 2024 at 3:58:13 PM

Vector type: JS

Code used before fuzz:
// Scratch container for the fuzz template: markup assigned to it goes through the HTML parser.
// Nothing in the code shown attaches it to the document.
const div = document.createElement('div');
Template used:
// Build an anchor whose href is a javascript: URL with the data1 placeholder as its body.
// Assigning to innerHTML runs the HTML parser, which decodes character references in the
// attribute value before the URL is parsed.
div.innerHTML='<a href="javascript:$[data1]">test</a>';
// Read the anchor back so its href can be inspected as the browser serialises it.
let element = div.querySelector('a');
// Log the candidate when both conditions hold:
//   1. href is exactly "javascript:" (empty URL body), or a colon is followed, before any
//      line terminator, by a character in the range \x00-\x7f. The single `|` is a bitwise
//      OR on the two booleans, so both operands are always evaluated and the result is 0 or 1.
//   2. href is not "javascript:" followed only by %XX escapes -- presumably this drops
//      entities whose decoded form appears fully percent-encoded in href (TODO confirm intent).
// The logged value is the placeholder text, "=", then href with everything up to and
// including the first colon removed.
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && log('$[data1]='+element.href.replace(/^.+?:/,''))

Sample payloads

div.innerHTML='<a href="javascript:&amp;=&">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&amp;=&='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&AMP;=&">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&AMP;=&='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&apos;='">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&apos;='='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&ast;=*">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&ast;=*='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&bne;==%E2%83%A5">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&bne;==%E2%83%A5='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&bsol;=\">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&bsol;=\='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&colon;=:">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&colon;=:='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&comma;=">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&comma;=='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&commat;=@">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&commat;=@='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&DiacriticalGrave;=`">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&DiacriticalGrave;=`='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&dollar;=$">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&dollar;=$='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&equals;==">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&equals;==='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&excl;=!">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&excl;=!='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&fjlig;=fj">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&fjlig;=fj='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&grave;=`">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&grave;=`='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&gt;=>">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&gt;=>='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&GT;=>">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&GT;=>='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&Hat;=^">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&Hat;=^='+element.href.replace(/^.+?:/,''))
div.innerHTML='<a href="javascript:&lbrace;={">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&lbrace;={='+element.href.replace(/^.+?:/,''))

Fuzz results

Chrome 126.0.0.0 desktop macOS 10.15.7
Sat Jun 29 2024
Found 50 results
Data
Data
&amp;=&
Data
&AMP;=&
Data
&apos;='
Data
&ast;=*
Data
&bne;==%E2%83%A5
Data
&bsol;=\
Data
&colon;=:
Data
&comma;=
Data
&commat;=@
Data
&DiacriticalGrave;=`
Data
&dollar;=$
Data
&equals;==
Data
&excl;=!
Data
&fjlig;=fj
Data
&grave;=`
Data
&gt;=>
Data
&GT;=>
Data
&Hat;=^
Data
&lbrace;={
Data
&lbrack;=[
Data
&lcub;={
Data
&lowbar;=_
Data
&lpar;=(
Data
&lsqb;=[
Data
&lt;=<
Data
&LT;=<
Data
&midast;=*
Data
&NewLine;=
Data
&num;=#
Data
&nvgt;=>%E2%83%92
Data
&nvlt;=<%E2%83%92
Data
&percnt;=%
Data
&period;=.
Data
&plus;=+
Data
&quest;=?
Data
&quot;="
Data
&QUOT;="
Data
&rbrace;=}
Data
&rbrack;=]
Data
&rcub;=}
Data
&rpar;=)
Data
&rsqb;=]
Data
&semi;=;
Data
&sol;=/
Data
&Tab;=
Data
&UnderBar;=_
Data
&verbar;=|
Data
&vert;=|
Data
&VerticalLine;=|
Firefox 127.0 desktop macOS 10.15
Wed Jun 26 2024
Found 50 results
Data
Data
&amp;=&
Data
&AMP;=&
Data
&apos;='
Data
&ast;=*
Data
&bne;==%E2%83%A5
Data
&bsol;=\
Data
&colon;=:
Data
&comma;=
Data
&commat;=@
Data
&DiacriticalGrave;=`
Data
&dollar;=$
Data
&equals;==
Data
&excl;=!
Data
&fjlig;=fj
Data
&grave;=`
Data
&gt;=>
Data
&GT;=>
Data
&Hat;=^
Data
&lbrace;={
Data
&lbrack;=[
Data
&lcub;={
Data
&lowbar;=_
Data
&lpar;=(
Data
&lsqb;=[
Data
&lt;=<
Data
&LT;=<
Data
&midast;=*
Data
&NewLine;=
Data
&num;=#
Data
&nvgt;=>%E2%83%92
Data
&nvlt;=<%E2%83%92
Data
&percnt;=%
Data
&period;=.
Data
&plus;=+
Data
&quest;=?
Data
&quot;="
Data
&QUOT;="
Data
&rbrace;=}
Data
&rbrack;=]
Data
&rcub;=}
Data
&rpar;=)
Data
&rsqb;=]
Data
&semi;=;
Data
&sol;=/
Data
&Tab;=
Data
&UnderBar;=_
Data
&verbar;=|
Data
&vert;=|
Data
&VerticalLine;=|
Safari 17.4 desktop macOS 10.15.7
Wed Jun 26 2024
Found 50 results
Data
Data
&amp;=&
Data
&AMP;=&
Data
&apos;='
Data
&ast;=*
Data
&bne;==%E2%83%A5
Data
&bsol;=\
Data
&colon;=:
Data
&comma;=
Data
&commat;=@
Data
&DiacriticalGrave;=`
Data
&dollar;=$
Data
&equals;==
Data
&excl;=!
Data
&fjlig;=fj
Data
&grave;=`
Data
&gt;=>
Data
&GT;=>
Data
&Hat;=^
Data
&lbrace;={
Data
&lbrack;=[
Data
&lcub;={
Data
&lowbar;=_
Data
&lpar;=(
Data
&lsqb;=[
Data
&lt;=<
Data
&LT;=<
Data
&midast;=*
Data
&NewLine;=
Data
&num;=#
Data
&nvgt;=>%E2%83%92
Data
&nvlt;=<%E2%83%92
Data
&percnt;=%
Data
&period;=.
Data
&plus;=+
Data
&quest;=?
Data
&quot;="
Data
&QUOT;="
Data
&rbrace;=}
Data
&rbrack;=]
Data
&rcub;=}
Data
&rpar;=)
Data
&rsqb;=]
Data
&semi;=;
Data
&sol;=/
Data
&Tab;=
Data
&UnderBar;=_
Data
&verbar;=|
Data
&vert;=|
Data
&VerticalLine;=|