Shazzer logo

    HTML entities that create ASCII characters inside a JavaScript URL

    Safari logo 50
    Firefox logo 50
    Chrome logo 50

    This vector loops through all entities and assigns them to a JavaScript URL and checks if they decode to ASCII characters.

    Created by: hackvertor

    Created on: Tuesday, June 25, 2024 at 10:13:52 PM

    Updated on: Monday, March 24, 2025 at 9:40:38 AM

    Vector type: JS

    Vector charset: UTF-8

    Vector data 1: html_entities

    Code used before fuzz:
    const div = document.createElement('div');
    Template used:
    div.innerHTML='<a href="javascript:$[data1]">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && log('$[data1]='+element.href.replace(/^.+?:/,''))
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    div.innerHTML='<a href="javascript:&amp;=&">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&amp;=&='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&AMP;=&">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&AMP;=&='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&apos;='">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&apos;='='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&ast;=*">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&ast;=*='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&bne;==%E2%83%A5">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&bne;==%E2%83%A5='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&bsol;=\">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&bsol;=\='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&colon;=:">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&colon;=:='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&comma;=">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&comma;=='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&commat;=@">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&commat;=@='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&DiacriticalGrave;=`">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&DiacriticalGrave;=`='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&dollar;=$">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&dollar;=$='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&equals;==">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&equals;==='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&excl;=!">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&excl;=!='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&fjlig;=fj">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&fjlig;=fj='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&grave;=`">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&grave;=`='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&gt;=>">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&gt;=>='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&GT;=>">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&GT;=>='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&Hat;=^">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&Hat;=^='+element.href.replace(/^.+?:/,''))
    div.innerHTML='<a href="javascript:&lbrace;={">test</a>';
let element = div.querySelector('a');
(element.href==="javascript:"|/:.*[\x00-\x7f]/.test(element.href)) &&  !/^javascript:(%[a-fA-F0-9]{2})+$/.test(element.href) && alert('&lbrace;={='+element.href.replace(/^.+?:/,''))

    Fuzz results

    Safari logo
    Safari 17.4 desktop macOS 10.15.7

    Updated

    Wed Jun 26 2024
    Found 50 results
    Loading...
    Firefox logo
    Firefox 127.0 desktop macOS 10.15

    Updated

    Wed Jun 26 2024
    Found 50 results
    Loading...
    Chrome logo
    Chrome 126.0.0.0 desktop macOS 10.15.7

    Updated

    Sat Jun 29 2024
    Found 50 results
    Loading...