Entities allowed after slashes on a protocol relative URL

Results per browser: Safari 12, Chrome 12, Firefox 12

You can place whitespace after the slashes of a protocol-relative URL; this vector finds out which HTML entities you can place after them.

Created by: hackvertor

Created on: Saturday, July 6, 2024 at 11:50:39 AM

Updated on: Thursday, September 26, 2024 at 1:47:05 PM

Vector type: JS

Code used before fuzz:

const div = document.createElement('div')

Template used:

div.innerHTML='<a href="//$[data1]example.com">';
if(div.querySelector('a').host === 'example.com') {
   log('$[data1]');
}

Sample payloads

div.innerHTML='<a href="//&bsol;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&bsol;');
}
div.innerHTML='<a href="//&commat;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&commat;');
}
div.innerHTML='<a href="//&NegativeMediumSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeMediumSpace;');
}
div.innerHTML='<a href="//&NegativeThickSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeThickSpace;');
}
div.innerHTML='<a href="//&NegativeThinSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeThinSpace;');
}
div.innerHTML='<a href="//&NegativeVeryThinSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeVeryThinSpace;');
}
div.innerHTML='<a href="//&NewLine;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NewLine;');
}
div.innerHTML='<a href="//&NoBreak;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NoBreak;');
}
div.innerHTML='<a href="//&shy;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&shy;');
}
div.innerHTML='<a href="//&sol;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&sol;');
}
div.innerHTML='<a href="//&Tab;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&Tab;');
}
div.innerHTML='<a href="//&ZeroWidthSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&ZeroWidthSpace;');
}
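
The following is an added example, not part of the original vector page. It repeats the template's host check in Node.js with the WHATWG URL parser, records which parsing rule removes each decoded character, and contrasts the result with a raw-prefix comparison. The entity table, the base URL https://origin.test/ and all function names are assumptions made for illustration.

```javascript
// Constructed table: only the 12 named references reported on this page.
const ENTITIES = {
  bsol: '\\', commat: '@', sol: '/', NewLine: '\n', Tab: '\t',
  shy: '\u00AD', NoBreak: '\u2060', ZeroWidthSpace: '\u200B',
  NegativeMediumSpace: '\u200B', NegativeThickSpace: '\u200B',
  NegativeThinSpace: '\u200B', NegativeVeryThinSpace: '\u200B',
};

// The HTML parser decodes character references before the URL parser runs.
function decodeEntities(s) {
  return s.replace(/&([A-Za-z]+);/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(ENTITIES, name) ? ENTITIES[name] : m);
}

// Which WHATWG URL / UTS #46 rule makes the decoded character vanish.
function classify(ch) {
  if (ch === '\t' || ch === '\n') return 'tab/newline stripped by URL parser';
  if (ch === '/' || ch === '\\') return 'extra slash skipped before authority';
  if (ch === '@') return 'parsed as empty userinfo';
  return 'ignored by IDNA (UTS #46) mapping';
}

// Hypothetical allow-list check that inspects the decoded string only.
function prefixCheck(href) {
  return decodeEntities(href).startsWith('//example.com');
}

// Resolve the attribute value as a link would; the base URL is an assumption.
function resolvedHost(href, base = 'https://origin.test/') {
  try {
    return new URL(decodeEntities(href), base).host;
  } catch {
    return null;
  }
}

// One row per entity: code point, rule, string check result, parsed host.
function audit() {
  return Object.keys(ENTITIES).map((name) => {
    const href = `//&${name};example.com`;
    const cp = ENTITIES[name].codePointAt(0).toString(16).toUpperCase();
    return {
      entity: `&${name};`,
      codePoint: 'U+' + cp.padStart(4, '0'),
      rule: classify(ENTITIES[name]),
      prefixCheck: prefixCheck(href),
      host: resolvedHost(href),
    };
  });
}

console.table(audit());
```

Every row fails the string prefix comparison yet resolves to example.com, so a host check has to run on the parsed URL rather than on the attribute text.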

Fuzz results

Safari 17.5 mobile iOS 17.5.1
Updated: Sat Jul 06 2024
Found 12 results:
&bsol;
&commat;
&NegativeMediumSpace;
&NegativeThickSpace;
&NegativeThinSpace;
&NegativeVeryThinSpace;
&NewLine;
&NoBreak;
&shy;
&sol;
&Tab;
&ZeroWidthSpace;

Chrome 126.0.0.0 desktop macOS 10.15.7
Updated: Sat Jul 06 2024
Found 12 results:
&bsol;
&commat;
&NegativeMediumSpace;
&NegativeThickSpace;
&NegativeThinSpace;
&NegativeVeryThinSpace;
&NewLine;
&NoBreak;
&shy;
&sol;
&Tab;
&ZeroWidthSpace;

Firefox 127.0 desktop macOS 10.15
Updated: Sat Jul 06 2024
Found 12 results:
&bsol;
&commat;
&NegativeMediumSpace;
&NegativeThickSpace;
&NegativeThinSpace;
&NegativeVeryThinSpace;
&NewLine;
&NoBreak;
&shy;
&sol;
&Tab;
&ZeroWidthSpace;