Shazzer logo

    Entities allowed after slashes on a protocol relative URL

    Safari logo 12
    Chrome logo 12
    Firefox logo 12

    You can place whitespace after slashes, this vector finds out what entities you can place after them.

    Created by: hackvertor

    Created on: Saturday, July 6, 2024 at 11:50:39 AM

    Updated on: Thursday, September 26, 2024 at 1:47:05 PM

    Vector type: JS

    Code used before fuzz:
    const div = document.createElement('div')
    Template used:
    div.innerHTML='<a href="//$[data1]example.com">';
if(div.querySelector('a').host === 'example.com') {
   log('$[data1]');
}
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    div.innerHTML='<a href="//&bsol;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&bsol;');
}
    div.innerHTML='<a href="//&commat;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&commat;');
}
    div.innerHTML='<a href="//&NegativeMediumSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeMediumSpace;');
}
    div.innerHTML='<a href="//&NegativeThickSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeThickSpace;');
}
    div.innerHTML='<a href="//&NegativeThinSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeThinSpace;');
}
    div.innerHTML='<a href="//&NegativeVeryThinSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NegativeVeryThinSpace;');
}
    div.innerHTML='<a href="//&NewLine;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NewLine;');
}
    div.innerHTML='<a href="//&NoBreak;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&NoBreak;');
}
    div.innerHTML='<a href="//&shy;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&shy;');
}
    div.innerHTML='<a href="//&sol;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&sol;');
}
    div.innerHTML='<a href="//&Tab;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&Tab;');
}
    div.innerHTML='<a href="//&ZeroWidthSpace;example.com">';
if(div.querySelector('a').host === 'example.com') {
   alert('&ZeroWidthSpace;');
}

    Fuzz results

    Safari logo
    Safari 17.5 mobile iOS 17.5.1

    Updated

    Sat Jul 06 2024
    Found 12 results
    Data
    &bsol;
    Data
    &commat;
    Data
    &NegativeMediumSpace;
    Data
    &NegativeThickSpace;
    Data
    &NegativeThinSpace;
    Data
    &NegativeVeryThinSpace;
    Data
    &NewLine;
    Data
    &NoBreak;
    Data
    &shy;
    Data
    &sol;
    Data
    &Tab;
    Data
    &ZeroWidthSpace;
    Chrome logo
    Chrome 126.0.0.0 desktop macOS 10.15.7

    Updated

    Sat Jul 06 2024
    Found 12 results
    Data
    &bsol;
    Data
    &commat;
    Data
    &NegativeMediumSpace;
    Data
    &NegativeThickSpace;
    Data
    &NegativeThinSpace;
    Data
    &NegativeVeryThinSpace;
    Data
    &NewLine;
    Data
    &NoBreak;
    Data
    &shy;
    Data
    &sol;
    Data
    &Tab;
    Data
    &ZeroWidthSpace;
    Firefox logo
    Firefox 127.0 desktop macOS 10.15

    Updated

    Sat Jul 06 2024
    Found 12 results
    Data
    &bsol;
    Data
    &commat;
    Data
    &NegativeMediumSpace;
    Data
    &NegativeThickSpace;
    Data
    &NegativeThinSpace;
    Data
    &NegativeVeryThinSpace;
    Data
    &NewLine;
    Data
    &NoBreak;
    Data
    &shy;
    Data
    &sol;
    Data
    &Tab;
    Data
    &ZeroWidthSpace;