Entities allowed inside host

⚠ Browser differences

This vector shows which entities are ignored inside the host name.

Created byhackvertor

Created Jul 6, 2024

Updated May 27, 2025

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeJS

CharsetUTF-8

$[data1] placeholderhtml_entities

Code used before fuzz:

const div = document.createElement('div')

Template used:

div.innerHTML='<a href="//exam$[data1]ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   log('$[data1]');0x0D
}

Sample payloads

div.innerHTML='<a href="//exam&af;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&af;');0x0D
}

div.innerHTML='<a href="//exam&ApplyFunction;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&ApplyFunction;');0x0D
}

div.innerHTML='<a href="//exam&ic;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&ic;');0x0D
}

div.innerHTML='<a href="//exam&InvisibleComma;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&InvisibleComma;');0x0D
}

div.innerHTML='<a href="//exam&InvisibleTimes;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&InvisibleTimes;');0x0D
}

div.innerHTML='<a href="//exam&it;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&it;');0x0D
}

div.innerHTML='<a href="//exam&NegativeMediumSpace;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeMediumSpace;');0x0D
}

div.innerHTML='<a href="//exam&NegativeThickSpace;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeThickSpace;');0x0D
}

div.innerHTML='<a href="//exam&NegativeThinSpace;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeThinSpace;');0x0D
}

div.innerHTML='<a href="//exam&NegativeVeryThinSpace;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeVeryThinSpace;');0x0D
}

div.innerHTML='<a href="//exam&NewLine;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NewLine;');0x0D
}

div.innerHTML='<a href="//exam&NoBreak;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NoBreak;');0x0D
}

div.innerHTML='<a href="//exam&shy;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&shy;');0x0D
}

div.innerHTML='<a href="//exam&Tab;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&Tab;');0x0D
}

div.innerHTML='<a href="//exam&ZeroWidthSpace;ple.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&ZeroWidthSpace;');0x0D
}

Entities allowed inside host

Sample payloads

Fuzz results

Distributed Fuzzing