Characters allowed in colon entity

This vector shows if a character is allowed in an entity. Firefox did that in the past

Created by: InsertScript

Created on: Thursday, September 19, 2024 at 11:07:03 AM

Updated on: Tuesday, May 27, 2025 at 8:15:10 AM

Detecting browser...

Category: Entity Parsing

Vector visibility: Public

Vector type: XSS

Vector charset: UTF-8

Template used:

<a href="javascript&colo$[chr]n;abcd" id="x">f</a>0x0D

Code used after fuzz:

try{0x0D
if(x.protocol == "javascript:")log($[i])0x0D
}catch(e){}

Sample payloads

<a href="javascript&colo0x00n;abcd" id="x">f</a>0x0D

Chrome 144.0.0.0 desktop Windows NT 10.0

Updated

Sun Jan 25 2026

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0

Updated

Sat Jan 31 2026

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending