Shazzer logo
Login

Entities that cause an external URL before @

Chrome logo 4
Firefox logo 4
Edge logo 4
Safari logo 4

This vector shows what entities cause an external URL when used before an @

hackvertor
Created byhackvertor
Created Sep 25, 2024
Updated May 28, 2025

Tweet
Detecting browser...
CategoryEntity Parsing
VisibilityPublic
TypeXSS
CharsetUTF-8
$[data1] placeholderhtml_entities
Code used before fuzz:
const div = document.createElement('div');
Template used:
div.innerHTML=`<a href="https://psres.net$[data1]@example.com" id=x>test</a>`;
Code used after fuzz:
if(x.host !== 'example.com') {0x0D
   log('$[data1]');0x0D
}

Sample payloads

div.innerHTML=`<a href="https://psres.net&bsol;@example.com" id=x>test</a>`;
div.innerHTML=`<a href="https://psres.net&num;@example.com" id=x>test</a>`;
div.innerHTML=`<a href="https://psres.net&quest;@example.com" id=x>test</a>`;
div.innerHTML=`<a href="https://psres.net&sol;@example.com" id=x>test</a>`;

Fuzz results

Chrome logo
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 4 results
Loading...
Chrome logo
Chrome 144.0.0.0 desktop macOS 10.15.7older version
Updated30 Jan 2026
Found 4 results
Loading...
Firefox logo
Firefox 147.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 4 results
Loading...
Firefox logo
Firefox 139.0 desktop macOS 10.15older version
Updated11 Jun 2025
Found 4 results
Loading...
Edge logo
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 4 results
Loading...
Safari logo
Safari 18.5 desktop macOS 10.15.7
Updated11 Jun 2025
Found 4 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.