Chars in href that will not default to full URL

⚠ Browser differences
Chrome: 2.1k
Firefox: 1
Edge: 2.1k

test

Created by joaxcar
Created Nov 16, 2024
Updated May 27, 2025

Category: URL Handling
Visibility: Public
Type: XSS
Charset: UTF-8
$[data1] placeholder: html_entities
Template used:
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="$[data1]<>";window.a.href.includes("http") ? false : log("$[data1]")</script>

Sample payloads

<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&aacute;<>";window.a.href.includes("http") ? false : alert("&aacute;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&Abreve;<>";window.a.href.includes("http") ? false : alert("&Abreve;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&abreve;<>";window.a.href.includes("http") ? false : alert("&abreve;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&ac;<>";window.a.href.includes("http") ? false : alert("&ac;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&acd;<>";window.a.href.includes("http") ? false : alert("&acd;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&acE;<>";window.a.href.includes("http") ? false : alert("&acE;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&Acirc;<>";window.a.href.includes("http") ? false : alert("&Acirc;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&acirc;<>";window.a.href.includes("http") ? false : alert("&acirc;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&acute;<>";window.a.href.includes("http") ? false : alert("&acute;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&Acy;<>";window.a.href.includes("http") ? false : alert("&Acy;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&acy;<>";window.a.href.includes("http") ? false : alert("&acy;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&AElig;<>";window.a.href.includes("http") ? false : alert("&AElig;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&aelig;<>";window.a.href.includes("http") ? false : alert("&aelig;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&af;<>";window.a.href.includes("http") ? false : alert("&af;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&Afr;<>";window.a.href.includes("http") ? false : alert("&Afr;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&afr;<>";window.a.href.includes("http") ? false : alert("&afr;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&Agrave;<>";window.a.href.includes("http") ? false : alert("&Agrave;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&agrave;<>";window.a.href.includes("http") ? false : alert("&agrave;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&alefsym;<>";window.a.href.includes("http") ? false : alert("&alefsym;")</script>
<base href="http://test.se"><a id="a"></a>0x0D
<script>window.a.href="&aleph;<>";window.a.href.includes("http") ? false : alert("&aleph;")</script>

Fuzz results

Chrome 145.0.0.0 desktop macOS 10.15.7
Updated 17 Feb 2026
Found 2124 results

Chrome 144.0.0.0 desktop Windows NT 10.0 (older version)
Updated 17 Feb 2026
Found 2124 results

Firefox 147.0 desktop Linux
Updated 1 Feb 2026
Found 1 result

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated 30 Jan 2026
Found 2124 results