Shazzer logo

    Chars in href that will not default to full URL

    Chrome logo 2.1k

    test

    Created by: joaxcar

    Created on: Saturday, November 16, 2024 at 10:35:16 PM

    Updated on: Tuesday, May 27, 2025 at 1:56:30 PM


    Vector visibility: Public

    Vector type: XSS

    Vector charset: UTF-8

    Vector data 1: html_entities

    Template used:
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="$[data1]<>";window.a.href.includes("http") ? false : log("$[data1]")</script>
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aacute;<>";window.a.href.includes("http") ? false : alert("&aacute;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Abreve;<>";window.a.href.includes("http") ? false : alert("&Abreve;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&abreve;<>";window.a.href.includes("http") ? false : alert("&abreve;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&ac;<>";window.a.href.includes("http") ? false : alert("&ac;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acd;<>";window.a.href.includes("http") ? false : alert("&acd;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acE;<>";window.a.href.includes("http") ? false : alert("&acE;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Acirc;<>";window.a.href.includes("http") ? false : alert("&Acirc;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acirc;<>";window.a.href.includes("http") ? false : alert("&acirc;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acute;<>";window.a.href.includes("http") ? false : alert("&acute;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Acy;<>";window.a.href.includes("http") ? false : alert("&Acy;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&acy;<>";window.a.href.includes("http") ? false : alert("&acy;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&AElig;<>";window.a.href.includes("http") ? false : alert("&AElig;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aelig;<>";window.a.href.includes("http") ? false : alert("&aelig;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&af;<>";window.a.href.includes("http") ? false : alert("&af;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Afr;<>";window.a.href.includes("http") ? false : alert("&Afr;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&afr;<>";window.a.href.includes("http") ? false : alert("&afr;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&Agrave;<>";window.a.href.includes("http") ? false : alert("&Agrave;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&agrave;<>";window.a.href.includes("http") ? false : alert("&agrave;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&alefsym;<>";window.a.href.includes("http") ? false : alert("&alefsym;")</script>
    <base href="http://test.se"><a id="a"></a>
<script>window.a.href="&aleph;<>";window.a.href.includes("http") ? false : alert("&aleph;")</script>

    Fuzz results

    Chrome logo
    Chrome 130.0.0.0 desktop macOS 10.15.7

    Updated

    Sat Nov 16 2024
    Found 2124 results
    Loading...