Characters allowed before host name that are ignored

⚠ Browser differences

This vectors show which characters are ignored at the start of the hostname.

Created Jun 11, 2025

Updated Jun 11, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeXSS

CharsetUTF-8

Code used before fuzz:

<script>window.onerror=x=>true;</script>0x0D
<base href="https://example.com" />

Template used:

<a href="https://$[chr]example2.com" id=x></a>

Code used after fuzz:

x.host === "example2.com" && log($[i])

Sample payloads

<a href="https://0x09example2.com" id=x></a>

<a href="https://
example2.com" id=x></a>

<a href="https://0x0Dexample2.com" id=x></a>

<a href="https:///example2.com" id=x></a>

<a href="https://@example2.com" id=x></a>

<a href="https://\example2.com" id=x></a>

<a href="https://example2.com" id=x></a>

<a href="https://͏example2.com" id=x></a>

<a href="https://ᅟexample2.com" id=x></a>

<a href="https://ᅠexample2.com" id=x></a>

<a href="https://឴example2.com" id=x></a>

<a href="https://឵example2.com" id=x></a>

<a href="https://᠋example2.com" id=x></a>

<a href="https://᠌example2.com" id=x></a>

<a href="https://᠍example2.com" id=x></a>

<a href="https://᠎example2.com" id=x></a>

<a href="https://᠏example2.com" id=x></a>

<a href="https://example2.com" id=x></a>

<a href="https://⁠example2.com" id=x></a>

<a href="https://⁡example2.com" id=x></a>