Characters allowed before host name that are ignored

This vectors show which characters are ignored at the start of the hostname.

Created by: hackvertor

Created on: Wednesday, June 11, 2025 at 11:31:53 AM

Updated on: Wednesday, June 11, 2025 at 11:33:25 AM

Vector type: XSS

Vector charset: UTF-8

Code used before fuzz:

<script>window.onerror=x=>true;</script>
<base href="https://example.com" />

Template used:
<a href="https://$[chr]example2.com" id=x></a>

Code used after fuzz:
x.host === "example2.com" && log($[i])

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a href="https:// example2.com" id=x></a>

<a href="https://
example2.com" id=x></a>

<a href="https://
example2.com" id=x></a>

<a href="https:///example2.com" id=x></a><a href="https://@example2.com" id=x></a><a href="https://\example2.com" id=x></a><a href="https://example2.com" id=x></a><a href="https://͏example2.com" id=x></a><a href="https://᠋example2.com" id=x></a><a href="https://᠌example2.com" id=x></a><a href="https://᠍example2.com" id=x></a><a href="https://᠏example2.com" id=x></a><a href="https://example2.com" id=x></a><a href="https://⁠example2.com" id=x></a><a href="https://⁤example2.com" id=x></a><a href="https://︀example2.com" id=x></a><a href="https://︁example2.com" id=x></a><a href="https://︂example2.com" id=x></a><a href="https://︃example2.com" id=x></a><a href="https://︄example2.com" id=x></a>

Fuzz results

Chrome 137.0.0.0 desktop macOS 10.15.7

Updated

Wed Jun 11 2025

Found 32 results

Show differences only?

Filter out alphanumeric

Sort ascending

Firefox 139.0 desktop macOS 10.15

Updated

Wed Jun 11 2025

Found 32 results

Show differences only?

Filter out alphanumeric

Sort ascending

Safari 18.5 desktop macOS 10.15.7

Updated

Wed Jun 11 2025

Found 48 results

Show differences only?

Filter out alphanumeric

Sort ascending