Characters after https URI scheme which prevent URL parsing of href

12.7k

These characters make the URI scheme parsing break and return plaintext instead of the parsed URL.

Created by: Cillian-Collins

Created on: Monday, October 27, 2025 at 1:30:48 AM

Updated on: Monday, October 27, 2025 at 1:30:48 AM

Vector type: XSS

Vector charset: UTF-8

Template used:
<a id="user_id" href="https:$[chr]blah/../../"></a>

Code used after fuzz:

var user_id = document.getElementById("user_id");
var url = user_id.toString();

if(url.indexOf("../") != -1) log($[i]);

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a id="user_id" href="https:#blah/../../"></a><a id="user_id" href="https:%blah/../../"></a><a id="user_id" href="https::blah/../../"></a><a id="user_id" href="https:<blah/../../"></a><a id="user_id" href="https:[blah/../../"></a><a id="user_id" href="https:|blah/../../"></a><a id="user_id" href="https:΋blah/../../"></a><a id="user_id" href="https:΍blah/../../"></a><a id="user_id" href="https:΢blah/../../"></a><a id="user_id" href="https:Ӏblah/../../"></a><a id="user_id" href="https:԰blah/../../"></a><a id="user_id" href="https:؈blah/../../"></a><a id="user_id" href="https:؋blah/../../"></a><a id="user_id" href="https:؍blah/../../"></a><a id="user_id" href="https:঩blah/../../"></a><a id="user_id" href="https:঱blah/../../"></a><a id="user_id" href="https:৞blah/../../"></a><a id="user_id" href="https:਩blah/../../"></a><a id="user_id" href="https:਱blah/../../"></a>

Fuzz results

Chrome 141.0.0.0 desktop Windows NT 10.0

Updated

Mon Oct 27 2025

Found 12785 results

Show differences only?

Filter out alphanumeric

Sort ascending