Characters after https URI scheme which prevent URL parsing of href

12.7k

12.8k

12.7k

These characters make the URI scheme parsing break and return plaintext instead of the parsed URL.

Created by: Cillian-Collins

Created on: Monday, October 27, 2025 at 1:30:48 AM

Updated on: Monday, October 27, 2025 at 1:30:48 AM

Category: URL Handling

Vector visibility: Public

Vector type: XSS

Vector charset: UTF-8

Template used:
<a id="user_id" href="https:$[chr]blah/../../"></a>

Code used after fuzz:

var user_id = document.getElementById("user_id");
var url = user_id.toString();

if(url.indexOf("../") != -1) log($[i]);

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a id="user_id" href="https:#blah/../../"></a><a id="user_id" href="https:%blah/../../"></a><a id="user_id" href="https::blah/../../"></a><a id="user_id" href="https:<blah/../../"></a><a id="user_id" href="https:[blah/../../"></a><a id="user_id" href="https:|blah/../../"></a><a id="user_id" href="https:¨blah/../../"></a><a id="user_id" href="https:¯blah/../../"></a><a id="user_id" href="https:´blah/../../"></a><a id="user_id" href="https:¸blah/../../"></a><a id="user_id" href="https:΋blah/../../"></a><a id="user_id" href="https:΍blah/../../"></a><a id="user_id" href="https:΢blah/../../"></a><a id="user_id" href="https:԰blah/../../"></a><a id="user_id" href="https:؈blah/../../"></a><a id="user_id" href="https:؋blah/../../"></a><a id="user_id" href="https:؍blah/../../"></a><a id="user_id" href="https:঩blah/../../"></a><a id="user_id" href="https:঱blah/../../"></a>

Characters after https URI scheme which prevent URL parsing of href

Sample payloads

Fuzz results