relative & protocol relative url starting with a slash and not immediately having a slash after it.
2
2
2
2test
Created byRhynorater
Created Mar 28, 2026
Updated Mar 28, 2026
Detecting browser...
CategoryEntity Parsing
VisibilityPublic
TypeJS
CharsetUTF-8
$[data1] placeholderhtml_entities
Code used before fuzz:
const div = document.createElement('div')Template used:
div.innerHTML='<a href="/$[data1]example.com">';
if(div.querySelector('a').host === 'example.com') {
log('$[data1]');
}Sample payloads
div.innerHTML='<a href="/\example.com">';
if(div.querySelector('a').host === 'example.com') {
alert('\');
}div.innerHTML='<a href="//example.com">';
if(div.querySelector('a').host === 'example.com') {
alert('/');
}Fuzz results
Chrome 147.0.0.0 desktop macOS 10.15.7
Updated5 Apr 2026
Found 2 results
Loading...
Chrome 146.0.0.0 desktop Windows NT 10.0older version
Updated5 Apr 2026
Found 1 result
Loading...
Chrome 146.0.0.0 desktop Linux Unknownolder version
Updated31 Mar 2026
Found 2 results
Loading...
Chrome 146.0.0.0 desktop Windows NT 10.0older version
Updated5 Apr 2026
Found 2 results
Loading...
Firefox 150.0 desktop Windows NT 10.0
Updated4 Apr 2026
Found 2 results
Loading...
Firefox 149.0 mobile Android 16older version
Updated4 Apr 2026
Found 2 results
Loading...
Firefox 149.0 desktop macOS 10.15older version
Updated30 Mar 2026
Found 2 results
Loading...
Microsoft Edge 146.0.0.0 desktop Windows NT 10.0
Updated31 Mar 2026
Found 2 results
Loading...
Safari 26.3.1 desktop macOS 10.15.7
Updated30 Mar 2026
Found 2 results
Loading...