Entities before protocol-relative URL

Test which entities are allowed before a protocol-relative URL

Created Apr 2, 2026

Updated Apr 2, 2026

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeJS

CharsetUTF-8

$[data1] placeholderhtml_entities

Code used before fuzz:

const div = document.createElement('div')

Template used:

div.innerHTML='<a href="$[data1]//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   log('$[data1]');0x0D
}

Sample payloads

div.innerHTML='<a href="&bsol;//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&bsol;');0x0D
}

div.innerHTML='<a href="&NewLine;//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NewLine;');0x0D
}

div.innerHTML='<a href="&sol;//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&sol;');0x0D
}

div.innerHTML='<a href="&Tab;//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&Tab;');0x0D
}

Chrome 146.0.0.0 desktop macOS 10.15.7

Updated2 Apr 2026

Found 4 results

Show differences only?

Filter out alphanumeric

Sort ascending