Shazzer logo
Login

Entities in-between protocol-relative URL

Chrome logo 4
Firefox logo 4
Edge logo 4
Safari logo 4

Tests which entities are allowed in-between a protocol-relative URL

hackvertor
Created byhackvertor
Created Apr 2, 2026
Updated Apr 2, 2026

Tweet
Detecting browser...
CategoryEntity Parsing
VisibilityPublic
TypeJS
CharsetUTF-8
$[data1] placeholderhtml_entities
Code used before fuzz:
const div = document.createElement('div')
Template used:
div.innerHTML='<a href="/$[data1]/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   log('$[data1]');0x0D
}

Sample payloads

div.innerHTML='<a href="/&bsol;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&bsol;');0x0D
}
div.innerHTML='<a href="/&NewLine;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NewLine;');0x0D
}
div.innerHTML='<a href="/&sol;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&sol;');0x0D
}
div.innerHTML='<a href="/&Tab;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&Tab;');0x0D
}

Fuzz results

Chrome logo
Chrome 147.0.0.0 desktop macOS 10.15.7
Updated5 Apr 2026
Found 4 results
Loading...
Chrome logo
Chrome 146.0.0.0 desktop Windows NT 10.0older version
Updated5 Apr 2026
Found 4 results
Loading...
Firefox logo
Firefox 150.0 desktop Windows NT 10.0
Updated4 Apr 2026
Found 4 results
Loading...
Firefox logo
Firefox 149.0 mobile Android 16older version
Updated4 Apr 2026
Found 4 results
Loading...
Edge logo
Microsoft Edge 146.0.0.0 desktop Windows NT 10.0
Updated3 Apr 2026
Found 4 results
Loading...
Safari logo
Safari 26.3 mobile iOS 18.7
Updated3 Apr 2026
Found 4 results
Loading...
Safari logo
Safari 18.6 desktop macOS 10.15.7older version
Updated3 Apr 2026
Found 4 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.