Entities after protocol-relative URL

Tests which entities are allowed after a protocol-relative URL

Created byhackvertor

Created Apr 3, 2026

Updated Apr 3, 2026

Detecting browser...

CategoryEntity Parsing

VisibilityPublic

TypeJS

CharsetUTF-8

$[data1] placeholderhtml_entities

Code used before fuzz:

const div = document.createElement('div')

Template used:

div.innerHTML='<a href="//$[data1]example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   log('$[data1]');0x0D
}

Sample payloads

div.innerHTML='<a href="//&af;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&af;');0x0D
}

div.innerHTML='<a href="//&ApplyFunction;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&ApplyFunction;');0x0D
}

div.innerHTML='<a href="//&bsol;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&bsol;');0x0D
}

div.innerHTML='<a href="//&commat;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&commat;');0x0D
}

div.innerHTML='<a href="//&ic;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&ic;');0x0D
}

div.innerHTML='<a href="//&InvisibleComma;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&InvisibleComma;');0x0D
}

div.innerHTML='<a href="//&InvisibleTimes;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&InvisibleTimes;');0x0D
}

div.innerHTML='<a href="//&it;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&it;');0x0D
}

div.innerHTML='<a href="//&NegativeMediumSpace;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeMediumSpace;');0x0D
}

div.innerHTML='<a href="//&NegativeThickSpace;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeThickSpace;');0x0D
}

div.innerHTML='<a href="//&NegativeThinSpace;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeThinSpace;');0x0D
}

div.innerHTML='<a href="//&NegativeVeryThinSpace;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NegativeVeryThinSpace;');0x0D
}

div.innerHTML='<a href="//&NewLine;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NewLine;');0x0D
}

div.innerHTML='<a href="//&NoBreak;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NoBreak;');0x0D
}

div.innerHTML='<a href="//&shy;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&shy;');0x0D
}

div.innerHTML='<a href="//&sol;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&sol;');0x0D
}

div.innerHTML='<a href="//&Tab;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&Tab;');0x0D
}

div.innerHTML='<a href="//&ZeroWidthSpace;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&ZeroWidthSpace;');0x0D
}

div.innerHTML='<a href="//&zwj;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&zwj;');0x0D
}

div.innerHTML='<a href="//&zwnj;example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&zwnj;');0x0D
}

Entities after protocol-relative URL

Sample payloads

Fuzz results

Distributed Fuzzing