Published 18 years 8 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
I thought this was cool whilst experimenting, I found I could use hex <strike>decimal</strike> (ooops that's what I get for posting on Monday morning) entities within a url to combine unicode strings to produce anything. The result is a truly obscure looking javascript, I've included a plain text alert to help understand what's going on, the code basically translates to javascript:x='eval' notice how it is possible to assign strings even though entities are used.
<pre lang="html"> <a href="javascript: x='\145\166\141\154',alert(x)">Test</a> </pre>