Javascript protocol fuzzer and Opera

I’ve updated my protocol fuzzer with charset support (thanks, Chris Weber, for the suggestion). I tried the various browsers with the fuzzer; so far nothing in IE8 yet 🙁 but I downloaded the latest Opera and found these 😀

Update…

Oops, I made a mistake: my fuzzer reported false positives because Opera reported the links correctly, but when clicking them it doesn’t work. Previous versions did work using some of these entities, so I’m thinking it’s something they’ve fixed, but still a major doh moment from me. Next time I’ll manually test the links rather than listening to my code 🙂



2 Responses to “Javascript protocol fuzzer and Opera”

  1. Chris Weber writes:

    Hey Gareth, I can’t manually validate these that occur at position 10. I tried:

    <a href="javascript&#7944:alert('works')" >test</a>

    But that doesn’t execute in Opera. The ones at position 0 did work however. I wonder if there’s a false positive in your test:

    if(document.getElementsByTagName('a').item(i).protocol == 'javascript:')

    or if I’m doing something wrong?

  2. Gareth Heyes writes:

    Ah, looks like a false positive 🙁
    The fuzzing code is correct; it checks the browser to see if the link protocol is javascript, so Opera is reporting it is but then stops it from executing. Doh!

    <slaps self on head>
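
A cross-check for results like the one discussed in the comments, as an added example that is not the post's fuzzer code: it decodes the numeric character reference the way an HTML attribute parser does, then asks a WHATWG URL parser (the `URL` class in Node.js) which scheme it sees. The function names `decodeNumericRefs`, `schemeOf` and `acceptedAsJavascript` are made up for this sketch; the sample href is the one quoted in the first comment.

```javascript
// Added example (not from the original post). Runs under Node.js, no DOM needed.
const CONTROL = "javascript:alert('works')";      // plain scheme, for comparison
const SAMPLE = "javascript&#7944:alert('works')"; // href quoted in the comments

// Decode decimal numeric character references. HTML decodes these in
// attribute values even when the trailing ';' is missing, as in the sample.
function decodeNumericRefs(attr) {
  return attr.replace(/&#(\d+);?/g, (match, digits) => {
    const cp = Number(digits);
    // Simplification: leave NUL, surrogates and out-of-range values untouched.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
      return match;
    }
    return String.fromCodePoint(cp);
  });
}

// Scheme as seen by the WHATWG URL parser, or null when the decoded string
// has no valid absolute scheme (the constructor throws in that case).
function schemeOf(href) {
  try {
    return new URL(decodeNumericRefs(href)).protocol;
  } catch (err) {
    return null;
  }
}

// Build hrefs in the same shape as the fuzzer output (reference placed right
// after "javascript") and keep the code points the parser still treats as
// producing a javascript: URL.
function acceptedAsJavascript(codePoints) {
  return codePoints.filter(
    (cp) => schemeOf(`javascript&#${cp}:alert('works')`) === "javascript:"
  );
}

console.log("control:", schemeOf(CONTROL));
console.log("sample :", schemeOf(SAMPLE));
console.log("accepted:", acceptedAsJavascript([2048, 7944, 55040]));
```

A second oracle like this only tells you what a spec parser does; as the thread concludes, whether a given browser executes the link still has to be confirmed by clicking it.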