I’ve updated my protocol fuzzer with charset support (Thanks Chris Weber for the suggestion). I tried the various browsers with the fuzzer so far nothing in IE8 yet 
but I downloaded the latest Opera and found these 
Update…
Opps I made a mistake, my fuzzer reported false positives because Opera reported the links correctly but when clicking them it doesn’t work. Previous versions did work using some of these entities so I’m thinking it’s something they’ve fixed but still major doh moment from me. Next time I’ll manually test the links rather than listening to my code 
Char:2048,Link:javascriptࠀ:
Char:2304,Link:javascriptऀ:
Char:3840,Link:javascriptༀ:
Char:4096,Link:javascriptက:
Char:4256,Link:javascriptႠ:
Char:4352,Link:javascriptᄀ:
Char:4608,Link:javascriptሀ:
Char:4864,Link:javascriptጀ:
Char:5120,Link:javascript᐀:
Char:5376,Link:javascriptᔀ:
Char:5632,Link:javascriptᘀ:
Char:5888,Link:javascriptᜀ:
Char:6400,Link:javascriptᤀ:
Char:6656,Link:javascriptᨀ:
Char:7424,Link:javascriptᴀ:
Char:7936,Link:javascriptἀ:
Char:7944,Link:javascriptἈ:
Char:11520,Link:javascriptⴀ:
Char:12544,Link:javascript:
Char:13312,Link:javascript㐀:
Char:13568,Link:javascript㔀:
Char:13824,Link:javascript㘀:
Char:14080,Link:javascript㜀:
Char:14336,Link:javascript㠀:
Char:14592,Link:javascript㤀:
Char:14848,Link:javascript㨀:
Char:15104,Link:javascript㬀:
Char:15360,Link:javascript㰀:
Char:15616,Link:javascript㴀:
Char:15872,Link:javascript㸀:
Char:16128,Link:javascript㼀:
Char:16384,Link:javascript䀀:
Char:16640,Link:javascript䄀:
Char:16896,Link:javascript䈀:
Char:17152,Link:javascript䌀:
Char:17408,Link:javascript䐀:
Char:17664,Link:javascript䔀:
Char:17920,Link:javascript䘀:
Char:18176,Link:javascript䜀:
Char:18432,Link:javascript䠀:
Char:18688,Link:javascript䤀:
Char:18944,Link:javascript䨀:
Char:19200,Link:javascript䬀:
Char:19456,Link:javascript䰀:
Char:19712,Link:javascript䴀:
Char:19968,Link:javascript一:
Char:20224,Link:javascript伀:
Char:20480,Link:javascript倀:
Char:20736,Link:javascript儀:
Char:20992,Link:javascript刀:
Char:21248,Link:javascript匀:
Char:21504,Link:javascript吀:
Char:21760,Link:javascript唀:
Char:22016,Link:javascript嘀:
Char:22272,Link:javascript圀:
Char:22528,Link:javascript堀:
Char:22784,Link:javascript夀:
Char:23040,Link:javascript娀:
Char:23296,Link:javascript嬀:
Char:23552,Link:javascript尀:
Char:23808,Link:javascript崀:
Char:24064,Link:javascript帀:
Char:24320,Link:javascript开:
Char:24576,Link:javascript怀:
Char:24832,Link:javascript愀:
Char:25088,Link:javascript戀:
Char:25344,Link:javascript挀:
Char:25600,Link:javascript搀:
Char:25856,Link:javascript攀:
Char:26112,Link:javascript昀:
Char:26368,Link:javascript最:
Char:26624,Link:javascript栀:
Char:26880,Link:javascript椀:
Char:27136,Link:javascript樀:
Char:27392,Link:javascript欀:
Char:27648,Link:javascript氀:
Char:27904,Link:javascript洀:
Char:28160,Link:javascript渀:
Char:28416,Link:javascript漀:
Char:28672,Link:javascript瀀:
Char:28928,Link:javascript焀:
Char:29184,Link:javascript爀:
Char:29440,Link:javascript猀:
Char:29696,Link:javascript琀:
Char:29952,Link:javascript甀:
Char:30208,Link:javascript瘀:
Char:30464,Link:javascript眀:
Char:30720,Link:javascript砀:
Char:30976,Link:javascript礀:
Char:31232,Link:javascript稀:
Char:31488,Link:javascript笀:
Char:31744,Link:javascript簀:
Char:32000,Link:javascript紀:
Char:32256,Link:javascript縀:
Char:32512,Link:javascript缀:
Char:32768,Link:javascript耀:
Char:33024,Link:javascript脀:
Char:33280,Link:javascript舀:
Char:33536,Link:javascript茀:
Char:33792,Link:javascript萀:
Char:34048,Link:javascript蔀:
Char:34304,Link:javascript蘀:
Char:34560,Link:javascript蜀:
Char:34816,Link:javascript蠀:
Char:35072,Link:javascript褀:
Char:35328,Link:javascript言:
Char:35584,Link:javascript謀:
Char:35840,Link:javascript谀:
Char:36096,Link:javascript贀:
Char:36352,Link:javascript踀:
Char:36608,Link:javascript輀:
Char:36864,Link:javascript退:
Char:37120,Link:javascript鄀:
Char:37376,Link:javascript鈀:
Char:37632,Link:javascript錀:
Char:37888,Link:javascript鐀:
Char:38144,Link:javascript销:
Char:38400,Link:javascript阀:
Char:38656,Link:javascript需:
Char:38912,Link:javascript頀:
Char:39168,Link:javascript餀:
Char:39424,Link:javascript騀:
Char:39680,Link:javascript鬀:
Char:39936,Link:javascript鰀:
Char:40192,Link:javascript鴀:
Char:40448,Link:javascript鸀:
Char:40704,Link:javascript鼀:
Char:40960,Link:javascriptꀀ:
Char:41216,Link:javascriptꄀ:
Char:41472,Link:javascriptꈀ:
Char:41728,Link:javascriptꌀ:
Char:41984,Link:javascriptꐀ:
Char:43008,Link:javascriptꠀ:
Char:44032,Link:javascript가:
Char:44288,Link:javascript관:
Char:44544,Link:javascript글:
Char:44800,Link:javascript꼀:
Char:45056,Link:javascript뀀:
Char:45312,Link:javascript넀:
Char:45568,Link:javascript눀:
Char:45824,Link:javascript대:
Char:46080,Link:javascript됀:
Char:46336,Link:javascript딀:
Char:46592,Link:javascript똀:
Char:46848,Link:javascript뜀:
Char:47104,Link:javascript렀:
Char:47360,Link:javascript뤀:
Char:47616,Link:javascript먀:
Char:47872,Link:javascript묀:
Char:48128,Link:javascript밀:
Char:48384,Link:javascript봀:
Char:48640,Link:javascript븀:
Char:48896,Link:javascript뼀:
Char:49152,Link:javascript쀀:
Char:49408,Link:javascript섀:
Char:49664,Link:javascript숀:
Char:49920,Link:javascript쌀:
Char:50176,Link:javascript쐀:
Char:50432,Link:javascript씀:
Char:50688,Link:javascript였:
Char:50944,Link:javascript윀:
Char:51200,Link:javascript저:
Char:51456,Link:javascript준:
Char:51712,Link:javascript쨀:
Char:51968,Link:javascript쬀:
Char:52224,Link:javascript찀:
Char:52480,Link:javascript촀:
Char:52736,Link:javascript츀:
Char:52992,Link:javascript케:
Char:53248,Link:javascript퀀:
Char:53504,Link:javascript턀:
Char:53760,Link:javascript툀:
Char:54016,Link:javascript팀:
Char:54272,Link:javascript퐀:
Char:54528,Link:javascript픀:
Char:54784,Link:javascript혀:
Char:55040,Link:javascript휀:
Comments 2
Hey Gareth, I can’t manually validate these that occur at position 10. I tried:
<a href=”javascriptἈ:alert(’works’)” >test</a>
But that doesn’t execute in Opera. The ones at position 0 did work however. I wonder if there’s a false positive in your test:
if(document.getElementsByTagName(’a').item(i).protocol == ‘javascript:’)
or if I’m doing something wrong?
Posted 18 Sep 2008 at 6:21 pm ¶Ah looks like a false positive
The fuzzing code is correct, it checks the browser to see if the link protocol is javascript so Opera is reporting it is but then stops it from executing. Doh!
<slaps self on head>
Posted 18 Sep 2008 at 8:01 pm ¶Post a Comment