Published 14 years 1 month ago • Last updated July 2, 2025 • ⏱️ < 1 min read
You might have seen a blog post or came to the conclusion that urls are in fact valid JavaScript such as:
http://thespanner.co.uk (label) (comment)
That's weird and cool but how do we execute JavaScript from the url? Something like:
http://thespanner.co.uk\nalert(1) (label) (comment) (newLine) (functionCall)
Trouble is the new line isn't allowed inside the browser url bar or is it? ES5 introduced in the standard that line separators and paragraph separators would act as traditional new lines in JavaScript and separate new statements. Thankfully our friend IE allows us to do this directly in the url. Using these characters allows you to create an eval'able url.
So now we don't need to do eval(location.hash.slice(1)) we can simply do eval(location) :) I found this while discussing with Mario and Yosuke Hasegawa on what the shortest HTML based XSS injection was. Using this technique it's probably 21 (without using netscape 4).
<svg onload=eval(URL)
You of course must pass your JavaScript as a non-existent query param such as:
&
alert(1)
As Stefano Di Paola points out, using hash will allow you to use this technique on Chrome and Opera.