javascript – XSS with Template Literals

I suspect I have a potential XSS vulnerability at the client-side level; however, I'm not able to exploit it successfully.

The URL I’m using consists of three parameters that reflect back to the user and it is as follows:


The HTTP headers of the (potential) vulnerable page are:

HTTP/1.1 200 OK
Connection: close
Content-Length: 6573
Cache-Control: max-age=3600
Content-Type: text/html; charset=utf-8
Last-Modified: (REDACTED)
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31556926
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Accept-Ranges: bytes
X-Served-By: (REDACTED)
X-Cache: MISS
X-Cache-Hits: 0
Vary: x-fh-requested-host, accept-encoding

The (potential) affected HTML code is:

<!DOCTYPE html>
<html lang="en">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
         <div class="col-md-8 offset-md-2">
            <p class="lead mb-4">To complete the email verification process, tap on the button below.</p>
            <a id="completeVerification" class="btn btn-primary" href="">Complete the verification</a>
         </div>
    <script>
    window.onload = function() {
      // Choose environment
      const host =
      const environment =
        host === '' ? 'development' :
        host === '' ? 'staging' :
      // Build deep link with received params
      const urlParams = new URLSearchParams(;
      const key = urlParams.get('key');
      const code = urlParams.get('code');
      const mode = urlParams.get('mode');
      const a = document.getElementById('completeVerification');
      a.href = `com.application.${environment}://auth?key=${key}&code=${code}&mode=${mode}`;
    };
    </script>
</html>

After a few tests I can see that it is allowing many characters such as ', $, {, }, <, >, / and *. The only character that is being HTML-encoded is ".

I’ve tried, without success, sending the following XSS Template Literal payloads through the reflecting parameters:


Any insights on why this is not executing are appreciated. Thanks for reading.