Characters allowed javascript and colon

Vector to check if any characters are allowed between javascript and : to still result in a javascript url.

Created byrenniepak

Created Apr 9, 2024

Updated May 28, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

if (new URL("javascript$[chr]:alert()").protocol=="javascript:"){log($[i])}

Sample payloads

if (new URL("javascript0x09:alert()").protocol=="javascript:"){alert(9)}

if (new URL("javascript::alert()").protocol=="javascript:"){alert(58)}

if (new URL("javascript\:alert()").protocol=="javascript:"){alert(92)}