Characters allowed before javascript URL

Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539

Created byThomasOrlita

Created Apr 15, 2024

Updated May 23, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

if (new URL(String.fromCodePoint($[i]) + "javascript:alert()").protocol=="javascript:"){log($[i])}

Sample payloads

if (new URL(String.fromCodePoint(0) + "javascript:alert()").protocol=="javascript:"){alert(0)}

if (new URL(String.fromCodePoint(1) + "javascript:alert()").protocol=="javascript:"){alert(1)}

if (new URL(String.fromCodePoint(2) + "javascript:alert()").protocol=="javascript:"){alert(2)}

if (new URL(String.fromCodePoint(3) + "javascript:alert()").protocol=="javascript:"){alert(3)}

if (new URL(String.fromCodePoint(4) + "javascript:alert()").protocol=="javascript:"){alert(4)}

if (new URL(String.fromCodePoint(5) + "javascript:alert()").protocol=="javascript:"){alert(5)}

if (new URL(String.fromCodePoint(6) + "javascript:alert()").protocol=="javascript:"){alert(6)}

if (new URL(String.fromCodePoint(7) + "javascript:alert()").protocol=="javascript:"){alert(7)}

if (new URL(String.fromCodePoint(8) + "javascript:alert()").protocol=="javascript:"){alert(8)}

if (new URL(String.fromCodePoint(9) + "javascript:alert()").protocol=="javascript:"){alert(9)}

if (new URL(String.fromCodePoint(10) + "javascript:alert()").protocol=="javascript:"){alert(10)}

if (new URL(String.fromCodePoint(11) + "javascript:alert()").protocol=="javascript:"){alert(11)}

if (new URL(String.fromCodePoint(12) + "javascript:alert()").protocol=="javascript:"){alert(12)}

if (new URL(String.fromCodePoint(13) + "javascript:alert()").protocol=="javascript:"){alert(13)}

if (new URL(String.fromCodePoint(14) + "javascript:alert()").protocol=="javascript:"){alert(14)}

if (new URL(String.fromCodePoint(15) + "javascript:alert()").protocol=="javascript:"){alert(15)}

if (new URL(String.fromCodePoint(16) + "javascript:alert()").protocol=="javascript:"){alert(16)}

if (new URL(String.fromCodePoint(17) + "javascript:alert()").protocol=="javascript:"){alert(17)}

if (new URL(String.fromCodePoint(18) + "javascript:alert()").protocol=="javascript:"){alert(18)}

if (new URL(String.fromCodePoint(19) + "javascript:alert()").protocol=="javascript:"){alert(19)}

Fingerprinting...

Characters allowed before javascript URL

Sample payloads

Fuzz results

Characters allowed before javascript URL

Sample payloads

Fuzz results

Characters allowed before javascript URL

Sample payloads

Fuzz results

Distributed Fuzzing

Characters allowed before javascript URL

Sample payloads

Fuzz results