Shazzer logo
Login

Characters allowed before javascript URL

Chrome logo 33
Firefox logo 33
Edge logo 33
Safari logo 33

Vector to check if any characters are allowed before "javascript:" to still result in a javascript url. Note: compare this vector (JavaScript URL) with HTML DOM: https://shazzer.co.uk/vectors/661652f5c7a9004304ba5539

ThomasOrlita
Created byThomasOrlita
Created Apr 15, 2024
Updated May 23, 2025

Tweet
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
if (new URL(String.fromCodePoint($[i]) + "javascript:alert()").protocol=="javascript:"){log($[i])}

Sample payloads

if (new URL(String.fromCodePoint(0) + "javascript:alert()").protocol=="javascript:"){alert(0)}
if (new URL(String.fromCodePoint(1) + "javascript:alert()").protocol=="javascript:"){alert(1)}
if (new URL(String.fromCodePoint(2) + "javascript:alert()").protocol=="javascript:"){alert(2)}
if (new URL(String.fromCodePoint(3) + "javascript:alert()").protocol=="javascript:"){alert(3)}
if (new URL(String.fromCodePoint(4) + "javascript:alert()").protocol=="javascript:"){alert(4)}
if (new URL(String.fromCodePoint(5) + "javascript:alert()").protocol=="javascript:"){alert(5)}
if (new URL(String.fromCodePoint(6) + "javascript:alert()").protocol=="javascript:"){alert(6)}
if (new URL(String.fromCodePoint(7) + "javascript:alert()").protocol=="javascript:"){alert(7)}
if (new URL(String.fromCodePoint(8) + "javascript:alert()").protocol=="javascript:"){alert(8)}
if (new URL(String.fromCodePoint(9) + "javascript:alert()").protocol=="javascript:"){alert(9)}
if (new URL(String.fromCodePoint(10) + "javascript:alert()").protocol=="javascript:"){alert(10)}
if (new URL(String.fromCodePoint(11) + "javascript:alert()").protocol=="javascript:"){alert(11)}
if (new URL(String.fromCodePoint(12) + "javascript:alert()").protocol=="javascript:"){alert(12)}
if (new URL(String.fromCodePoint(13) + "javascript:alert()").protocol=="javascript:"){alert(13)}
if (new URL(String.fromCodePoint(14) + "javascript:alert()").protocol=="javascript:"){alert(14)}
if (new URL(String.fromCodePoint(15) + "javascript:alert()").protocol=="javascript:"){alert(15)}
if (new URL(String.fromCodePoint(16) + "javascript:alert()").protocol=="javascript:"){alert(16)}
if (new URL(String.fromCodePoint(17) + "javascript:alert()").protocol=="javascript:"){alert(17)}
if (new URL(String.fromCodePoint(18) + "javascript:alert()").protocol=="javascript:"){alert(18)}
if (new URL(String.fromCodePoint(19) + "javascript:alert()").protocol=="javascript:"){alert(19)}

Fuzz results

Chrome logo
Chrome 148.0.0.0 desktop Windows NT 10.0
Updated15 Mar 2026
Found 33 results
Loading...
Chrome logo
Chrome 145.0.0.0 desktop macOS 10.15.7older version
Updated12 Mar 2026
Found 33 results
Loading...
Chrome logo
Chrome 124.0.0.0 Unknown Unknownolder version
Updated30 Apr 2024
Found 33 results
Loading...
Firefox logo
Firefox 148.0 desktop Windows NT 10.0
Updated23 Feb 2026
Found 33 results
Loading...
Firefox logo
Firefox 147.0 desktop Linuxolder version
Updated1 Feb 2026
Found 33 results
Loading...
Firefox logo
Firefox 125.0 Unknown Unknownolder version
Updated30 Apr 2024
Found 33 results
Loading...
Edge logo
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 33 results
Loading...
Safari logo
Safari 26.3 desktop macOS 10.15.7
Updated6 Mar 2026
Found 33 results
Loading...
Safari logo
Safari 17.4 Unknown Unknownolder version
Updated30 Apr 2024
Found 33 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.