Shazzer logo

    Characters allowed javascript and colon copy2

    Chrome logo 4
    Safari logo 4

    Vector to check if any characters are allowed between javascript and : to still result in a javascript url.

    Created by: avlidienbrunn

    Created on: Sunday, September 29, 2024 at 3:23:28 PM

    Updated on: Wednesday, May 28, 2025 at 5:06:21 PM


    Category: URL Handling

    Vector visibility: Public

    Vector type: JS

    Vector charset: UTF-8

    Template used:
    if (new URL("javascript"+String.fromCodePoint(parseInt($[i]..toString(16),16))+":alert()").protocol=="javascript:"){log($[i])}
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    if (new URL("javascript"+String.fromCodePoint(parseInt(9..toString(16),16))+":alert()").protocol=="javascript:"){alert(9)}
    if (new URL("javascript"+String.fromCodePoint(parseInt(10..toString(16),16))+":alert()").protocol=="javascript:"){alert(10)}
    if (new URL("javascript"+String.fromCodePoint(parseInt(13..toString(16),16))+":alert()").protocol=="javascript:"){alert(13)}
    if (new URL("javascript"+String.fromCodePoint(parseInt(58..toString(16),16))+":alert()").protocol=="javascript:"){alert(58)}

    Fuzz results

    Chrome logo
    Chrome 128.0.0.0 desktop Linux

    Updated

    Sun Sep 29 2024
    Found 4 results
    Loading...
    Safari logo
    Safari 18.5 mobile iOS 18.5

    Updated

    Wed Jul 02 2025
    Found 4 results
    Loading...
    Safari logo
    Safari 18.5 desktop macOS 10.15.7

    Updated

    Fri Aug 01 2025
    Found 4 results
    Loading...