Shazzer logo
Login

Characters allowed javascript and colon copy2

Chrome logo 4
Firefox logo 4
Edge logo 4
Safari logo 4

Vector to check if any characters are allowed between javascript and : to still result in a javascript url.

avlidienbrunn
Created byavlidienbrunn
Created Sep 29, 2024
Updated May 28, 2025

Tweet
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
if (new URL("javascript"+String.fromCodePoint(parseInt($[i]..toString(16),16))+":alert()").protocol=="javascript:"){log($[i])}

Sample payloads

if (new URL("javascript"+String.fromCodePoint(parseInt(9..toString(16),16))+":alert()").protocol=="javascript:"){alert(9)}
if (new URL("javascript"+String.fromCodePoint(parseInt(10..toString(16),16))+":alert()").protocol=="javascript:"){alert(10)}
if (new URL("javascript"+String.fromCodePoint(parseInt(13..toString(16),16))+":alert()").protocol=="javascript:"){alert(13)}
if (new URL("javascript"+String.fromCodePoint(parseInt(58..toString(16),16))+":alert()").protocol=="javascript:"){alert(58)}

Fuzz results

Chrome logo
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 4 results
Loading...
Chrome logo
Chrome 144.0.0.0 desktop macOS 10.15.7older version
Updated30 Jan 2026
Found 4 results
Loading...
Chrome logo
Chrome 128.0.0.0 desktop Linuxolder version
Updated29 Sept 2024
Found 4 results
Loading...
Firefox logo
Firefox 147.0 desktop Windows NT 10.0
Updated26 Jan 2026
Found 4 results
Loading...
Edge logo
Microsoft Edge 145.0.0.0 desktop Windows NT 10.0
Updated18 Feb 2026
Found 4 results
Loading...
Safari logo
Safari 18.5 desktop macOS 10.15.7
Updated1 Aug 2025
Found 4 results
Loading...
Safari logo
Safari 18.5 mobile iOS 18.5
Updated2 Jul 2025
Found 4 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.