Characters allowed before the JavaScript protocol colon

This tests for chars allowed before the colon in a Javascript uri format.

Created on: Monday, March 3, 2025 at 3:24:55 PM

Updated on: Monday, April 28, 2025 at 7:27:33 AM

Vector type: XSS

Vector charset: UTF-8

Code used before fuzz:

<script>window.onerror=x=>true;</script>
<base href="https://example.com" />

Template used:
<a href="javascript$[chr]:" id=x></a>

Code used after fuzz:
x.protocol === 'javascript:' && log($[i])

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

<a href="javascript :" id=x></a>

<a href="javascript
:" id=x></a>

<a href="javascript
:" id=x></a>

<a href="javascript::" id=x></a>

Firefox 135.0 desktop macOS 10.15

Updated

Mon Mar 03 2025

Found 4 results

Show differences only?

Filter out alphanumeric

Sort ascending