Url parsing diff b/w anchor.href and new URL

Safari logo 280

.

Created by: Sudistark

Created on: Monday, May 26, 2025 at 7:19:37 AM

Updated on: Wednesday, May 28, 2025 at 5:06:18 PM


Vector type: JS

Vector charset: UTF-8

Code used before fuzz:
const anchor = document.createElement('a');
Template used:
char = String.fromCodePoint($[i])
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){log($[i])}
}
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

char = String.fromCodePoint(60)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(60)}
}
char = String.fromCodePoint(62)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(62)}
}
char = String.fromCodePoint(64)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(64)}
}
char = String.fromCodePoint(91)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(91)}
}
char = String.fromCodePoint(92)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(92)}
}
char = String.fromCodePoint(93)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(93)}
}
char = String.fromCodePoint(94)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(94)}
}
char = String.fromCodePoint(124)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(124)}
}
char = String.fromCodePoint(65536)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65536)}
}
char = String.fromCodePoint(65545)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65545)}
}
char = String.fromCodePoint(65546)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65546)}
}
char = String.fromCodePoint(65549)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65549)}
}
char = String.fromCodePoint(65568)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65568)}
}
char = String.fromCodePoint(65571)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65571)}
}
char = String.fromCodePoint(65583)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65583)}
}
char = String.fromCodePoint(65594)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65594)}
}
char = String.fromCodePoint(65596)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65596)}
}
char = String.fromCodePoint(65598)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65598)}
}
char = String.fromCodePoint(65599)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65599)}
}
char = String.fromCodePoint(65600)
url = "javascript://google.com"+char

try {
    new URL(url)
}
catch(e){
    anchor.href=url
    if(anchor.protocol !== ':'){alert(65600)}
}

Fuzz results

Safari logo
Safari 18.5 mobile iOS 18.5

Updated

Wed Jul 02 2025
Found 280 results
Loading...