Shazzer logo
Login

Url parsing diff b/w anchor.href and new URL

⚠ Browser differences
Chrome logo 1
Firefox logo 1
Edge logo 1
Safari logo 280

.

Sudistark
Created bySudistark
Created May 26, 2025
Updated May 28, 2025

Tweet
Detecting browser...
CategoryURL Handling
VisibilityPublic
TypeJS
CharsetUTF-8
Code used before fuzz:
const anchor = document.createElement('a');0x0D
Template used:
char = String.fromCodePoint($[i])0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){log($[i])}0x0D
}

Sample payloads

char = String.fromCodePoint(0)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(0)}0x0D
}
char = String.fromCodePoint(60)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(60)}0x0D
}
char = String.fromCodePoint(62)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(62)}0x0D
}
char = String.fromCodePoint(64)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(64)}0x0D
}
char = String.fromCodePoint(91)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(91)}0x0D
}
char = String.fromCodePoint(92)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(92)}0x0D
}
char = String.fromCodePoint(93)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(93)}0x0D
}
char = String.fromCodePoint(94)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(94)}0x0D
}
char = String.fromCodePoint(124)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(124)}0x0D
}
char = String.fromCodePoint(65536)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65536)}0x0D
}
char = String.fromCodePoint(65545)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65545)}0x0D
}
char = String.fromCodePoint(65546)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65546)}0x0D
}
char = String.fromCodePoint(65549)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65549)}0x0D
}
char = String.fromCodePoint(65568)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65568)}0x0D
}
char = String.fromCodePoint(65571)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65571)}0x0D
}
char = String.fromCodePoint(65583)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65583)}0x0D
}
char = String.fromCodePoint(65594)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65594)}0x0D
}
char = String.fromCodePoint(65596)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65596)}0x0D
}
char = String.fromCodePoint(65598)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65598)}0x0D
}
char = String.fromCodePoint(65599)0x0D
url = "javascript://google.com"+char0x0D
0x0D
try {0x0D
    new URL(url)0x0D
}0x0D
catch(e){0x0D
    anchor.href=url0x0D
    if(anchor.protocol !== ':'){alert(65599)}0x0D
}

Fuzz results

Chrome logo
Chrome 144.0.0.0 desktop Windows NT 10.0

Updated

Sun Jan 25 2026
Found 1 result
Loading...
Firefox logo
Firefox 147.0 desktop Windows NT 10.0

Updated

Tue Jan 27 2026
Found 1 result
Loading...
Edge logo
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0

Updated

Mon Jan 26 2026
Found 1 result
Loading...
Safari logo
Safari 18.5 mobile iOS 18.5

Updated

Wed Jul 02 2025
Found 280 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.