Characters allowed begin from a forward slash character in javascript protocol

Fuzz if window.location.href = `/${user_input}`; can redirect to javascript pseudo protocol.

Created bysiunam321

Created Oct 28, 2025

Updated Oct 28, 2025

Detecting browser...

CategoryURL Handling

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

const url = new URL(`/${String.fromCodePoint($[i])}javascript:alert(origin)`);0x0D
if (url.protocol === 'javascript:') {0x0D
    log($[i]);0x0D
}

Fuzz results