Characters allowed begin from a forward slash character in javascript protocol

Fuzz if window.location.href = `/${user_input}`; can redirect to javascript pseudo protocol.

Created by: siunam321

Created on: Tuesday, October 28, 2025 at 3:29:19 PM

Updated on: Tuesday, October 28, 2025 at 3:29:19 PM

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Template used:

const url = new URL(`/${String.fromCodePoint($[i])}javascript:alert(origin)`);
if (url.protocol === 'javascript:') {
    log($[i]);
}

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Fuzz results

No results found.