Encoded javascript: protocol bypass
Check whether HTML entities, control characters, or casing variations bypass javascript: URL validation.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Decode entities and strip control characters before validating URL attributes
- Validate against a protocol allowlist such as http, https, and mailto
- Verify that renderers and sanitizers use the same normalization rules
Payload
Checks whether protocol validation happens after attribute decoding.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- A URL filter based only on href.startsWith("javascript:") can miss entity-encoded or control-character variants.
- Normalization must happen first. Validate the same form the browser will interpret, then allow only approved protocols.
- Reuse the same URL policy across Markdown renderers, link previews, embed cards, and profile fields.
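As an added example (not code from the lab page or the service it describes), the following Node.js script implements the normalize-then-allowlist check from the bullets above and contrasts it with the prefix check the explanation warns about. The entity decoder is an assumption for this illustration: it handles numeric references and a small named subset, whereas a production renderer should decode with the DOM or a complete entity table so that sanitizer and renderer agree. The base origin, the allowlist contents, and the test vectors are constructed.

```javascript
// Added example, not code from the lab page: normalize an href the way the
// HTML parser and the WHATWG URL parser will, then allow only approved schemes.

// Subset of named character references (assumption: enough for this demo; a
// real implementation should decode with the DOM or a complete entity table).
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", Tab: "\t", NewLine: "\n", nbsp: "\u00a0",
};

// Step 1: what the HTML parser does to an attribute value before the URL
// parser ever sees it. Handles &#NNN; and &#xHH; (semicolon optional, as in
// browsers) plus the named subset above; unknown references are left as-is.
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : match;
  });
}

// Step 2: what the WHATWG URL parser does before reading the scheme: strip
// leading/trailing C0 controls and spaces, drop ASCII tab/LF/CR anywhere.
function normalizeHref(raw) {
  return decodeHtmlEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Assumption: the origin relative links resolve against.
const BASE = "https://example.invalid/";
// Protocol allowlist from the lab's hardening bullets.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// The recommended check: normalize, parse, then allowlist the parsed scheme.
function isSafeHref(raw) {
  let url;
  try {
    url = new URL(normalizeHref(raw), BASE);
  } catch {
    return false; // unparsable: reject rather than guess what a browser would do
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// The weak prefix check the lab warns about (true = would be allowed).
function naiveHrefCheck(raw) {
  return !raw.startsWith("javascript:");
}

// Constructed test vectors covering the lab's three categories: casing,
// entity encoding, and control characters. None carries a real payload body.
const SAMPLES = [
  "https://example.invalid/docs",
  "/relative/page",
  "mailto:help@example.invalid",
  "javascript:void(0)",
  "JaVaScRiPt:void(0)",
  "java&#x73;cript:void(0)",
  "&#106;avascript:void(0)",
  "java&Tab;script:void(0)",
  "java\tscript:void(0)",
  " \u0001javascript:void(0)",
  "data:text/plain,hello",
];

// Returns { href: { naive, normalized } } so the two policies can be compared.
function compareChecks(samples = SAMPLES) {
  const out = {};
  for (const href of samples) {
    out[href] = { naive: naiveHrefCheck(href), normalized: isSafeHref(href) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

Run it with node and the table shows the prefix check allowing every variant except the plain one, while the normalized check rejects all of them and still accepts the relative and mailto links. Because the verdict comes from the scheme of the parsed URL rather than from the raw string, it tracks what the browser will actually navigate to; the remaining risk is a decoder that disagrees with the renderer, which is exactly the third hardening bullet above.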