javascript: URL protocol
Check whether javascript: remains in URL attributes such as href or action and executes on user interaction.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Verify that javascript: is removed from URL-bearing attributes such as href, action, and src
- Normalize case, whitespace, and entity encoding before validation
- Confirm that delayed payloads requiring a user click are also blocked
Payload
URL-protocol XSS that executes after a user click.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
javascript: URLs fire on user action such as click or submit, so a render-only check can miss them.
- Validate the protocol on every URL-bearing attribute: href, src, action, formaction, and similar attributes.
- Before comparing, normalize entity decoding, trim, and case.
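The normalize-then-validate procedure from the checklist above and the explanation, as an added example that is not code from the original lab page. It decodes HTML entities once (as the HTML tokenizer does), strips the whitespace and control characters the URL parser ignores, lowercases the scheme, and compares it against an allowlist; the allowlist contents, the attribute names scanned, and the decision to drop an unsafe attribute entirely are assumptions made for this example. Because the check runs on the stored attribute value rather than on what the page does at render time, it catches payloads that would only fire on a later click or submit. The sample payloads are constructed for the demonstration.

```javascript
// Added example (not from the original page): normalize and validate URL-bearing attribute values.
// Order matters: entity decoding happens first (the HTML tokenizer decodes exactly once, so
// "&amp;#106;" correctly stays harmless), then the URL parser's whitespace stripping, then the
// scheme comparison.

// Subset of named references that matter here; numeric references are handled generically.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                         tab: '\t', newline: '\n', colon: ':' };

function decodeEntities(value) {
  // Decimal (&#106;), hex (&#x6A;) and named (&colon;) references, with or without the
  // trailing semicolon, since browsers accept numeric references without one.
  return value.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    const named = NAMED_ENTITIES[name.toLowerCase()];
    return named !== undefined ? named : m;
  });
}

function normalizeUrl(value) {
  // The URL parser strips leading/trailing C0 controls and spaces (U+0000..U+0020) and removes
  // tab, LF and CR anywhere, so "jav\tascript:" still executes in a browser. Mirror that here.
  let v = decodeEntities(value);
  v = v.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  v = v.replace(/[\t\n\r]/g, '');
  return v;
}

// Assumed allowlist for this example; an application should list only the schemes it needs.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

function isSafeUrl(value) {
  const v = normalizeUrl(value);
  // A scheme is a leading [a-zA-Z][a-zA-Z0-9+.-]* followed by ':'.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  if (!m) return true; // no scheme: relative URL (/path, ?q=, #frag), cannot be javascript:
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Attribute names scanned here are assumed; extend for the elements the application allows.
const URL_ATTRS = /\b(href|src|action|formaction)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function sanitizeUrlAttributes(html) {
  // Drop every URL-bearing attribute whose value fails the check. Regex-based only to keep the
  // example self-contained; production code should sanitize a parsed DOM, not a string.
  return html.replace(URL_ATTRS, (match, name, dq, sq, bare) => {
    const value = dq ?? sq ?? bare;
    return isSafeUrl(value) ? match : '';
  });
}

// Constructed payloads (not from the original page) covering the evasions the checklist names.
const SAMPLES = [
  'https://example.com/',                 // allowed scheme
  '/account/settings',                    // relative, no scheme
  'javascript:alert(1)',                  // plain
  'JaVaScRiPt:alert(1)',                  // mixed case
  ' \t javascript:alert(1)',              // leading whitespace
  'java\tscript:alert(1)',                // tab inside the scheme
  '&#106;avascript:alert(1)',             // decimal entity
  '&#x6A;avascript:alert(1)',             // hex entity
  'javascript&colon;alert(1)',            // named entity for the colon
  'data:text/html,<script>alert(1)</script>', // not in the allowlist either
];

for (const s of SAMPLES) {
  console.log(isSafeUrl(s) ? 'allow ' : 'BLOCK ', JSON.stringify(s));
}
console.log(sanitizeUrlAttributes('<a href="javascript:alert(1)">click</a><form action="/submit">'));
```

Decoding once and then stripping is what makes the entity and whitespace variants collapse onto the same string as the plain payload; if validation ran on the raw attribute text instead, each encoding would need its own rule and the comparison would drift from what the browser actually executes.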