Almost browsers prevent to XSS that is using javascript:
protocol.
<a href=javascript:alert(location.origin) traget=_blank>XSS</a>
Demo: https://nuvjcp.csb.app/
Brower | Work? | Detail |
---|---|---|
Chrome | No | about:blank#blocked |
Microsoft Edge(Chromium) | No | about:blank#blocked |
Firefox | Yes | location.origin is null . It is safe. |
Safari | No | |
Mobile Safari | No | Show warning dialog |