I have an anchor that has href attribute populated by my input. I am trying to input javascript, but it always renders it useless since it always appears between double quotes.
So far, I have tried many inputs including:
javascript:alert(1)
"javascript:alert(1)
"""javascript:alert(1)
" onclick=alert(1)
But, everytime the input comes inside double quotes and for javascript:alert(1) it is preceded by unsafe:. Is there anyway to bypass this?
