13

So with the most recent Facebook phishing scandal1, Google Chrome (and, I assume, other browsers) disabled the ability to paste javascript directly into your URL bar. Well, it still lets you, but it strips the javascript: part.

I'm trying to find a work around to be able to directly paste javascript into the URL. Test it out for yourself:

javascript: alert('Hello World');

instantly (for me at least) strips the "javascript:" part of the code only in Google Chrome.

1 Facebook Phishing Scandal - It's when people where copy-paste that JavaScript code into their URL and it'd invite all their friends to an event OR post something malicious on every friend's wall.

Oleg Valter is with Ukraine
  • 9,619
  • 8
  • 37
  • 59
Evan Hantverk
  • 163
  • 1
  • 6
  • 1
    facebook phishing scandal? where?what? – genesis Oct 08 '11 at 16:04
  • 3
    Citations needed! Prove that Chrome allowed this previously, and describe the scandal. Also, work around for what? What are you trying to accomplish? Why not F12? – bzlm Oct 08 '11 at 16:05
  • Workaround for... what? Pops up an alert for me in Chrome. But JavaScripting your friends is kind of douchey. – Dave Newton Oct 08 '11 at 16:14
  • 1
    Unfortunately there's no option for this in chrome://flags/ either. Notably in particular chrome://flags/#enable-javascript-harmony does not change this behaviour. – Aaron Thoma Apr 06 '15 at 17:19
  • i miss internet explorer 6... – Dmytro Apr 19 '18 at 20:24

6 Answers6

12

Next best thing workaround: Leave out the leading j when copying the snippet and add only that character manually:

  1. mark (w/ mouse) from avascript:…
  2. Ctrl+C
  3. Ctrl+L
  4. j
  5. Ctrl+V
  6. Enter
Aaron Thoma
  • 3,820
  • 1
  • 37
  • 34
5

When coding a little yourself, you may find yourself needing to frequently prepend javascript: into the address bar.

Here are two ways to speed this up:

Add a search engine keyword entry with the keyword j and the URL javascript:%s.

Then you can do:

  1. Ctrl+L
  2. j
  3. Space
  4. Ctrl+V

(It also works like a charm, when you already have JS code in the address bar:

  1. Home
  2. j
  3. Space

)

Autocompletion can save you a few keystrokes, if you don't want to create a search engine keyword entry.

It requires a quick preparation: Feed javascript into the address bar:

  1. Ctrl+L
  2. javascript
  3. Enter

From then on, this shortcut is available:

  1. Ctrl+L
  2. j
    (javascript should be proposed as completion. Otherwise repeat submitting javascript in the address bar, until your browser promotes it to default completion for j.)
  3. End
  4. :
  5. Ctrl+V
Aaron Thoma
  • 3,820
  • 1
  • 37
  • 34
4

Yes. Use normal developer console.

genesis
  • 50,477
  • 20
  • 96
  • 125
3

It is so in any version of Chrome. As I think they are trying to protect you from execution of dangerous code. There are some ways of solving it:

  • Paste then type javascript: by hand
  • Press F12, open console and execute the code (without javascript:) from there
  • Add javascript link to favourites and execute just by clicking
  • Make an extension or use some suitable one
Qwertiy
  • 19,681
  • 15
  • 61
  • 128
3

Simply bookmark the bookmarklet (that's the term for javascript:...). Create an anchor which links to the bookmarklet, and ask the user to bookmark this link.

Example:

<a href="javascript:alert(0)">Bookmark this by dragging it on your bookmark bar</a>

I've just tested it in FF7, and it works like a charm.

Aaron Thoma
  • 3,820
  • 1
  • 37
  • 34
Rob W
  • 341,306
  • 83
  • 791
  • 678
  • There is no option to bookmark a link, so whatever do you mean? I'm googling like crazy and cannot find another solution than simply pressing CTRL+D and adding the JS manually. So if you mean that you have the ability to make a bookmark from a link directly, please do share how. – Streching my competence Nov 17 '18 at 16:48
  • @Strechingmycompetence Drag the link right to the bookmarks bar? – miike3459 Jan 09 '19 at 23:59
3

So with the most recent facebook phishing scandal, google chrome(and i assume other browsers) disabled the ability to paste javascript directly into your URL bar. Well it still lets you, but it strips the "javascript: " part.

IE9 and FF added this "protection" too... only Opera holds, for now. Still, it became even easier. Just trick your user to paste code into console. Same effect as with old snippets.

c69
  • 19,951
  • 7
  • 52
  • 82
  • Elaborate a tiny bit, your comment intrigued me. – Evan Hantverk Oct 08 '11 at 16:20
  • `Ctrl+Shift+I` in Opera / Chrome, `F12` in IE, `Ctrl+Shift+J` in Firefox - will show developer tools. And from there you can get to the console. – c69 Oct 08 '11 at 16:23
  • I see, darn. I was hoping there was an easier way to catch people now :( I guess more people would be abusing it if there were. – Evan Hantverk Oct 08 '11 at 16:31
  • Moral of the story: You can't protect users from themselves. Please, for the love of all that is my sanity, stop trying. It only makes my work less convenient. – Dan Bechard Feb 21 '14 at 19:43
  • Chrome also has `F12` which opens the DevTools where they last were, exactly like `Ctrl+Shift+I`. And `Ctrl+Shift+J` opens them on the console tab directly. – Aaron Thoma Mar 06 '22 at 22:07