Level 7: The Unsafe URI
MISSION: The system strictly denies 'javascript:' links. Find a way to bypass the filter and execute code when the link is clicked.
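// Read the user-supplied link target from the query string.
const params = new URLSearchParams(window.location.search);
const url = params.get('payload');
if (url) {
    // Filter: rejects only values that begin exactly with 'javascript:'.
    if (url.toLowerCase().startsWith('javascript:')) {
        document.getElementById('avatar-link').href = 'about:blank';
        console.error("VIOLATION: javascript: scheme blocked.");
    } else {
        // Anything else is assigned to the link unchanged.
        document.getElementById('avatar-link').href = url;
    }
}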
/// DECRYPTION COMPLETE ///
If your payload isn't working, you are likely falling into a classic encoding trap! If you paste %09javascript:alert(1) into the text box, the browser encodes the % sign. The server sees literal characters, not a tab.
Method 1 (The Input Box Space):
Type a single space, followed by javascript:alert(1), directly into the text box and submit. The startsWith() check does not match because of the leading space, but the browser strips the space when it parses the href and executes the JS.
Method 2 (The URL Bar Injection):
Bypass the HTML form entirely. Manually edit the URL in your browser's address bar to include the URL-encoded tab (%09) or newline (%0a):
After loading the page, click the [VIEW AVATAR] link to trigger the alert.
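
The fix for this level, as an added example that is not part of the original challenge code: parse the value the same way the browser will and allowlist the resulting scheme, instead of string-matching the raw input. The function names, the base origin app.example and the sample values are assumptions constructed for illustration.

```javascript
// Added example: allowlist-based replacement for the startsWith() filter.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// The challenge's check, reproduced for comparison: true means "blocked".
function naiveBlocks(url) {
  return url.toLowerCase().startsWith('javascript:');
}

// Returns a normalized href if the scheme is allowlisted, otherwise null.
// The URL parser strips leading spaces and control characters and removes
// tabs and newlines, so the scheme it reports is the one the browser will use.
// base is an assumed origin, needed to resolve relative inputs.
function safeHref(input, base = 'https://app.example/') {
  let parsed;
  try {
    parsed = new URL(input, base);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Run both checks over each sample so the difference is visible side by side.
function compare(samples) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    naiveBlocks: naiveBlocks(s),
    safeHref: safeHref(s),
  }));
}

// Constructed samples: the three inputs described on this page plus two
// legitimate avatar URLs.
const SAMPLES = [
  'javascript:alert(1)',
  ' javascript:alert(1)',
  '\tjavascript:alert(1)',
  '\njavascript:alert(1)',
  'https://cdn.example/avatar.png',
  '/img/avatar.png',
];

console.table(compare(SAMPLES));
```

In the page's script, the link would be set with `safeHref(url) ?? 'about:blank'` in place of the if/else branch.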