Get to know MDN better
Warning: Using javascript: URLs on the web is discouraged as it may lead to execution of arbitrary code, similar to the ramifications of using eval(). It may also reduce accessibility because it deviates from normal link behavior.
JavaScript URLs, URLs prefixed with the javascript: scheme, are used as fake navigation targets that execute JavaScript when the browser attempts to navigate. If the URL evaluates to a string, it is treated as HTML and rendered by the browser.
The scheme of the URL.
<script>The JavaScript code to execute. The code will be parsed as a script.
javascript: URLs can be used anywhere a URL is a navigation target. This includes, but is not limited to:
Note: Some other contexts that use URLs, such as the href attribute of <link> elements, do not allow javascript: URLs, because they are resource locations, not navigation targets. For these cases, if you want to write JavaScript inline, use data: URLs with the text/javascript MIME type.
When a browser attempts to navigate to such a location, it parses and executes the script body. The script may have a completion value (not a return value), which is the same value if the script were executed with eval(). If the last statement is an expression, the completion value is the value of that expression. If this completion value is a string, that string is treated as an HTML document and the browser navigates to a new document with that content, using the same URL as the current page. No history entry is created. If the completion value is not a string, the browser only executes the code and does not navigate. Therefore, it's often recommended that if the script ends with a function call like javascript:foo(), you should prefix it with void to prevent accidental navigation if the function happens to return a string.
javascript: navigation may be blocked by content security policy settings, in particular script-src.
In this example, the href attribute of an <a> element is set to a javascript: URL that alerts a message when clicked:
Because alert() returns undefined, the browser does not navigate to a new page. This is a bad practice because the link is actually not a hyperlink. Consider making it a button instead:
In this example, the href attribute of an <a> element is set to a javascript: URL that navigates to a new page with the content "Hello, world!":
Note that because javascript: URLs do not create history entries, there's no way to go back to the previous page without refreshing.
In this example, the action attribute of a <form> element is set to a javascript: URL that alerts a message when submitted:
Instead of doing this, consider listening for the form's submit event and handling it with JavaScript:
In this example, the src attribute of an <iframe> element is set to a javascript: URL that navigates to a new page with the content "Hello, world!":
Instead of doing this, consider setting the srcdoc attribute instead:
In this example, the window.location property is set to a javascript: URL that navigates to a new page with the content "Hello, world!":
Instead of doing this, consider using DOM APIs to modify the page content. For example:
| HTML # the-javascript:-url-special-case |
This page was last modified on Jul 1, 2025 by MDN contributors.
Your blueprint for a better internet.
Visit Mozilla Corporation’s not-for-profit parent, the Mozilla Foundation.
Portions of this content are ©1998–2026 by individual mozilla.org contributors. Content available under a Creative Commons license.