html decoding/encoding cant help in this, I tested this on most of the web application (like Atlassian JIRA, Slack) all were allowing this and it was being printed in html page. This tag will only work i following cases: if it is being printed in href attribute-

html解码/编码无法帮助,我在大多数Web应用程序(如Atlassian JIRA,Slack)上测试了这一点,所有这些都允许这个并且它是在html页面中打印的。此标记仅适用于以下情况:如果正在以href属性打印 -

<a href="javascript:alert(document.cookie)">Test</a>

in Onclick attribute

在Onclick属性中

<a href=# onclick="javascript:alert(document.cookie)" >test</a>

So make sure that you are not printing anything directly in href or onClick attribute, if you are doing than add any filter there which can manually detect javascript or dont forgot to append http:// before the link.

因此,请确保您没有直接在href或onClick属性中打印任何内容,如果您要在其中添加任何可以手动检测javascript的过滤器,或者不要忘记在链接之前附加http://。

Someone entering javascript:alert(document.cookie) in the address bar is not a vulnerability.

有人在地址栏中输入javascript:alert(document.cookie)不是漏洞。

If an attacker put a href in their website linking to javascript:alert(document.cookie) then it would simply show the cookies on the attacker's site.

如果攻击者在他们的网站上放置一个链接到javascript:alert(document.cookie)的href,那么它只会在攻击者的网站上显示cookie。

Only the user can enter the code in their own browser. This is known as Self-XSS.

只有用户可以在自己的浏览器中输入代码。这称为Self-XSS。

If this is not what you mean, please update your question with an example of a working URL (you could change your domain to example.com for privacy), and then add a comment to let me know and I'll update my answer to help.

如果这不是您的意思,请使用工作URL的示例更新您的问题(您可以将您的域名更改为example.com以获取隐私),然后添加评论以告知我,我将更新我的答案救命。