javascript – XSS with Template Literals

I suspect I have a potential XSS vulnerability at the client-side level; however, I’m not able to exploit it successfully.

The URL I’m using consists of three parameters that reflect back to the user and it is as follows:

https://host/email_url?key=(ENTRYPOINT1)&code=(ENTRYPOINT2)&mode=(ENTRYPOINT3)

The HTTP headers of the (potentially) vulnerable page are:

HTTP/1.1 200 OK
Connection: close
Content-Length: 6573
Cache-Control: max-age=3600
Content-Type: text/html; charset=utf-8
Etag: (REDACTED)
Last-Modified: (REDACTED)
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31556926
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Accept-Ranges: bytes
Date: (REDACTED)
X-Served-By: (REDACTED)
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: (REDACTED)
Vary: x-fh-requested-host, accept-encoding

The (potentially) affected HTML code is:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
    (...)
         <div class= "col-md-8 offset-md-2">
            <p class="lead mb-4">To complete the email verification process, tap on the button below.</p>
            <a id="completeVerification" class="btn btn-primary" href="">Complete the verification</a>
          </div>
    (...)
   <script>
    window.onload = function() {
      // Choose environment
      const host = window.location.host
      const environment =
        host === 'redacted-dev.firebaseapp.com' ? 'development' :
        host === 'redacted-stg.firebaseapp.com' ? 'staging' :
        'production';
      // Build deep link with received params
      const urlParams = new URLSearchParams(window.location.search);
      const key = urlParams.get('key');
      const code = urlParams.get('code');
      const mode = urlParams.get('mode');
      const a = document.getElementById('completeVerification');
      a.href = `com.application.${environment}://auth?key=${key}&code=${code}&mode=${mode}`;
    };
    </script>

After a few tests I can see that it is allowing many characters such as ', $, {, }, <, >, /, *. The only character that is being HTML encoded is ".

I’ve tried, without success, sending the following XSS Template Literal payloads through the reflecting parameters:

alert(1)
${alert(1)}
alert(1);
${alert(1)};
`alert(1)`
`${alert(1)}`
`${alert(1)}`;
alert(1);
${alert(1)}/*

Any insights on why this is not executing are appreciated. Thanks for reading.
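
Added example, not part of the original post: by the time the script interpolates `key`, `code` and `mode` they are ordinary strings, and a template literal does not parse interpolated values again as code, so the strings above end up as literal text in the link. The sketch below puts the post's link construction beside a variant that percent-encodes each value; the function names, the sample values `c1`, `m1` and `k1&mode=other`, and the way the receiver parses the link are assumptions made for illustration.

```javascript
// Same construction as the script in the post: values are spliced in as-is.
function buildDeepLinkAsOnPage(environment, key, code, mode) {
  return `com.application.${environment}://auth?key=${key}&code=${code}&mode=${mode}`;
}

// Hardened variant (assumption, not the site's code): URLSearchParams
// percent-encodes every value, so a value cannot add or override parameters.
function buildDeepLinkEncoded(environment, key, code, mode) {
  const query = new URLSearchParams({ key, code, mode }).toString();
  return `com.application.${environment}://auth?${query}`;
}

// Parse the query part of a deep link (assumed behaviour of the receiver).
function parseDeepLinkQuery(link) {
  return new URLSearchParams(link.slice(link.indexOf('?') + 1));
}

function demo() {
  // Constructed inputs: the first key is a string from the post, the second
  // contains the '&' and '=' delimiters.
  const inputs = ['${alert(1)}', 'k1&mode=other'];
  return inputs.map((key) => {
    const raw = buildDeepLinkAsOnPage('production', key, 'c1', 'm1');
    const encoded = buildDeepLinkEncoded('production', key, 'c1', 'm1');
    return {
      raw,      // the value appears verbatim; nothing is evaluated
      encoded,  // the value is percent-encoded
      rawModes: parseDeepLinkQuery(raw).getAll('mode'),
      encodedModes: parseDeepLinkQuery(encoded).getAll('mode'),
      keyRoundTrips: parseDeepLinkQuery(encoded).get('key') === key,
    };
  });
}

console.log(demo());
```

In both variants the link always starts with the fixed `com.application.` scheme prefix, so the parameters only ever land in the query part of the `href`.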