Both FireFox and Chrome have been preventing that since around 2011; the pasted url is stripped of the "javascript:" part. But now the malicious instructions tell users to press "j" before pasting the url (which is missing the "j" at the start), which prevents the browsers from detecting and stripping the protocol, thus allowing the script execution.