[whatwg] IRIs and javascript: scheme
Christian Schmidt
whatwg.org at chsc.dk
Wed Oct 18 07:33:25 PDT 2006
Most modern browsers support the following:
<a href="javascript:alert(123)">foo</a>
AFAICS "javascript:alert(123)" is not a valid IRI according to RFC 3987
(it should be "javascript:alert%28123%29" instead) and is thus not
allowed in an <input type="url"> field. This is somewhat surprising to
me, and I think it will confuse users that they now have to manually
escape their javascript: URLs when entering them in url input fields.
Would it cause any problems to somehow allow the unescaped form in url
input fields? Or is that a dangerous road to go down?
Christian
More information about the whatwg
mailing list