[whatwg] IRIs and javascript: scheme

Christian Schmidt whatwg.org at chsc.dk
Wed Oct 18 07:33:25 PDT 2006

Most modern browsers support the following:
<a href="javascript:alert(123)">foo</a>

AFAICS "javascript:alert(123)" is not a valid IRI according to RFC 3987 
(it should be "javascript:alert%28123%29" instead) and is thus not 
allowed in an <input type="url"> field. This is somewhat surprising to 
me, and I think it will confuse users that they now have to manually 
escape their javascript: URLs when entering them in url input fields.

Would it cause any problems to somehow allow the unescaped form in url
input fields? Or is that a dangerous road to go down?


More information about the whatwg mailing list