[whatwg] IRIs and javascript: scheme
Ian Hickson
ian at hixie.ch
Mon Oct 27 23:14:55 PDT 2008
On Wed, 18 Oct 2006, Christian Schmidt wrote:
>
> Most modern browsers support the following:
> <a href="javascript:alert(123)">foo</a>
>
> AFAICS "javascript:alert(123)" is not a valid IRI according to RFC 3987
> (it should be "javascript:alert%28123%29" instead) and is thus not
> allowed in an <input type="url"> field. This is somewhat surprising to
> me, and I think it will confuse users that they now have to manually
> escape their javascript: URLs when entering them in url input fields.
>
> Would it cause any problems to somehow allow the unescaped form in url
> input fields? Or is that a dangerous road to go down?

I've allowed the user agent to escape user input. I don't think we should
ever submit an invalid URI or IRI.

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'