[whatwg] IRIs and javascript: scheme

Ian Hickson ian at hixie.ch
Mon Oct 27 23:14:55 PDT 2008

On Wed, 18 Oct 2006, Christian Schmidt wrote:
> Most modern browsers support the following:
> <a href="javascript:alert(123)">foo</a>
> AFAICS "javascript:alert(123)" is not a valid IRI according to RFC 3987 
> (it should be "javascript:alert%28123%29" instead) and is thus not 
> allowed in an <input type="url"> field. This is somewhat surprising to 
> me, and I think it will confuse users that they now have to manually 
> escape their javascript: URLs when entering them in url input fields.
> Would it cause any problems to somehow allow the unescaped form in url 
> input fields? Or is that a dangerous road to go down?

I've allowed the user agent to escape user input. I don't think we should 
ever submit an invalid URI or IRI.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
