- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 28 Oct 2008 06:14:55 +0000 (UTC)

On Wed, 18 Oct 2006, Christian Schmidt wrote:
>
> Most modern browsers support the following:
> <a href="javascript:alert(123)">foo</a>
>
> AFAICS "javascript:alert(123)" is not a valid IRI according to RFC 3987
> (it should be "javascript:alert%28123%29" instead) and is thus not
> allowed in an <input type="url"> field. This is somewhat surprising to
> me, and I think it will confuse users that they now have to manually
> escape their javascript: URLs when entering them in url input fields.
>
> Would it cause any problems to somehow allow the unescaped form in url
> input fields? Or is that a dangerous road to go down?

I've allowed the user agent to escape user input. I don't think we should
ever submit an invalid URI or IRI.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 27 October 2008 23:14:55 UTC