W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2006

[whatwg] IRIs and javascript: scheme

From: Christian Schmidt <whatwg.org@chsc.dk>
Date: Wed, 18 Oct 2006 16:33:25 +0200
Message-ID: <45363B35.5010908@chsc.dk>
Most modern browsers support the following:
<a href="javascript:alert(123)">foo</a>

AFAICS "javascript:alert(123)" is not a valid IRI according to RFC 3987 
(it should be "javascript:alert%28123%29" instead) and is thus not 
allowed in an <input type="url"> field. This is somewhat surprising to 
me, and I think it will confuse users that they now have to manually 
escape their javascript: URLs when entering them in url input fields.

Would it cause any problems to somehow allow the unescaped form in url
input fields? Or is that a dangerous road to go down?

Received on Wednesday, 18 October 2006 07:33:25 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:48 UTC