W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2008

[whatwg] IRIs and javascript: scheme

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 28 Oct 2008 06:14:55 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0810280607300.1237@hixie.dreamhostps.com>
On Wed, 18 Oct 2006, Christian Schmidt wrote:
>
> Most modern browsers support the following:
> <a href="javascript:alert(123)">foo</a>
> 
> AFAICS "javascript:alert(123)" is not a valid IRI according to RFC 3987 
> (it should be "javascript:alert%28123%29" instead) and is thus not 
> allowed in an <input type="url"> field. This is somewhat surprising to 
> me, and I think it will confuse users that they now have to manually 
> escape their javascript: URLs when entering them in url input fields.
>
> Would it cause any problems to somehow allow the unescaped form in url 
> input fields? Or is that a dangerous road to go down?

I've allowed the user agent to escape user input. I don't think we should 
ever submit an invalid URI or IRI.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 27 October 2008 23:14:55 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:06 UTC