(no subject)
Date: 2013-12-20 11:58 pm (UTC)

I think the important thing is not so much policing the names of things, but correctly enclosing things (the same as the issue with little Bobby Tables).
So javascript:whatever isn't an issue as long as, when it's included in a link, it's actually href="html:relative_url", not href="relative_url_or_anything", and properly HTML encoded so it can't break out of the quote jail.
Similarly, it's not an issue in normal text (like the page title) as long as it is encoded to the point that that's what appears on the page.
Obviously, you also may want to prohibit a -few- things (specifically, ../ due to the dual meaning), but that's still basically an enclosure issue, not putting something ambiguous into the URI.
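The enclosure rule the comment describes, as an added example that is not the commenter's code: an untrusted page name is percent-encoded into a relative path so a `javascript:` prefix can never be read as a URL scheme, `..` segments are refused, and both the attribute value and the visible text are HTML-encoded so nothing breaks out of the quotes. The function names are my own.

```python
import html
from urllib.parse import quote


def is_safe_name(name: str) -> bool:
    """Reject names with empty, '.' or '..' path segments (the dual-meaning case)."""
    return bool(name) and all(seg not in ("", ".", "..") for seg in name.split("/"))


def enclose_as_relative_url(name: str) -> str:
    """Turn a page name into a URL that can only ever be a relative path.

    Percent-encoding every reserved character (safe="") means ':' becomes %3A,
    so 'javascript:...' can never form a scheme; the './' prefix makes the
    relative intent explicit even if the encoding were ever loosened.
    """
    if not is_safe_name(name):
        raise ValueError("page name contains an empty, '.' or '..' segment")
    return "./" + "/".join(quote(seg, safe="") for seg in name.split("/"))


def html_encode(value: str) -> str:
    # Escapes & < > " and ' so the value cannot leave an attribute or element.
    return html.escape(value, quote=True)


def render_link(name: str) -> str:
    """Link to a page: the href is enclosed as a relative URL, the text as HTML."""
    return f'<a href="{html_encode(enclose_as_relative_url(name))}">{html_encode(name)}</a>'


def render_title(name: str) -> str:
    """Page title: plain text, encoded so it only ever displays."""
    return f"<title>{html_encode(name)}</title>"


if __name__ == "__main__":
    # Constructed hostile names, shown only to demonstrate the enclosure.
    for n in ("javascript:alert(1)", 'x" onmouseover="y', "<b>bold</b>"):
        print(render_link(n))
        print(render_title(n))
```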