# Bad value for attribute “src” on element “iframe”: Illegal character in query: “[” is not allowed.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-for-attribute-src-on-element-iframe-illegal-character-in-query-square-bracket-is-not-allowed
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

Square brackets (`[` and `]`) are reserved characters under RFC 3986, the standard that defines URI syntax. They are only permitted in the host component of a URL (specifically for IPv6 addresses) and are illegal elsewhere, including the query string. While most browsers are lenient and will load an `<iframe>` even when the `src` contains raw brackets, the W3C HTML Validator correctly flags this as an invalid URL value.

This pattern surfaces frequently when working with frameworks or APIs that use bracket notation to represent arrays or nested objects in query parameters — for example, `filters[category]=news` or `items[0]=apple`. These URLs work in a browser's address bar because browsers silently fix malformed URLs, but the raw HTML itself is technically non-conforming.

### Why it matters

- **Standards compliance:** A valid HTML document requires all attribute values that expect URLs to contain properly encoded URIs. Raw brackets violate this requirement.
- **Interoperability:** While mainstream browsers handle this gracefully, other HTML consumers — such as screen readers, web scrapers, embedded webview components, or email clients — may not be as forgiving.
- **Maintainability:** Properly encoded URLs are unambiguous and reduce the risk of subtle parsing bugs, especially when URLs are constructed dynamically or passed through multiple layers of processing.

### How to fix it

There are two main approaches:

1. **Percent-encode the brackets.** Replace every `[` with `%5B` and every `]` with `%5D` in the URL. The server will decode them back to brackets automatically, so functionality is preserved.

2. **Use alternative parameter naming.** If you control the server, switch to a naming convention that avoids brackets altogether, such as dot notation (`filters.category`) or underscores (`filters_category`). This keeps the URL valid without any encoding.

If you're generating the URL dynamically in JavaScript, you can use `encodeURIComponent()` on individual parameter keys and values, or use the `URL` and `URLSearchParams` APIs, which handle encoding automatically.

## Examples

### Incorrect — raw brackets in the query string

```html
<iframe src="https://example.com/embed?filters[category]=news&filters[tags]=web"></iframe>
```

The `[` and `]` characters in the query string make this an invalid URL value, triggering the validator error.

### Fixed — percent-encoded brackets

```html
<iframe src="https://example.com/embed?filters%5Bcategory%5D=news&filters%5Btags%5D=web"></iframe>
```

Replacing `[` with `%5B` and `]` with `%5D` produces a valid URL. The server receives the same parameter names after decoding.

### Fixed — alternative parameter naming

```html
<iframe src="https://example.com/embed?filters.category=news&filters.tags=web"></iframe>
```

If the server supports it, using dot notation eliminates the need for brackets entirely, keeping the URL clean and valid.

### Generating encoded URLs in JavaScript

```html
<iframe id="content-frame"></iframe>
<script>
  const url = new URL("https://example.com/embed");
  url.searchParams.set("filters[category]", "news");
  url.searchParams.set("filters[tags]", "web");
  document.getElementById("content-frame").src = url.href;
  // Result: https://example.com/embed?filters%5Bcategory%5D=news&filters%5Btags%5D=web
</script>
```

The `URLSearchParams` API automatically percent-encodes reserved characters, so you can write the parameter names naturally and let the browser produce a valid URL.