Bad value for attribute “src” on element “iframe”: Illegal character in query: “[” is not allowed.

The src attribute on an <img> element contains an invalid character, that should be properly encoded as a URI percent-encoded character.

The URL in the src attribute value for an iframe is invalid as it contains an unexpected hash (#) character.

There’s an unexpected, possibly duplicate, hash character in the URÑ.

Examples:

Incorrect:

<iframe src="https://example.com/#?secret=123#abc"></iframe>

Correct (using only the query string):

<iframe src="https://example.com/#?secret=123"></iframe>

Correct (using the query string and a hash fragment) :

<iframe src="https://example.com/?secret=123#abc"></iframe>

The src attribute contains square brackets ([ or ]) in the URL’s query string, which are not permitted in valid HTML URLs.

According to the HTML standard, attribute values such as URLs must conform to valid URI syntax. Unencoded square brackets are reserved characters in URI syntax and must be percent-encoded. Specifically, [ should be replaced with %5B and ] with %5D. This ensures the URL is correctly interpreted by browsers and validators. For example, a URL parameter like sort=[asc] should be coded as sort=%5Basc%5D.

Correct HTML Example:

<iframe src="/page?time=%5Btimestamp%5D"></iframe>

Always encode reserved characters in URLs when using them in HTML attribute values to ensure W3C compliance.

The issue arises from the space character in the src attribute value of the script element. In URLs, spaces are not allowed and should be properly encoded to avoid validation errors.

Fix

Replace spaces with %20, which is the URL-encoded representation of a space.

Example

Before:

<script src="https://example.com/media assets/app.js"></script>

After:

<script src="https://example.com/media%20assets/app.js"></script>

Explanation

In this example, the space between “media” and “assets” in the URL is replaced with %20. This change ensures that the URL conforms to standards and is correctly processed by browsers and servers. Spaces and other special characters in URLs must be encoded to ensure proper formatting and accessibility.

The href attribute of an <a> element contains an invalid character, that should be properly encoded as a URI percent-encoded character.

Square brackets ([, ]) are not allowed unescaped in the query part of an href URL value.

The href attribute in the <a> element must contain a valid URL. According to the URL standard, certain characters, including square brackets, are not permitted directly in the query component unless percent-encoded. Using unescaped square brackets in the URL can cause validation errors and unexpected behavior in browsers.

To include a square bracket in the query string, use percent encoding:

• [ encodes to %5B
• ] encodes to %5D

Incorrect usage:

<a href="search.html?q=[value]">Search</a>

Correct usage:

<a href="search.html?q=%5Bvalue%5D">Search</a>

This ensures the URL is valid and compliant with HTML standards.

The href attribute of the a element contains an invalid backslash character, which is not permitted in URLs.

According to the WHATWG HTML living standard, the href attribute must contain a valid URL. URLs use forward slashes (/) for path separators, and backslashes are not allowed as they can cause browsers and validators to misinterpret the address. Backslashes often arise when file paths are copied from Windows environments.

Correct Usage:

• Always use forward slashes / in your URLs.
• Remove any backslashes from href values.

Example of incorrect usage:

<a href="images\picture.jpg">View Picture</a>

Corrected example:

<a href="images/picture.jpg">View Picture</a>

An illegal character has been found for the “href” attribute on the “link” element.

To fix this issue, find the “link” element in question and make sure that the “href” attribute contains a valid URL without any illegal characters.

Here’s some example HTML code of a link element:

<!DOCTYPE html>
<html>
  <head>
    <title>My Webpage</title>
    <link rel="stylesheet" href="styles/main.css">
  </head>
  <body>
    <h1>Welcome to my webpage!</h1>
    <p>Here is some content...</p>
  </body>
</html>

In the above example, the link element has a valid href attribute value of styles/main.css. Make sure that your href attribute values don’t contain any illegal characters.

An <iframe> element allows to embed an HTML document inside another HTML document, and its src attribute is indicated the source URL of the embedded web page. The src attribute is a required attribute, so it cannot be blank.

Example:

<iframe src="https://example.com/map.html"></iframe>

A fragment identifier (the part after #) is not allowed in a data: URL used in an img src.

The img element accepts any valid URL in the src attribute, including data URLs per RFC 2397. However, RFC 2397 forbids fragment identifiers in data: URIs.

If you need to reference an internal fragment (e.g., an SVG symbol or id), use one of these approaches:

• Inline the SVG in the DOM and reference its ids normally.
• Put the SVG in a separate file and use a standard URL with a fragment (example.svg#icon).
• Remove the fragment from the data: URL and ensure the content renders without fragment navigation.