HTML Checking for Large Sites

The seamless attribute was proposed to be included in the HTML5 spec, but it wasn’t finally accepted, so it’s not a valid attribute for <iframe>.

There is an iframe tag inside a noscript tag that is itself inside the head section of the HTML document. This is not allowed because an iframe cannot be nested inside the head section.

To fix this issue, you may move the noscript section that contains the iframe tag outside of the head section, and ensure that it is placed within the body section of the HTML document.

For example, this is invalid HTML because the head section cannot contain iframe elements:

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>My webpage</title>
    <noscript>
      <p>Please enable JavaScript to view this website</p>
      <iframe src="https://example.com/"></iframe>
    </noscript>
    <!-- Other meta tags and styles go here -->
  </head>
  <body>
    <!-- Rest of your webpage content goes here -->
  </body>
</html>

Moving the noscript inside the body section fixes the issue, as that’s where iframe elements belong:

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>My webpage</title>
    <!-- Other meta tags and styles go here -->
  </head>
  <body>
    <noscript>
      <p>Please enable JavaScript to view this website</p>
      <iframe src="https://example.com/"></iframe>
    </noscript>
    <!-- Rest of your webpage content goes here -->
  </body>
</html>

All HTML elements may have the hidden boolean attribute set. When specified on an element, it indicates that the element is not yet, or is no longer, relevant, so browsers won’t render it.

Boolean attributes don’t accept values, its presence represents the true value and its absence represents the false value.

<!-- This is invalid because the hidden attribute should not have a value set -->
<div hidden="false"></div>

<!-- The correct way to hide a div is like this -->
<div hidden>This will be hidden</div>

<!-- And to show the element, we just don't hide it -->
<div>This won't be hidden</div>

An <iframe> element allows to embed an HTML document inside another HTML document, and its src attribute is indicated the source URL of the embedded web page. The src attribute is a required attribute, so it cannot be blank.

Example:

<iframe src="https://example.com/map.html"></iframe>

The attributes width and height of <iframe> elements expect a non-negative integer, so an empty string is not allowed. Either define the correct dimension, or remove this attribute.

The multiple attribute is used to indicate that multiple options can be selected in a <select> element. As a boolean attribute, it should only be declared without any value.

Instead of:

<select multiple="true">

You should use:

<select multiple>

Here is an example of the correct usage of the multiple attribute:

<label for="colors">Select your favorite colors:</label>
<select id="colors" name="colors" multiple>
  <option value="red">Red</option>
  <option value="green">Green</option>
  <option value="blue">Blue</option>
  <option value="yellow">Yellow</option>
</select>

The selected attribute on option elements is boolean, so it should not have any value associated.

To fix this issue, simply remove the value assigned to the selected attribute.

Instead of this:

<select>
  <option selected="true">Option 1</option>
  <option>Option 2</option>
  <option>Option 3</option>
</select>

Use this:

<select>
  <option selected>Option 1</option>
  <option>Option 2</option>
  <option>Option 3</option>
</select>

In the example above, we’ve removed the value assigned to the selected attribute on the first option element. This will specify that “Option 1” is the default option to be selected in the dropdown list.

The <iframe> element, used to embed another document inside the current document, accepts both attributes width and height which must be valid non-negative integers. Percentages are not allowed for these attributes.

The sandbox attribute is used with the iframe element to isolate the content of the embedded document from the rest of the page. It helps prevent malicious code from running on your website. However, the value assigned to the sandbox attribute in your iframe element includes both the allow-scripts and allow-same-origin options. This combination essentially removes all the protections that the sandbox attribute provides and allows the embedded document to break out of the sandbox.

To fix this issue, you should remove the allow-scripts and allow-same-origin values from the sandbox attribute. Instead, you should explicitly enable only the permissions that the embedded document requires.

Here’s an example iframe element with the proper use of sandbox:

<iframe src="https://example.com" sandbox="allow-forms allow-popups"></iframe>

This iframe element loads the https://example.com URL and has its sandbox attribute set to only allow-forms and allow-popups. This explicitly enables only the permissions that the embedded document may need, while also retaining the protections of the sandbox attribute.

An <iframe> element allows to embed an HTML document inside another HTML document, and its src attribute is indicated the source URL of the embedded web page. The query part of that URL contains one or more space characters, which are not allowed, for example:

<iframe src="https://maps.google.it/maps?q=2700 6th Avenue"></iframe>

You should properly escape all space characters as %20 like this:

<iframe src="https://maps.google.it/maps?q=2700%206th%20Avenue"></iframe>