# Bad value X for attribute “href” on element “a”: Illegal character in query. “[” is not allowed.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-x-for-attribute-href-on-element-a-illegal-character-in-query-is-not-allowed
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

Square brackets (`[` and `]`) are not valid characters in URLs according to RFC 3986 and must be percent-encoded in the `href` attribute of `<a>` elements.

URLs have a strict set of allowed characters. Square brackets are reserved exclusively for IPv6 addresses in the host portion of a URL (e.g., `http://[::1]/`). Anywhere else in a URL, including query strings, they must be percent-encoded: `[` becomes `%5B` and `]` becomes `%5D`.

This issue commonly appears when linking to URLs that use square brackets in query parameters, a pattern found in some PHP frameworks and APIs (e.g., `?filter[name]=value`). While most browsers handle unencoded brackets without problems, the HTML specification requires valid URLs, and the W3C validator flags the violation.

## Invalid example

```html
<a href="https://example.com/results?filter[status]=active&filter[role]=admin">
  View results
</a>
```

## Valid example

Replace `[` with `%5B` and `]` with `%5D`:

```html
<a href="https://example.com/results?filter%5Bstatus%5D=active&filter%5Brole%5D=admin">
  View results
</a>
```

The browser will decode the percent-encoded characters when sending the request, so the server receives the same query string either way.