# Bad value “X” for attribute “href” on element “a”: Illegal character in query: space is not allowed.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-x-for-attribute-href-on-element-a-illegal-character-in-query-space-is-not-allowed
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

URLs follow strict syntax rules defined by [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986), which does not permit literal space characters anywhere in a URI. When the W3C validator encounters a space in the `href` attribute of an `<a>` element — particularly within the query string (the part after the `?`) — it flags it as an illegal character.

While most modern browsers will silently fix malformed URLs by encoding spaces for you, relying on this behavior is problematic for several reasons:

- **Standards compliance:** The HTML specification requires that `href` values contain valid URLs. A space makes the URL syntactically invalid.
- **Interoperability:** Not all user agents, crawlers, or HTTP clients handle malformed URLs the same way. Some may truncate the URL at the first space or reject it entirely.
- **Accessibility:** Screen readers and assistive technologies may struggle to interpret or announce links with invalid URLs.
- **Link sharing and copy-pasting:** If a user copies the link from the source or if the URL is used in an API or redirect, the unencoded space can cause breakage.

To fix this issue, replace every literal space character in the URL with `%20`. Within query string values, you can also use `+` as a space encoding (this is the `application/x-www-form-urlencoded` format commonly used in form submissions). If you're generating URLs dynamically, use your programming language's URL encoding function (e.g., `encodeURIComponent()` in JavaScript, `urlencode()` in PHP, or `urllib.parse.quote()` in Python).

## Examples

### Incorrect — spaces in the query string

```html
<a href="https://example.com/search?query=hello world&lang=en">Search</a>
```

The space between `hello` and `world` is an illegal character in the URL.

### Correct — space encoded as `%20`

```html
<a href="https://example.com/search?query=hello%20world&lang=en">Search</a>
```

### Correct — space encoded as `+` in query string

```html
<a href="https://example.com/search?query=hello+world&amp;lang=en">Search</a>
```

Using `+` to represent a space is valid within query strings and is commonly seen in URLs generated by HTML forms.

### Incorrect — spaces in the path and query

```html
<a href="https://example.com/my folder/page?name=John Doe">Profile</a>
```

### Correct — all spaces properly encoded

```html
<a href="https://example.com/my%20folder/page?name=John%20Doe">Profile</a>
```

### Generating safe URLs in JavaScript

If you're building URLs dynamically, use `encodeURIComponent()` for individual parameter values:

```html
<script>
  const query = "hello world";
  const url = "https://example.com/search?query=" + encodeURIComponent(query);
  // Result: "https://example.com/search?query=hello%20world"
</script>
```

Note that `encodeURIComponent()` encodes spaces as `%20`, which is safe for use in any part of a URL. Avoid using `encodeURI()` for query values, as it does not encode certain characters like `&` and `=` that may conflict with query string syntax.