# Bad value X for attribute “src” on element “script”: Illegal character in path segment.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-x-for-attribute-src-on-element-script-illegal-character-in-path-segment-is-not-allowed
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

The `src` attribute on a `<script>` element points to a URL whose path contains a character that is not allowed there unless it is percent-encoded.

A URL path may only use a restricted set of characters. Symbols such as `^`, spaces, square brackets, and backticks have to be written in their percent-encoded form, so a caret becomes `%5E`. The validator names the exact character it rejected, so look at the path segment it points to and either encode that character or change the URL so it no longer appears.

A common source of the `^` character is a version range copied from a package manager. A specifier like `@^2` belongs in a `package.json` file, not in a CDN URL. When you load a script straight from a CDN, pin an explicit version instead.

## Invalid example

```html
<script src="https://cdn.example.com/pkg@^2/dist/app.js"></script>
```

## Valid example

```html
<script src="https://cdn.example.com/pkg@2.1.0/dist/app.js"></script>
```