# Bad value X for attribute “src” on element “script”: Illegal character in query: “"” is not allowed.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-x-for-attribute-src-on-element-script-illegal-character-in-query-quote-is-not-allowed
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

When the browser's HTML parser encounters a `src` attribute, it expects the value between the opening and closing quotes to be a valid URL. URLs have strict rules about which characters are permitted — a literal double quote (`"`) is not one of them. If a `"` character appears inside the URL, the validator flags it as an illegal character in the query string (or other parts of the URL).

This error often doesn't stem from an intentionally embedded quote in the URL itself. Instead, it's usually a symptom of malformed HTML around the attribute. Common causes include:

- **Stray quotes after the attribute value**, such as writing `src="https://example.com/script.js"async""` instead of properly separating attributes.
- **Accidentally doubled closing quotes**, like `src="https://example.com/script.js""`.
- **Boolean attributes given empty-string values incorrectly**, such as `async""` instead of just `async`, which causes the parser to interpret the extra quotes as part of the preceding `src` value.
- **Copy-paste errors** that introduce smart quotes (`"` `"`) or extra quotation marks into the URL.

This matters for several reasons. Malformed `src` attributes can cause the script to fail to load entirely, breaking functionality on your page. It also violates the HTML specification, which can lead to unpredictable behavior across different browsers as each parser tries to recover from the error differently.

To fix the issue, carefully inspect the `<script>` tag and ensure that:

1. The `src` attribute value contains only a valid URL with no unescaped `"` characters.
2. The opening and closing quotes around the attribute value are properly balanced.
3. Attributes are separated by whitespace — not jammed together.
4. Boolean attributes like `async` and `defer` are written as bare keywords without values.

If you genuinely need a double quote character in a query string (which is rare), encode it as `%22`.

## Examples

### Incorrect — stray quotes between attributes

In this example, the `async` attribute is malformed as `async""`, which causes the parser to interpret the extra quotes as part of the `src` URL:

```html
<script src="https://example.com/js/app.js?ver=3.1" async""></script>
```

### Incorrect — doubled closing quote

Here, an extra `"` at the end of the `src` value creates an illegal character in the URL:

```html
<script src="https://example.com/js/app.js?ver=3.1""></script>
```

### Incorrect — smart quotes from copy-paste

Curly/smart quotes copied from a word processor are not valid HTML attribute delimiters and get treated as part of the URL:

```html
<script src="https://example.com/js/app.js?ver=3.1"></script>
```

### Correct — clean attributes with proper quoting

```html
<script src="https://example.com/js/app.js?ver=3.1" async></script>
```

### Correct — boolean attribute written as a bare keyword

Boolean attributes like `async` and `defer` don't need a value. Simply include the attribute name:

```html
<script src="https://example.com/js/app.js?ver=3.1" defer></script>
```

While `async="async"` is technically valid per the spec, the cleanest and most common form is the bare attribute. Avoid empty-string patterns like `async=""` placed without proper spacing, as they can lead to the exact quoting errors described here.

### Correct — full valid document

```html
<!DOCTYPE html>
<html lang="en">
  <head>
    <title>Valid Script Example</title>
    <script src="https://example.com/js/app.js?ver=3.1" async></script>
  </head>
  <body>
    <p>Page content here.</p>
  </body>
</html>
```

If you're generating `<script>` tags dynamically (through a CMS, template engine, or build tool), check the template source rather than just the rendered output. The stray quotes are often introduced by incorrect string concatenation or escaping logic in the server-side code.