HTML Guides for href
Learn how to identify and fix common HTML validation errors flagged by the W3C Validator — so your pages are standards-compliant and render correctly across every browser. Also check our Accessibility Guides.
An href attribute on an a element contains an invalid URL that has space characters in the domain.
The domain in a URL cannot contain space characters, for example the following are invalid:
<a href="http://my domain.com">link</a>
<a href="http://my%20domain.com">link</a>In the structure of a URL, the @ symbol has a special meaning: it separates the userinfo component (username and password) from the host. A URL with credentials follows this pattern:
scheme://username:password@hostname/pathWhen the username or password itself contains an @ character — for example, an email address used as a username — the browser or URL parser may not be able to determine where the credentials end and the hostname begins. For instance, in http://user@name:pass@example.com, it’s unclear whether the host is name or example.com.
The URL Standard (maintained by WHATWG) requires that any @ appearing within the userinfo component be percent-encoded as %40. Percent-encoding replaces the literal character with a % followed by its hexadecimal ASCII code (40 for @). This removes the ambiguity and ensures all parsers interpret the URL identically.
While modern browsers may attempt to handle ambiguous URLs, the behavior is not guaranteed to be consistent across all user agents, link checkers, or HTTP clients. Properly encoding these characters ensures reliable behavior everywhere and keeps your HTML valid.
Note: Including credentials directly in URLs is generally discouraged for security reasons, as they may be exposed in browser history, server logs, and referrer headers. Consider alternative authentication methods when possible.
Examples
❌ Incorrect: unencoded @ in the username
<a href="http://user@name:password@example.com/path">Login</a>Here, the parser cannot reliably distinguish user@name as the username from the @ that separates credentials from the host.
✅ Correct: percent-encoded @ in the username
<a href="http://user%40name:password@example.com/path">Login</a>The @ within the username is encoded as %40, leaving only one literal @ to serve as the delimiter before the hostname.
❌ Incorrect: unencoded @ in the password
<a href="http://admin:p@ss@example.com/dashboard">Dashboard</a>✅ Correct: percent-encoded @ in the password
<a href="http://admin:p%40ss@example.com/dashboard">Dashboard</a>❌ Incorrect: email address used as username without encoding
<a href="ftp://joe@example.org:secret@ftp.example.com/files">Files</a>✅ Correct: email address with @ percent-encoded
<a href="ftp://joe%40example.org:secret@ftp.example.com/files">Files</a>To fix this issue, identify every @ character that appears before the final @ in the authority section of the URL and replace it with %40. The last @ in the authority is the actual delimiter and must remain as a literal character.
An href attribute with the value http:// is not a valid URL because the host section is missing.
The href attribute in the area element must contain a valid URL. A URL requires a scheme (http or https), followed by ://, and then a valid host (such as example.com). The value http:// lacks a host, making it invalid according to URL standards and resulting in a validation error. If you don’t want the area to navigate anywhere, you can use href="#" for a placeholder or omit the href attribute entirely. To link to an actual location, provide the complete URL, including the host.
Invalid example:
<map name="myMap">
<area shape="rect" coords="30,23,183,191" href="http://" alt="" >
</map>Valid example with a real host:
<map name="myMap">
<area shape="rect" coords="30,23,183,191" href="http://example.com/" alt="" >
</map>Valid example with a placeholder, no navigation:
<map name="myMap">
<area shape="rect" coords="30,23,183,191" href="#" alt="" >
</map>Replace http:// with a full URL or a suitable placeholder as needed for your application.
The href attribute on an element <link> contains a character that is not allowed, and should be encoded.
Some typical examples include the pipe character | that should be replaced by its encoded alternative %7C , and the left square bracket [ that needs to be encoded as %5B.
The <a> element requires either a href attribute, or a role attribute.
An a element with an href attribute provides a link to a resource, so adding the link role to it is redundant.
When not using semantic HTML for its intended purpose, interactive features must be re-implemented. For example, when role="link" is added to an element, the tab key should enable giving focus to the link and the enter key should execute the link when focused.
Ready to validate your sites?
Start your free trial today.