There’s a thread on the forums where Kyran describes an error message that Opera popped up when he attempted to put HTML into the URI field. I was amazed because I hadn’t seen any browser even start to deal with that issue. From an XSS prevention standpoint it seems like a very forward thinking idea. However, alas, it was just some weirdness.
When the URL http://<BR> is entered, Opera responds with the following text:
The URL http://<BR> contains characters that are not valid in the location they are found.
The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.
So anyway, it’s just some weirdness, and it doesn’t apply to you entering HTML as a query string (something that actually IS a security risk), but it’s still an interesting concept. One thing is sure: despite all the best tools, developers just don’t understand the problem yet. Why not take it out of their hands and put the onus on the browser community to fix the problem on their behalf? Of course this would break a ton of applications, in the same way that it did when Internet Explorer turned off support for basic authentication in the URL field to slow down phishing schemes. But is it worth it?
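To make the distinction above concrete, here is an added example (my own code, not Opera’s check or anything from the forum thread) that separates the structural check Opera is doing on the location part from the thing it does not cover, HTML metacharacters in the query string. The host character class is a simplified reading of RFC 3986 and the sample URLs are constructed; it also flags userinfo in the URL, the basic-auth-in-URL pattern mentioned above.

```python
import re
from urllib.parse import urlsplit

# Simplified RFC 3986 reg-name alphabet (unreserved + sub-delims + '%').
# Assumption: no IDNA or IPv6-literal handling; good enough to show the idea.
_HOST_RE = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=%]+$")

# Characters that matter when a query value is reflected into HTML unescaped.
_HTML_META = set("<>\"'")


def check_url(url):
    """Classify a URL string into the three properties discussed in the post.

    host_valid        - does the host consist only of characters allowed there?
                        (the kind of check Opera applies to http://<BR>)
    query_has_html_meta - does the query string carry HTML metacharacters?
                        (the case the browser check does NOT cover)
    has_userinfo      - is there a user[:password]@ section before the host?
                        (the pattern IE stopped honouring to slow phishing)
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "host_valid": bool(_HOST_RE.match(host)),
        "query_has_html_meta": any(c in _HTML_META for c in parts.query),
        "has_userinfo": parts.username is not None,
    }


if __name__ == "__main__":
    # Constructed sample URLs for illustration.
    for sample in ("http://<BR>",
                   "http://example.com/page?name=<BR>",
                   "http://user@example.com/"):
        print(sample, check_url(sample))
```

Note that the second URL passes the host check yet still carries the input that a reflecting page would have to encode; that is the gap the post is pointing at.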