This sort of thing is sometimes used in so-called "scriptless xss" attacks, where if you can force the website to have an unclosed url, you can capture part of the page contents (hopefully containing secrets) and exfiltrate it.
You’re a braver coder than me if you trade off potential errors in a massive pipeline of browsers, DNS, cache servers and proxies just so your code looks a bit neater! (EDIT: But this is a welcome, interesting post, just to be clear!)
Yeah "You can use newline or tab characters in the HREF attribute and the browser will throw a validation error, remove the offending character, try again, then succeed" would be a more accurate title.
Validation errors aren't really "exceptions" to be thrown, they are indicators for authors that something is probably wrong but they make no visible difference in the output. I'm not sure if any browser even tracks them (and if one did, the best it could do is complain in the dev tools).
Also, this is not limited to HREF, it's defined in URL[0] so you can also put newlines in new URL("...") etc.
> the title is referring to inside html attributes, where they will be removed hence not affect where the link points.
I thought so too, until I read the URL definition in RFC 1738
In some cases, extra whitespace (spaces, linebreaks, tabs, etc.) may need to be added to break long URLs across lines. The whitespace should be ignored when extracting the URL.
No whitespace should be introduced after a hyphen ("-") character. Because some typesetters and printers may (erroneously) introduce a hyphen at the end of line when breaking a line, the interpreter of a URL containing a line break immediately after a hyphen should ignore all unencoded whitespace around the line break, and should be aware that the hyphen may or may not actually be part of the URL.
Somewhat relatedly, GitHub Pages does support using URL-encoded newline characters %0A to reference file names with newlines,[0] but GitHub itself will omit the file from the web UI's tree view.
After I read this, I started to look at the Wikipedia article on Base64 and eventually got to the article for the data URI scheme. That's where I found a sentence that seems to a little bit at odds with the blogpost. The Wikipedia article mentions that "whitespace characters are not permitted in data URIs".
But then I suppose it goes back to the main thrust of the blogpost because it says that in the context of HTML 4 and 5, that linefeeds within an attribute value are ignored. So possibly there are some other contexts where whitespace might not be ignored.
They are not, but you can encode them, if you encode whitespace characters, you included whitespace in a URL.
One of the requirement of URLs is that it needs to be transmissible over paper or aural media, so arbitrary octets and the unused portion of ASCII are not legal either.
I try to use "_" instead of whitespace in filenames. Means no need to URI-encode them ever. If you have a space you don't know whether it's a tab or space. Or maybe two spaces. Also when you tell somebody what the file-name is, you don't prnounce spaces.
- Everyone of them gives me a 404, can you kindly add some page on your blog form where I can just see the titles of all the articles quickly?
- Most blogs posted on HN are not user friendly in this regard, sometimes the reader wants a quick glimpse of everything on 1 page so that they can quickly pick interesting stuff
He had a blog post that seemed just weird and out of left field. Like it was clearly a response to something but what? What was the motivation for it?
When asked he said y'know. He just thinks about stuff and writes and that's what he does.
Turns out the blog post was a post he also made on social media. And said post was a response to something. And I guess he thought it was pretty good writing and should go on his blog, too.
Nothing wrong with that on it's own but I feel like most people would preface a post like that with "I saw this thing." And when directly asked like... He just straight up lied?
He doesn't owe OP an answer, but he also shouldn't lie if he chooses to answer OP.
And looking at those comments, it's possible he misunderstood the question, but the way he doubled down when OP found and linked the twitter version comes across pretty badly. Even if OP was being rude.
The most generous interpretation I can make is that he missed the "Is this in response to something?" sentence when he first replied, and then when OP came back later with the twitter link he spent zero seconds double checking the context before fighting rude with more rude.
I don't think it's worth holding a grudge over, and OP should drop it, but it does look like he was overall in the wrong there.
Looking back I'm still perplexed about why he never just linked to the original thing he was responding to.
I mean listen I understand - I'm not owed anything. If he wants to take posts from elsewhere and share them to his blog with all context and background removed that's his business. And he doesn't have to respond to any comments he doesn't want to.
But if he gets a question he doesn't want to answer... He could just not answer it. Just leave my comment hanging. Hell - he could delete it even. I'd be perplexed but would probably shrug it off.
The whole lying thing is what bothers me. I'd rather somebody just not respond than try to feed me bullshit.
To the point where chrome stopped allowing newlines in some circumstances https://chromestatus.com/feature/5735596811091968
the title is referring to inside html attributes, where they will be removed hence not affect where the link points.
Also, this is not limited to HREF, it's defined in URL[0] so you can also put newlines in new URL("...") etc.
[0]: https://url.spec.whatwg.org/#concept-basic-url-parser
I thought so too, until I read the URL definition in RFC 1738
[0]: https://sheeptester.github.io/hello-world/test/%20%0A%20%0A/...
But then I suppose it goes back to the main thrust of the blogpost because it says that in the context of HTML 4 and 5, that linefeeds within an attribute value are ignored. So possibly there are some other contexts where whitespace might not be ignored.
One of the requirement of URLs is that it needs to be transmissible over paper or aural media, so arbitrary octets and the unused portion of ASCII are not legal either.
Somwhere after DNS IP and SMTP, but still before HTTP(1.0).
Still, not a bright idea.
HTTP 200 EVERYTHINGISFINEISWEAR
“You got URLs in my new lines!”
- https://lemire.me/posts
- https://lemire.me/archive
- https://lemire.me/archives
- Everyone of them gives me a 404, can you kindly add some page on your blog form where I can just see the titles of all the articles quickly?
- Most blogs posted on HN are not user friendly in this regard, sometimes the reader wants a quick glimpse of everything on 1 page so that they can quickly pick interesting stuff
He had a blog post that seemed just weird and out of left field. Like it was clearly a response to something but what? What was the motivation for it?
When asked he said y'know. He just thinks about stuff and writes and that's what he does.
Turns out the blog post was a post he also made on social media. And said post was a response to something. And I guess he thought it was pretty good writing and should go on his blog, too.
Nothing wrong with that on it's own but I feel like most people would preface a post like that with "I saw this thing." And when directly asked like... He just straight up lied?
That whole thing just rubbed me the wrong way.
For full context https://lemire.me/blog/2025/10/17/research-results-are-cultu...
In the comments I turned into kind of a dick. I was pretty upset about being lied to.
Anyways between that and articles like this that are honestly useless and kinda misleading - I'm not really the biggest fan.
And looking at those comments, it's possible he misunderstood the question, but the way he doubled down when OP found and linked the twitter version comes across pretty badly. Even if OP was being rude.
The most generous interpretation I can make is that he missed the "Is this in response to something?" sentence when he first replied, and then when OP came back later with the twitter link he spent zero seconds double checking the context before fighting rude with more rude.
I don't think it's worth holding a grudge over, and OP should drop it, but it does look like he was overall in the wrong there.
I mean listen I understand - I'm not owed anything. If he wants to take posts from elsewhere and share them to his blog with all context and background removed that's his business. And he doesn't have to respond to any comments he doesn't want to.
But if he gets a question he doesn't want to answer... He could just not answer it. Just leave my comment hanging. Hell - he could delete it even. I'd be perplexed but would probably shrug it off.
The whole lying thing is what bothers me. I'd rather somebody just not respond than try to feed me bullshit.
This seems less like you were being lied to and more like you are kind of being delusional.