The best answers to the question “Is it a good practice to use an empty URL for a HTML form's action attribute? (action="")” in the category Dev.
I am wondering if anyone can give a “best practices” response to using blank HTML form actions to post back to the current page.
There is a post asking what a blank HTML form action does here and some pages like this one suggest it is fine but I’d like to know what people think.
Actually, the Form Submission subsection of the current HTML5 draft does not allow
action="". It is against the spec.
formactioncontent attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces. (emphasis added)
The quoted section in mercator’s answer is a requirement on implementations, not authors. Authors must follow the author requirements. To quote How to read this specification:
In particular, there are conformance requirements that apply to producers, for example authors and the documents they create, and there are conformance requirements that apply to consumers, for example Web browsers. They can be distinguished by what they are requiring: a requirement on a producer states what is allowed, while a requirement on a consumer states how software is to act.
The change from HTML4—which did allow an empty URL—was made because “browsers do weird things with an empty
action="" attribute”. Considering the reason for the change, its probably best not to do that in HTML4 either.
The best thing you can do is leave out the action attribute altogether. If you leave it out, the form will be submitted to the document’s address, i.e. the same page.
It is also possible to leave it empty, and any browser implementing HTML’s form submission algorithm will treat it as equivalent to the document’s address, which it does mainly because that’s how browsers currently work:
8.Let action be the submitter element’s action.
9.If action is the empty string, let action be the document’s address.
Note: This step is a willful violation of RFC 3986, which would require base URL processing here. This violation is motivated by a desire for compatibility with legacy content. [RFC3986]
This definitely works in all current browsers, but may not work as expected in some older browsers (“browsers do weird things with an empty action=”” attribute”), which is why the spec strongly discourages authors from leaving it empty:
formactioncontent attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces.
This will validate with HTML5.
Not including the action attribute opens the page up to iframe clickjacking attacks, which involve a few simple steps:
- An attacker wraps your page in an iframe
- The iframe URL includes a query param with the same name as a form field
- When the form is submitted, the query value is inserted into the database
- The user’s identifying information (email, address, etc) has been compromised
- Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution