Is it a good practice to use an empty URL for a HTML form s action attribute action

Question

I am wondering if anyone can give a  best practices  response to using blank HTML form actions to post back to the current page   There is a post asking what a blank HTML form action does here and some pages like this one suggest it is fine but I d like to know what people think

User · Answer

I use to do not specify action attribute at all  It is actually how my framework is designed all pages get submitted back exact to same address  But today I discovered problem  Sometimes I borrow action attribute value to make some background call  I guess some people name them AJAX   So I found that IE keeps action attribute value as empty if action attribute wasn t specified  It is a bit odd in my understanding  since if no action attribute specified  the JavaScript counterpart has to be at least undefined  Anyway  my point is before you choose best practice you need to understand more context  like will you use the attribute in JavaScript or not

User · Answer

This will validate with HTML5    lt form action     gt

User · Answer

I used to do this a lot when I worked with Classic ASP  Usually I used it when server-side validation was needed of some sort for the input  before the days of AJAX   The main draw back I see is that it doesn t separate programming logic from the presentation  at the file level

User · Answer

Just use           lt form action     method  post  enctype  multipart form-data  name  myForm  id  myForm  gt    It doesn t violate HTML5 standards

User · Answer

Actually  the Form Submission subsection of the current HTML5 draft does not allow action     It is against the spec      The action and formaction content attributes  if specified  must have a value that is a valid non-empty URL potentially surrounded by spaces   emphasis added    The quoted section in mercator s answer is a requirement on implementations  not authors  Authors must follow the author requirements  To quote How to read this specification      In particular  there are conformance requirements that apply to producers  for example authors and the documents they create  and there are conformance requirements that apply to consumers  for example Web browsers  They can be distinguished by what they are requiring  a requirement on a producer states what is allowed  while a requirement on a consumer states how software is to act    The change from HTML4   which did allow an empty URL   was made because    browsers do weird things with an empty action    attribute     Considering the reason for the change  its probably best not to do that in HTML4 either

User · Answer

I think it s best to explicitly state where the form posts  If you want to be totally safe  enter the same URL the form is on in the action attribute if you want it to submit back to itself  Although mainstream browsers evaluate    to the same page  you can t guarantee that non-mainstream browsers will   And of course  the entire URL including GET data like Juddling points out

User · Answer

The best thing you can do is leave out the action attribute altogether  If you leave it out  the form will be submitted to the document s address  i e  the same page  It is also possible to leave it empty  and any browser implementing HTML s form submission algorithm will treat it as equivalent to the document s address  which it does mainly because that s how browsers currently work   8  Let action be the submitter element s action  9  If action is the empty string  let action be the document s address  Note  This step is a willful violation of RFC 3986  which would require base URL processing here  This violation is motivated by a desire for compatibility with legacy content   RFC3986   This definitely works in all current browsers  but may not work as expected in some older browsers   quot browsers do weird things with an empty action  quot  quot  attribute quot    which is why the spec strongly discourages authors from leaving it empty   The action and formaction content attributes  if specified  must have a value that is a valid non-empty URL potentially surrounded by spaces

User · Answer

Not including the action attribute opens the page up to iframe clickjacking attacks  which involve a few simple steps    An attacker wraps your page in an iframe The iframe URL includes a query param with the same name as a form field When the form is submitted  the query value is inserted into the database The user s identifying information  email  address  etc  has been compromised   References   Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution

User · Answer

IN HTML 5 action    IS NOT SUPPORTED SO DON T DO THIS  BAD PRACTICE   If instead you completely negate action altogether it will submit to the same page by default  I believe this is the best practice    lt form gt This will submit to the current page lt  form gt    If you are sumbitting the form using php you may want to consider the following  read more about it here    lt form method  post  action   lt  php echo htmlspecialchars   SERVER  PHP SELF      gt   gt    Alternatively you could use   bear in mind though that this will act like an anchor and scroll to the top of the page    lt form action     gt

User · Answer

I normally use action     which is XHTML valid and retains the GET data in the URL

User · Answer

When you put empty action then some security filtration consider it malicious or phishing  Hence they can block your page  So its advisable not to keep action  blank

[forms] Is it a good practice to use an empty URL for a HTML form's action attribute? (action="")

Examples related to forms

Examples related to web-standards

Examples related to string

Examples related to html