Is it a good practice to use an empty URL for a HTML form's action attribute? (action="")

html

best-practices

responsive-design

security

byAlex Kataev·Aug 24, 2024

A form self-submitting setup with an action="" could make the server-side workflow on the current page more streamlined. However, using explicit action paths is a better practice for clarity and understanding. Thus, go for:

<form action="#" method="post">
  <!-- inputs -->
  <input type="submit" value="Submit">
</form>

Remember to enforce robust server validation to protect the data.

It's often recommended to omit the action attribute, making the form submit to the current document's address. Yet, keep in mind that older browsers may not support this, requiring valid, non-empty URLs instead. In the context of self-referencing forms, consider using this PHP snippet:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
  <!-- inputs -->
  <input type="submit" value="Submit">
</form>

This method circumvents potential security risks like clickjacking, as this can occur when action is omitted on sensitive pages.

The 'Action' Attribute Dissected

When Omitting is a Good Option

An omitted action simply leads to submission to the existing page, or in technical terms, the document's address. The HTML specification advises using non-empty URLs.

Drawbacks Worth Considering

Although handier, an empty action (action="") could lead to discrepancies across browsers, particularly the legacy ones. It's also worth pointing out that this violates the URI syntax defined by RFC 3986, leading the HTML5 specification to prohibit it altogether for enhanced security.

In some cases, you may try Action="#", but this makes the page bounce to the top after form submission. This sudden jump might impact the user experience.

Securing Form Actions

Dodging Security Pitfalls

An empty or absent action can potentially expose the form data to clickjacking attacks. Abiding by current web standards and security practices ensures data protection.

Essential Security Resources

Get to know more about secure form handling from this great resource.

Explicit Over Implicit - A Worthy Practice

Clarity, as we know, is often favored over convenience. Assigning a specific redirect URL to the action gives your code more transparency, ensuring no room for confusion or unexpected behavior. For both people and parsing machines reading your code, assigning a specific URL to the action attribute defines your form's intent more clearly.

Developer Standpoint

The consensus among experts suggests favoring non-empty action attributes. Keeping in mind both the coding practices and user expectations provides a well-rounded view.

Deploying the 'Action' Attribute Wisely

Lean Towards Explicit URLs

In HTML5, it is invariably better to use a specific URL in the action attribute. This emphasizes clarity and aids in understanding the form's behavior by both users and developers.

Don't Ignore Browser Behavior

It is worth acknowledging the variation in browser's reaction towards an empty action. Be sure to test your forms on different browsers to ensure uniform functionalities.

Prioritizing Security

Never overlook security. Always validate your inputs on the server-side even if you are submitting to the same page. Avoid exposing sensitive forms to cross-site request forgery (CSRF) and clickjacking.

explain-codes / Html / Is it a good practice to use an empty URL for a HTML form's action attribute? (action="")

Linked

When submitting a GET form, the query string is removed from the action URL



Difference between `` and ``



Can I make a `` not submit a form?



How to make an input type=button act like a hyperlink and redirect using a GET request?



Open link in new tab or window

