http://msdn2.microsoft.com/en-us/library/aa767914.aspx

So Microsoft is right in saying they can’t fix the problem … not without potentially breaking third-party software that depends on the documented behavior.

Of course decoding the URI before passing it to the registered handler is a silly thing to do, but it’s probably too late to change now.

That is, when the user clicks on the link – whether it is embedded in static HTML, generated by Javascript, or whatever – IE could simply advise the user that the link is invalid and refuse to attempt to follow it.

As far as I’m concerned, Windows/IE should not hand an illegal URI (such as one containing unencoded quote marks or spaces) to a registered URI handler; that’s just common sense.

I agree 100% that the recipient should validate the data, however as I said I don’t see a reason why you can’t have multi-tiered defense and the one passing the data can’t do the same. It may be undesirable but I see potential benefits in this case.

Sure, software that creates data is responsible for creating correct data. But the URI specification is pretty broad, and it’s not even clear that the interface in question isn’t more liberal than the RFC.

Any software that accepts data from another source is responsible for insuring that the data doesn’t cause a failure or a security vulnerability. Nothing that any standards group might say could reduce that responsibility.

“Normalization” of URIs in some circumstances is quite undesirable, and should be avoided until it’s necessary, preferably at the endpoints of the communication (when it is constructed and when it is parsed) rather than several times during intermediate phases.