Headline: Don't put carriage return/linefeeds/newlines in your href attributes!

The Details


Our system sends out HTML emails to users with a few images and some links. Imagine my surprise when one of these emails had a link that appeared to be broken by Hotmail, with no obvious Google search results as to what had happened.

The test link in the email was sent as href='https://127.0.0.1:446/something' and this was also the display text. When the email arrived, it looked like this:



But when hovering over the link, the status bar showed: https://%20%20https://127.0.0.1:446/something, which naturally was a broken link. The %20 is an encoded space character, which was strange, especially as the display text looked correct. On closer examination of the email source, I noticed a lot of =0D=0A sequences, which are encoded carriage return/line feed pairs. I expected a few of these, since the HTML is built up in code using a StringBuilder and various calls to Append and AppendLine, but it then became apparent that we were using AppendLine while generating each part of this email link, which produced something like:

<a href='
https://127.0.0.1:446/something
?querystring
'>
https://127.0.0.1:446/something
?querystring
</a>

This is possibly illegal HTML and certainly unusual. Since CR/LF are ignored in display text in HTML, the text was displayed correctly, but the whitespace in the href attribute obviously confused something and caused the link to be mangled.

The moral? Generate your links properly!
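
The AppendLine pattern described above, next to a version that builds the URL as a single string and refuses any whitespace or control character before it reaches the href. This is an added example, not the original system's code: the class and method names are hypothetical, and the https-only check is an assumed policy.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text;

static class EmailLinks
{
    // Before: AppendLine after every fragment puts CR/LF inside the href value,
    // reproducing the markup shown in the post.
    public static string BrokenLink(string url, string query)
    {
        var sb = new StringBuilder();
        sb.AppendLine("<a href='");
        sb.AppendLine(url);
        sb.AppendLine("?" + query);
        sb.AppendLine("'>");
        sb.AppendLine(url);
        sb.AppendLine("?" + query);
        sb.AppendLine("</a>");
        return sb.ToString();
    }

    // After: assemble the full URL first, validate it, then emit the tag with Append only.
    public static string SafeLink(string url, string query)
    {
        string full = url + "?" + query;

        // Reject CR, LF, tabs, spaces and other control characters outright
        // instead of relying on each mail client to normalise them.
        if (full.Any(c => char.IsWhiteSpace(c) || char.IsControl(c)))
            throw new ArgumentException("URL contains whitespace or control characters");

        // Assumed policy: only absolute https links are allowed in outgoing mail.
        if (!Uri.TryCreate(full, UriKind.Absolute, out var parsed) || parsed.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("URL must be an absolute https URL");

        // HtmlEncode escapes & < > " and ', so the value cannot close the quoted attribute.
        string encoded = WebUtility.HtmlEncode(full);
        return new StringBuilder()
            .Append("<a href='").Append(encoded).Append("'>")
            .Append(encoded).Append("</a>")
            .ToString();
    }

    static void Main()
    {
        Console.WriteLine(BrokenLink("https://127.0.0.1:446/something", "querystring"));
        Console.WriteLine(SafeLink("https://127.0.0.1:446/something", "querystring"));
    }
}
```

Failing closed on stray whitespace means a templating mistake like this one is caught when the email is generated rather than when a recipient's mail client rewrites the link.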