
"This function parses a URL and returns an associative array containing any of the various components of the URL that are present.

This function is not meant to validate the given URL, it only breaks it up into the above listed parts. Partial URLs are also accepted, parse_url() tries its best to parse them correctly."

http://au2.php.net/manual/en/function.parse-url.php

It seems like parse_url is not designed for filtering JavaScript. Since it came out on the front end, it seems that Facebook initially accepted the embedded JavaScript in the link.



In essence, Facebook was checking the "scheme" return value and blocking any URLs where the scheme was "javascript". By adding a space, the scheme ended up blank and the URL slipped through. Facebook has never allowed FBML apps to use javascript: URLs in links.
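The two comments above describe the same defect from both sides: parse_url() only splits a string, and a deny-list keyed on its "scheme" component is bypassed when a leading space stops parse_url() from recognising a scheme at all. The PHP below is an added illustration, not code from the thread or from Facebook: it reproduces the bypass against a deny-list check and contrasts it with an allow-list check that refuses whitespace and control characters up front and requires http or https on the raw string. The function names, the sample URLs and the exact character class rejected are assumptions made for the example.

```php
<?php
// Added example (not Facebook's code, not from the HN thread).
// parse_url() is a splitter, not a validator: a leading space makes it
// return no 'scheme' key, so a deny-list on the scheme lets the link through.

// The style of check described in the comments: block only when the
// parsed scheme is "javascript".
function is_blocked_by_denylist(string $url): bool {
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    return $scheme === 'javascript';
}

// Hardened replacement (assumed design, not Facebook's):
//  1. refuse any ASCII control character or space anywhere in the URL;
//     browsers strip leading C0/space characters before resolving a URL,
//     parse_url() does not, so the two disagree about " javascript:...";
//  2. require an explicit, allow-listed scheme on the raw string rather
//     than trusting whatever parse_url() did or did not find;
//  3. only then use parse_url() for its intended job, splitting the parts.
function is_allowed_link(string $url): bool {
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    if (!preg_match('#^https?://#i', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed sample inputs for the demonstration.
$samples = [
    'http://example.com/page',
    'javascript:alert(1)',
    ' javascript:alert(1)',      // the bypass described above
    "\tjavascript:alert(1)",     // same idea with a tab
    'JaVaScRiPt:alert(1)',
];

foreach ($samples as $u) {
    printf("%-28s denylist blocks: %-4s allowlist accepts: %s\n",
        json_encode($u),
        is_blocked_by_denylist($u) ? 'yes' : 'no',
        is_allowed_link($u) ? 'yes' : 'no');
}
```

Running this shows the deny-list stopping only the plain and mixed-case javascript: forms while letting the space- and tab-prefixed variants through (parse_url() returns them as a bare path), whereas the allow-list accepts only the http URL. The design point is that a filter should decide what is acceptable on the raw input before handing it to a lenient parser, instead of asking the parser to find the dangerous case for it.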



