It's only strange at first sight. If your site depends upon browser-specific features as the sole source of a security mechanism, it stands to reason that it will turn into pain for you.

This is another solid example of the lesson: if the user controls it, the input is malicious. Always.