firefox and ie do not do this, and it seems risky to do so.
From my testing, it looks like this bug is not valid. One thing I noticed is that Safari will try to load "java" as the URL, whereas other browsers will just out-right fail when given java\0script:foo. I guess they are being overly cautious due to the presence of the null byte.
(In reply to comment #2)