← Back to context

Comment by _micheee

6 days ago

Seems Like the recommendation changed from supporting ; and & to only using &.

Thinking about it, it is a little surprising as, if I remember correctly, in HTML source you should encode & as & right?

& as an escape character only applies to text nodes. Of course, if you want to display the URL on a page, you have to escape it, but not in the href.

  • I just found out you may - even in current HTML use entity references in attribute values, it’s just you don’t have to anymore, when the ampersand is not ambiguous.

    The spec states it as: “Attribute values are a mixture of text and character references, except with the additional restriction that the text cannot contain an ambiguous ampersand.”

    Whereas in the the days before HTML5 this has been mandatory.

    > HTML 4.01 Specification – Appendix B.2.2 “Ampersands in URI attribute values”

    https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2

    > Unfortunately, the use of the “&” character to separate form fields interacts with its use in SGML attribute values to delimit character entity references.

    • That's the same as main body text isn't it? And you have to be able to use them so you can escape " just like you have to escape < in main text.

      HTML5 standardized how to interpret formerly invalid documents because it was more important to be consistent than to be correct.

  • You're supposed to escape & anywhere in HTML, not just in text nodes. If you don't (and many don't) it'll probably work, but browser first tries to interpret it as a start of an entity anyway. Even if it is inside a href etc.

  • That is incorrect. Entities apply to attributes.

    In HTML escaping & is kind of optional and the browser just tries to figure out what you mean, but if you are doing things properly you should use &amp; in href attributes.