Comment by Sardtok
6 days ago
& as an escape character only applies to text nodes. Of course, if you want to display the URL on a page, you have to escape it, but not in the href.
6 days ago
& as an escape character only applies to text nodes. Of course, if you want to display the URL on a page, you have to escape it, but not in the href.
I just found out you may - even in current HTML use entity references in attribute values, it’s just you don’t have to anymore, when the ampersand is not ambiguous.
The spec states it as: “Attribute values are a mixture of text and character references, except with the additional restriction that the text cannot contain an ambiguous ampersand.”
Whereas in the the days before HTML5 this has been mandatory.
> HTML 4.01 Specification – Appendix B.2.2 “Ampersands in URI attribute values”
https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
> Unfortunately, the use of the “&” character to separate form fields interacts with its use in SGML attribute values to delimit character entity references.
That's the same as main body text isn't it? And you have to be able to use them so you can escape " just like you have to escape < in main text.
HTML5 standardized how to interpret formerly invalid documents because it was more important to be consistent than to be correct.
You're supposed to escape & anywhere in HTML, not just in text nodes. If you don't (and many don't) it'll probably work, but browser first tries to interpret it as a start of an entity anyway. Even if it is inside a href etc.
That is incorrect. Entities apply to attributes.
In HTML escaping & is kind of optional and the browser just tries to figure out what you mean, but if you are doing things properly you should use & in href attributes.