Hacker News

Sardtok yesterday at 8:58 PM

& as an escape character only applies to text nodes. Of course, if you want to display the URL on a page, you have to escape it, but not in the href.


Replies

_micheee yesterday at 9:23 PM

I just found out you may, even in current HTML, use entity references in attribute values; it’s just that you don’t have to anymore when the ampersand is not ambiguous.

The spec states it as: “Attribute values are a mixture of text and character references, except with the additional restriction that the text cannot contain an ambiguous ampersand.”

Whereas in the days before HTML5 this was mandatory.

> HTML 4.01 Specification – Appendix B.2.2 “Ampersands in URI attribute values”

https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2

> Unfortunately, the use of the “&” character to separate form fields interacts with its use in SGML attribute values to delimit character entity references.

bawolff yesterday at 9:41 PM

That is incorrect. Entities apply to attributes.

In HTML, escaping & is kind of optional and the browser just tries to figure out what you mean, but if you are doing things properly you should use `&amp;` in href attributes.

ShinyLeftPad yesterday at 9:14 PM

You're supposed to escape & anywhere in HTML, not just in text nodes. If you don't (and many don't) it'll probably work, but the browser first tries to interpret it as the start of an entity anyway, even if it is inside an href etc.
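
Added example, not part of any comment in the thread: a Python sketch of the case the replies describe, where an unescaped `&` in an href usually survives but a parameter name that begins with a legacy entity name does not. The URL and parameter names are constructed, and `html.unescape` is an assumed stand-in for the HTML parser's character-reference decoding (it applies the text rules, not the attribute-specific exceptions).

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit

BASE = "https://example.test/report"  # constructed sample URL


def href_forms(params):
    """Return (raw, escaped) source text for an href built from params."""
    url = BASE + "?" + urlencode(params)
    return url, html.escape(url, quote=True)


def decoded_query(attr_source):
    """Decode character references, then parse the query string.

    html.unescape stands in for the HTML parser here (assumption: it
    applies the text rules, not the attribute-specific exceptions).
    """
    url = html.unescape(attr_source)
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def compare(params):
    """Report what survives decoding for the raw and escaped forms."""
    raw, escaped = href_forms(params)
    return {
        "raw": raw,
        "escaped": escaped,
        "raw_ok": decoded_query(raw) == params,
        "escaped_ok": decoded_query(escaped) == params,
    }


if __name__ == "__main__":
    # Constructed parameter sets: the second one starts a name with "reg",
    # which matches the legacy entity name for U+00AE.
    for params in ({"a": "1", "b": "2"}, {"a": "1", "reg_id": "5"}):
        result = compare(params)
        print(result["raw"], "->", decoded_query(result["raw"]))
        print(result["escaped"], "->", decoded_query(result["escaped"]))
```

With the raw form, `reg_id` disappears as a separate parameter after decoding; the `&amp;` form round-trips for both inputs.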