Do I really need to encode ‘&’ as ‘&’?

by

Yes. Just as the error said, in HTML, attributes are #PCDATA meaning they’re parsed. This means you can use character entities in the attributes. Using & by itself is wrong and if not for lenient browsers and the fact that this is HTML not XHTML, would break the parsing. Just escape it as & and everything would be fine.

HTML5 allows you to leave it unescaped, but only when the data that follows does not look like a valid character reference. However, it’s better just to escape all instances of this symbol than worry about which ones should be and which ones don’t need to be.

Keep this point in mind; if you’re not escaping & to &, it’s bad enough for data that you create (where the code could very well be invalid), you might also not be escaping tag delimiters, which is a huge problem for user-submitted data, which could very well lead to HTML and script injection, cookie stealing and other exploits.

Please just escape your code. It will save you a lot of trouble in the future.

More Related Contents:

  1. Disable validation of HTML5 form elements
  2. How to check whether a file is valid UTF-8?
  3. Is there any benefit to adding accept-charset=”UTF-8″ to HTML forms, if the page is already in UTF-8?
  4. Disable validation of HTML form elements
  5. Decoding numeric html entities via PHP
  6. How to allow only numeric (0-9) in HTML inputbox using jQuery?
  7. Cross field validation with Hibernate Validator (JSR 303)
  8. What is the difference between utf8mb4 and utf8 charsets in MySQL?
  9. Convert Unicode to ASCII without errors in Python
  10. FPDF utf-8 encoding (HOW-TO)
  11. Google ReCAPTCHA how to make required?
  12. How can I transform string to UTF-8 in C#?
  13. What’s an appropriate HTTP status code to return by a REST API service for a validation failure?
  14. How do you do dynamic / dependent drop downs in Google Sheets?
  15. HTML5 validation when the input type is not “submit”
  16. UTF-8 charset doesn’t work with javax.mail
  17. Enable/Disable submit button if checkbox is checked/unchecked?
  18. How to fix double-encoded UTF8 characters (in an utf-8 table)
  19. How to remove non UTF-8 characters from text file
  20. Default character encoding for java console output
  21. UTF-8 encoding problem in Spring MVC
  22. HTML5 input pattern search for quote
  23. How to trigger args.validationFailed in PrimeFaces oncomplete
  24. Detect file encoding in PHP
  25. HTML5 validation before ajax submit
  26. How do I style the HTML form validation error messages with CSS?
  27. Bad value X-UA-Compatible for attribute http-equiv on element meta
  28. Replacing invalid UTF-8 characters by question marks, mbstring.substitute_character seems ignored
  29. How to highlight a part part of an Input text field in HTML using Javascript or JQuery
  30. Question mark characters display within text. Why is this?

Leave a Comment