Should src be HTML-escaped in script tags in HTML?


Given code like this:

<script src="http://example.com/?foo=1&amp;bar=2"></script>

Should the value of src be HTML-escaped as shown?

My experiments and research are showing ambiguous results.

Answer by Oriol (best answer):

Yes. When you have doubts you can use the W3C validator, which says & must be escaped into &amp; in this case.

Double-quoted attributes are parsed according to these rules. When a & is found,

Switch to the character reference in attribute value state, with the additional allowed character being U+0022 QUOTATION MARK (").

And the Character reference in attribute value state consists of

Attempt to consume a character reference.

If nothing is returned, append a U+0026 AMPERSAND character (&) to the current attribute's value.

Otherwise, append the returned character tokens to the current attribute's value.

Finally, switch back to the attribute value state that switched into this state.

Therefore, it would (probably) work too if you didn't escape &. However, it will produce a parse error during the consumption of the character reference:

If no match can be made, then no characters are consumed, and nothing is returned. In this case, if the characters after the U+0026 AMPERSAND character (&) consist of a sequence of one or more alphanumeric ASCII characters followed by a U+003B SEMICOLON character (;), then this is a parse error.

Note that you should escape it if you want to be safe:

Certain points in the parsing algorithm are said to be parse errors. The error handling for parse errors is well-defined (that's the processing rules described throughout this specification), but user agents, while parsing an HTML document, may abort the parser at the first parse error that they encounter for which they do not wish to apply the rules described in this specification.
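To make the two halves of the answer concrete, here is an added example (not part of the original post): a helper that builds the src attribute with & escaped as &amp;, and a small decoder that walks a double-quoted attribute value the way the quoted tokenizer rules do, keeping a bare & when nothing matches and flagging the "& + alphanumerics + ;" case the spec calls a parse error. It assumes Node.js and supports only a handful of named references (the real table has thousands) and no numeric references.

```javascript
// Assumption: a tiny subset of HTML's named character references.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build a <script src> tag: URL-encode each query value first,
// then HTML-escape the finished URL before placing it in the attribute.
function scriptTag(base, params) {
  const url = new URL(base);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return `<script src="${escapeAttr(url.href)}"></script>`;
}

// Decode a double-quoted attribute value following the answer's rules:
// on "&", attempt to consume a character reference; if nothing is
// returned, append a literal "&". Offsets of "&name;" sequences that
// match no reference are recorded, since the spec calls those parse errors.
function decodeAttrValue(raw) {
  let value = "";
  const parseErrors = [];
  for (let i = 0; i < raw.length; i++) {
    if (raw[i] !== "&") { value += raw[i]; continue; }
    const m = /^&([A-Za-z0-9]+);/.exec(raw.slice(i));
    if (m && m[1] in NAMED) {
      value += NAMED[m[1]];
      i += m[0].length - 1; // skip the consumed reference
      continue;
    }
    if (m) parseErrors.push(i); // looked like a reference, matched nothing
    value += "&"; // "&bar=2": no reference consumed, ampersand kept as-is
  }
  return { value, parseErrors };
}

module.exports = { escapeAttr, scriptTag, decodeAttrValue };
```

Running decodeAttrValue over "?foo=1&bar=2" and "?foo=1&amp;bar=2" yields the same string, which is why the unescaped form "probably works"; only the escaped form is guaranteed not to trip a parse error if a later parameter happens to be named like a character reference.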