Given code like this:
<script src="http://example.com/?foo=1&amp;bar=2"></script>
Should the value of src be HTML-escaped as shown?
My experiments and research are showing ambiguous results.
Yes. When you have doubts you can use the W3C validator, which says & must be escaped into &amp; in this case.

Double-quoted attributes are parsed according to these rules. When a & is found:

And the "Character reference in attribute value state" consists in:

Therefore, it would (probably) work too if you didn't escape &. However, it will produce a parse error during the consumption of the character reference:

Note that you should escape it if you want to be safe:
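To make the tokenizer behaviour the answer refers to concrete, here is an added example (not code from the question, the answer, or any browser) that models, in JavaScript, how the WHATWG HTML tokenizer handles a & inside a double-quoted attribute value: the longest-match lookup against the named character reference table, the historical rule that leaves `&copy=2` literal inside an attribute, the missing-semicolon and unknown-reference parse errors, and numeric references. The entity table is a small subset chosen for illustration (the real table has over two thousand names), and some numeric edge cases (the Windows-1252 remapping of control code points) are deliberately omitted; both are assumptions of this model, not of the spec. The last function is the escaping the answer recommends, so you can check that an escaped URL decodes back to itself with no parse errors.

```javascript
// Simplified model of the WHATWG HTML tokenizer's handling of "&" inside a
// quoted attribute value. Added example, not code from the original page.
// NAMED_REFS is a small subset of the real named character reference table
// (assumption for illustration). Names ending in ";" are the normal form;
// names without ";" are the legacy ones browsers still accept.
const NAMED_REFS = {
  "amp;": "&", "amp": "&",
  "lt;": "<", "lt": "<",
  "gt;": ">", "gt": ">",
  "quot;": "\"", "quot": "\"",
  "copy;": "\u00A9", "copy": "\u00A9",
  "reg;": "\u00AE", "reg": "\u00AE",
  "nbsp;": "\u00A0", "nbsp": "\u00A0",
  "hellip;": "\u2026",            // semicolon-only: "&hellip" alone never matches
};
const MAX_NAME = Math.max(...Object.keys(NAMED_REFS).map(k => k.length));
const isAlnum = ch => /^[0-9A-Za-z]$/.test(ch);

// Decode one attribute value the way the tokenizer would, returning the
// decoded text plus the parse errors the spec would report along the way.
function decodeAttributeValue(value) {
  let out = "";
  const errors = [];
  let i = 0;
  while (i < value.length) {
    if (value[i] !== "&") { out += value[i++]; continue; }
    const start = i;
    i++; // consume "&"
    if (value[i] === "#") {
      // Numeric character reference: "&#38;" or "&#x26;".
      i++;
      const hex = value[i] === "x" || value[i] === "X";
      if (hex) i++;
      const digitRe = hex ? /[0-9A-Fa-f]/ : /[0-9]/;
      let digits = "";
      while (i < value.length && digitRe.test(value[i])) digits += value[i++];
      if (digits === "") {
        errors.push(`absence-of-digits-in-numeric-character-reference at ${start}`);
        out += value.slice(start, i); // flush "&#" / "&#x" literally
        continue;
      }
      if (value[i] === ";") i++;
      else errors.push(`missing-semicolon-after-character-reference at ${start}`);
      let cp = parseInt(digits, hex ? 16 : 10);
      if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) {
        errors.push(`invalid numeric character reference at ${start}`);
        cp = 0xFFFD; // replacement character, as the spec prescribes
      }
      out += String.fromCodePoint(cp);
      continue;
    }
    if (!isAlnum(value[i] ?? "")) {
      out += "&"; // "&" followed by something that cannot start a reference
      continue;
    }
    // Named character reference: longest match against the table.
    let match = "";
    for (let len = Math.min(MAX_NAME, value.length - i); len > 0; len--) {
      const cand = value.slice(i, i + len);
      if (cand in NAMED_REFS) { match = cand; break; }
    }
    if (match === "") {
      // Ambiguous ampersand: text is kept literally; only "&name;" with an
      // unknown name is a parse error, so "&bar=2" passes silently.
      out += "&";
      while (i < value.length && isAlnum(value[i])) out += value[i++];
      if (value[i] === ";") errors.push(`unknown-named-character-reference at ${start}`);
      continue;
    }
    const next = value[i + match.length];
    if (!match.endsWith(";") && (next === "=" || isAlnum(next ?? ""))) {
      // Historical rule for attributes: "&copy=3" stays literal, no replacement.
      out += "&" + match;
      i += match.length;
      continue;
    }
    if (!match.endsWith(";")) errors.push(`missing-semicolon-after-character-reference at ${start}`);
    out += NAMED_REFS[match];
    i += match.length;
  }
  return { decoded: out, errors };
}

// What the answer recommends: escape "&" (and the quote delimiter) before
// placing a URL in a double-quoted attribute, so the tokenizer has nothing to guess.
function escapeForDoubleQuotedAttribute(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}
```

Feeding `http://example.com/?foo=1&bar=2` through `decodeAttributeValue` returns the URL unchanged with no parse error, which is why the unescaped form "works"; change the parameter name to `copy` and the historical rule is what saves it, while `&copy 2` or `&copy` at the end of the value is silently rewritten to ©. Escaping with `escapeForDoubleQuotedAttribute` removes that dependence on the parameter names.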