Can I use unencoded ampersands (&) in html? [duplicate]
-
17-06-2021 - |
Question
I'm building a website where I have to work with less then perfect masterdata (I guess I'm not the only one :-))
In my case I have to render an xml filte to html (using xsl). Sometimes the masterdata is using html-enitites allready (eg ;é
in french words) so there I have to use 'disable-output-escaping='yes') there in order to avoid double encoding.
The easiest solution is disable output escaping all together, so I never run the risk of a double encoding.
The only characters that misses encoding for this masterdata are the ampersands. But when I parse them 'raw' (so rather & than &
all browsers seem to be ok with it.
So the question : what are the consequenses of using not encoded ampersands in html?
Solution
AFAIK bare ampersands are illegal in HTML. With that out of the way, let's look at the consequences:
- You are now relying on the browser's capabilities to detect and gracefully recover from the problem. Note that in order to do this, the browser has to guess:
&
is "clearly" an ampersand followed by a space, and©
is clearly the copyright symbol. But what about the text fragmentedit©
? The browser I 'm using right now mangles it. - If you are using XHTML, or if the content is ever going to be inserted into an XML document, the result will be a hard parser error.
Since it's more difficult to detect and account for these cases manually than it is to replace all ampersands that are not part of entities (say with a regex), you should really do the latter.
OTHER TIPS
It depends
The best research I have seen on this topic can be found here
In HTML5 you should escape all of the ampersands that do not fall in the categories below:
An ambiguous ampersand is a U+0026 AMPERSAND character (&) that is followed by one or more characters in the range U+0030 DIGIT ZERO (0) to U+0039 DIGIT NINE (9), U+0061 LATIN SMALL LETTER A to U+007A LATIN SMALL LETTER Z, and U+0041 LATIN CAPITAL LETTER A to U+005A LATIN CAPITAL LETTER Z, followed by a U+003B SEMICOLON character (;), where these characters do not match any of the names given in the named character references section.
See Do I really need to encode '&' as '&'?
To summarize: Yes you can, but strictly speaking it is not legal (except in HTML5 where it is legal as long as it doesn't "look like" a character entity).