9

I have been using slim, and suddenly noticed that it escapes everything by default. So the anchor tag looks something like this:

```
<a href="&#47;users&#47;lyann&#47;followers">
<img class="user-image" src="http:&#47;&#47;adasdasdasd.cloudfront.net&#47;users&#47;2011&#47;05&#47;24&#47;4asdasd&#47;asdasd.jpg" />
```

Is it okay for the href and src attributes to be escaped like this? Are there any other implications? All browsers seem to render it without a problem, though.

Gaurav Shah
  • 1
    The specific form of escaping here is [Character (aka HTML) entities](http://en.wikipedia.org/wiki/Character_entity_reference). This differs from, say, URI escaping. –  Sep 16 '12 at 05:39

1 Answer

7

Yes, it's perfectly fine. Character references are valid inside attributes, too, and will be treated as character references just the same.

For reference, see:

  • 1
    There are exceptions for [elements containing CDATA](http://stackoverflow.com/questions/4227895/html-entities-inside-script-tag-not-converted). Also I do not know the rules for entities occurring outside of text nodes and outside of attribute nodes (but still "inside or outside of attributes" which means "everywhere" because it is a tautology). E.g. can the quotes of an attribute be HTML-entity encoded? –  Sep 16 '12 at 05:44
  • @pst: No, that's not what I meant. I'll rephrase if you like. –  Sep 16 '12 at 14:01
  • @GauravShah: I added some references to the HTML5 specification. –  Sep 16 '12 at 14:05
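
The points raised in the answer and its comments can be checked with Python's standard-library `html.parser`. This is an added example, not part of the original question or answer, and the sample markup is constructed from the question's path. It shows that character references are decoded inside attribute values, that percent-encoding is left untouched by the HTML layer, that entity-encoded quotes become part of the value instead of delimiting it, and that `<script>` content is not decoded.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample based on the question's path; not taken from a real page.
SAMPLE = (
    '<a href="&#47;users&#47;lyann&#47;followers">entity-escaped</a>'
    '<a href="%2Fusers%2Flyann%2Ffollowers">percent-encoded</a>'
    '<a href=&quot;&#47;x&quot;>entity-encoded quotes</a>'
    "<script>var p = '&#47;users';</script>"
)


class Collector(HTMLParser):
    """Records href values and raw <script> text as the HTML parser sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []
        self.script_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        self.hrefs += [value for name, value in attrs if name == "href"]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chunks.append(data)


def analyse(markup):
    parser = Collector()
    parser.feed(markup)
    parser.close()
    return {
        "hrefs": parser.hrefs,
        # Percent-decoding is a separate URL-layer step the HTML parser never does.
        "url_decoded": [unquote(h) for h in parser.hrefs],
        "script": "".join(parser.script_chunks),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, "=>", value)
```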