I have always been very confused with URL/HTML escaping. More recently I looked deeper into it. Then, looking at the PHP docs for urlencode:

```php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
```

I then realized that there's a `&` in most query strings that seems like it should be escaped. But it seems to work without escaping. I wonder why, and if it's actually required.
Escaping `&` into `&amp;` is required in HTML, but it works in most browsers anyway. If it wouldn't, 90% of the Internet would break. 🙂 It still is good style to escape ampersands, and it is required for the document to pass validation. See this W3C document for some good background why (the text focuses on a specific behaviour of PHP, but that doesn't really matter): Ampersands, PHP Sessions and Valid HTML. Money quote (emphasis mine):
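The two layers the question and answer are talking about, as an added example that is not part of the question or the answer above: `urlencode` protects the individual parameter values so a `&`, `=` or quote inside a value cannot split the query string, and `htmlspecialchars` protects the finished URL when it is dropped into an `href` attribute, which is where the `&` between pairs becomes `&amp;`. The helper names `build_query` and `link_html` and the sample values are constructed for this example.

```php
<?php
// Added example (not from the question or the answer): two escaping layers
// for a link built from untrusted values. Sample values are constructed.
declare(strict_types=1);

// Layer 1: URL-encode each parameter name and value so that '&', '=', spaces
// and quotes inside a value cannot split or terminate the query string.
// (PHP's built-in http_build_query() does the same job for a whole array.)
function build_query(array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = urlencode((string) $name) . '=' . urlencode((string) $value);
    }
    // The '&' placed between pairs is a URL delimiter, so it must NOT be
    // URL-encoded here; it only needs HTML-escaping once inside markup.
    return implode('&', $pairs);
}

// Layer 2: HTML-escape the whole URL when it is placed inside an attribute.
// ENT_QUOTES also escapes '"' and "'" so a value cannot close the attribute
// and inject further attributes or tags.
function link_html(string $base, array $params): string
{
    $url = $base . '?' . build_query($params);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}

// Constructed sample values: one contains an '&', one contains double quotes.
$foo = 'fish & chips';
$bar = 'say "hi"';

echo build_query(['foo' => $foo, 'bar' => $bar]), "\n";
echo link_html('mycgi', ['foo' => $foo, 'bar' => $bar]), "\n";
```

Running this shows the difference between the two ampersands: the one inside the value of `foo` is URL-encoded to `%26` by the first layer and survives the second layer untouched, while the one separating `foo` from `bar` stays a literal `&` in the query string and is turned into `&amp;` only when the URL is written into the attribute. Skipping layer 1 would let `fish & chips` be read by the server as a parameter `foo=fish ` plus a stray ` chips` parameter; skipping layer 2 produces the non-validating markup the answer describes, and with `htmlentities` replaced by nothing at all, a quote in a value could end the `href` attribute early.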