Do I encode ampersands in <a href...>?

Question

I'm writing code that automatically generates HTML, and I want it to encode things properly.

Say I'm generating a link to the following URL:

http://www.google.com/search?rls=en&q=stack+overflow

I'm assuming that all attribute values should be HTML-encoded. (Please correct me if I'm wrong.) So that means if I'm putting the above URL into an anchor tag, I should encode the ampersand as &, like this:

<a href="http://www.google.com/search?rls=en&amp;amp;q=stack+overflow"&gt;

Is that correct?

Answer 1

Yes, it is. HTML entities are parsed inside HTML attributes, and a stray & would create an ambiguity. That's why you should always write & instead of just & inside all HTML attributes.

That said, only & and quotes need to be encoded. If you have special characters like é in you URL, you don't need to encode those. Though, whitespaces are forbidden in URL, and should be URL-encoded as %20.

Answer 2

Yes, that is correct.