why does "&" display differently when alerted from a button and from a function
Oct 13th, 2003 01:47
Mister Sokrates, Russ Locke,
I'm really just looking for some clarity here. I've solved my problem
but it doesn't make sense why this is happening in the first place.
Here is an example of what I'm seeing:
<html>
<head>
<script language="javascript">
function testit() {
  alert("testit~&~&");
}
</script>
</head>
<body>
<button onclick="alert('testit~&~&');">test in button</button>
<button onclick="testit();">test in function</button>
</body>
</html>
-------------------------
The alert from within the button will display "testit~&~&"
The alert from within the function will display "testit~&~&"
-------------------------
From what I can test, this is true for browser versions IE 5.0+ and NS 6+.
###############################
OK, let's bring some clarity here.
Everything ('bad' chars) INSIDE HTML params, in this case the onclick event
handler code, should be "HTML escaped", so actually this:
<button onclick="alert('testit~&~&');"....
is an illegal piece of code.
It should be:
<button onclick="alert('testit~&~&');"....
or even ...
<button onclick="alert('testit~&~&');"....
It depends on how you wanted to show it.
This kind of _illegal_ behaviour has been _widely_ practised.
Actually, URLs should also be escaped, i.e.
<a href="http://site.com/index.php?show&news">News</a>
is wrong, and the correct form is
<a href="http://site.com/index.php?show&news">News</a>
Read more at http://www.w3.org/TR/html4/appendix/notes.html
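
The behaviour discussed above, as an added example that is not part of the original posts: a Node.js model of the two contexts, with a weak and a correct way to encode a value for a handler attribute. decodeAttr() is a simplified stand-in for the HTML parser's character reference decoding; all function names and sample strings are constructed for illustration.

```javascript
// Added example (not from the thread). Node.js, no browser needed.
// decodeAttr() is a simplified stand-in for the HTML parser's character
// reference decoding of attribute values: five named references plus numeric.
const NAMED = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"]]);

function decodeAttr(raw) {
  return raw.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-z]+);/g, (whole, ref) => {
    if (ref[0] !== "#") return NAMED.has(ref) ? NAMED.get(ref) : whole;
    const hex = ref[1] === "x" || ref[1] === "X";
    const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// Source text the JavaScript engine receives: an event-handler attribute is
// entity-decoded by the HTML parser first, a <script> body is passed as-is.
function engineSource(context, markup) {
  return context === "attribute" ? decodeAttr(markup) : markup;
}

// Run the handler with a stub alert() and return the string it would display.
function alerted(context, markup) {
  let shown;
  new Function("alert", engineSource(context, markup))((msg) => { shown = msg; });
  return shown;
}

// Numeric references for the characters that are special in HTML.
function htmlEscape(text) {
  return text.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Weak: HTML-escapes the value only, so the decoded apostrophe ends the JS string.
function htmlOnlyHandler(value) {
  return `alert('${htmlEscape(value)}');`;
}

// Correct order: build a JS string literal first, then HTML-escape the handler.
function handlerAttr(value) {
  return htmlEscape(`alert(${JSON.stringify(value)});`);
}

// Constructed sample values.
console.log(alerted("attribute", "alert('testit~&amp;~&');"));
console.log(alerted("script", 'alert("testit~&amp;~&");'));
console.log(handlerAttr("O'Reilly & Sons"));
```

The same string is shown differently because only the attribute value passes through the HTML decoding step before the script engine parses it.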