Closed aysiscore closed 2 years ago
Escaping entities produces correct HTML and no problems when rendering. You could submit a PR to optionally only escape &
when it could be mistaken for an entity reference (note there are many ways those can be formed), or just use a separate tool to replace those in the conditions you deem safe after using sanitize-html. But it's not a bug.
(The HTML5 spec encourages always escaping & for avoidance of confusion.)
If I run sanitize-html on input from a text field containing a string like "Porsche & Ferrari", the ampersand is getting encoded as "&amp;", making the string "Porsche &amp; Ferrari". How can this be prevented so that the encoding does not take place?