Attribute values should be escaped when generating HTML. These values can contain embedded quotes, which would break the generated HTML code or at worst allow for XSS attacks.
Note, the implementation here only escapes included HTML code. Attributes can also include JavaScript, and the escaping method here would not guard against malicious JavaScript injected into attributes. This may fall outside of the responsibilities of this library though.
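The distinction drawn above, as an added example that is not code from this change or from the library: HTML-escaping keeps a value inside its quoted attribute, but a value the browser interprets as script passes through unchanged and needs a separate policy check. Python's standard `html.escape` stands in for the library's escaping routine; `render_attr`, `is_script_bearing`, the attribute list and the scheme allow-list are hypothetical names and assumed policy.

```python
import html
import re

# Assumed policy for this example (not taken from the library).
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def render_attr(name, value):
    """Serialize one attribute, HTML-escaping the value (quotes included)."""
    return '%s="%s"' % (name, html.escape(str(value), quote=True))


def is_script_bearing(name, value):
    """True if the browser would treat this attribute's value as script.

    Escaping cannot help here: the value is well-formed HTML, the risk
    lies in how the attribute is interpreted.
    """
    name = name.lower()
    if name.startswith("on"):  # event handlers: onclick, onerror, ...
        return True
    if name in URL_ATTRS:
        # Browsers drop tab/CR/LF inside URLs and leading control chars/spaces.
        cleaned = re.sub(r"[\t\r\n]", "", str(value)).lstrip(_C0_AND_SPACE)
        match = _SCHEME.match(cleaned)
        if match is None:  # no scheme: relative URL
            return False
        return match.group(1).lower() not in SAFE_SCHEMES
    return False


if __name__ == "__main__":
    # Constructed sample values.
    samples = [
        ("title", 'x" data-injected="1'),   # quote breakout: fixed by escaping
        ("href", "javascript:alert(1)"),    # untouched by escaping
        ("href", " Java\tScript:void(0)"),  # obfuscated scheme
        ("href", "/docs/page.html"),
        ("onclick", "doThing()"),
    ]
    for name, value in samples:
        print(render_attr(name, value), "| script-bearing:",
              is_script_bearing(name, value))
```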