On Tue, Apr 15, 2003 at 06:56:23PM +0200, Frank Lichtenheld wrote:
> On Tue, Apr 15, 2003 at 05:53:47PM +0200, Josip Rodin wrote:
> > On Tue, Apr 15, 2003 at 04:39:23PM +0200, Denis Barbier wrote:
> > > No, within plain text one writes http://foo.org/?a=1&b=2, escaping is only
> > > performed for some other formats (SGML and co).
> > > So unless descriptions are going to be considered as HTML text, this fix
> > > is meaningful.
> >
> > Sorry but "don't do that" won't work if someone files a bug about it.
> > I much prefer to cover the corner cases now over covering them later.
>
> I think the solution presented by Andrew Shugg in #186740 is the
> right way to go.

Nope, ampersands must be escaped, period. Example:
  Description: escape HTML special characters in plain text
   EscapeHTML converts all &, < and > characters into &amp;, &lt; and &gt;.
There is no case where they must not be escaped.

Denis
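
The two cases from this thread, as an added example that is not part of the original message or of the code being discussed: a hypothetical `render_description` escapes a plain-text description for HTML output, and an HTML parser confirms that the reader sees the original text only when every ampersand is escaped. The function names, the URL regex and the sample strings are assumptions made for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: the URL and the Description quoted in the thread.
URL_DESCRIPTION = "Homepage: http://foo.org/?a=1&b=2"
ENTITY_DESCRIPTION = ("EscapeHTML converts all &, < and > characters "
                      "into &amp;, &lt; and &gt;.")

URL_RE = re.compile(r"https?://[^\s<>\"]+")  # simplistic matcher (assumption)

def render_description(text):
    """Turn a plain-text description into HTML, escaping all of it."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=False))
        url = m.group(0)
        # The URL lands in two HTML contexts, an attribute value and the
        # link text; each copy is escaped for its own context.
        out.append('<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                             html.escape(url, quote=False)))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=False))
    return "".join(out)

class _Collector(HTMLParser):
    """Collects the visible text and href values, as a browser decodes them."""
    def __init__(self):
        super().__init__()
        self.text, self.hrefs = [], []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [value for name, value in attrs if name == "href"]
    def handle_data(self, data):
        self.text.append(data)

def displayed(markup):
    """Return (visible text, list of link targets) for a piece of HTML."""
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    return "".join(parser.text), parser.hrefs

if __name__ == "__main__":
    for sample in (URL_DESCRIPTION, ENTITY_DESCRIPTION):
        print("escaped  :", displayed(render_description(sample)))
        print("unescaped:", displayed(sample))
```

Emitting the second description without escaping makes the parser decode `&amp;` back to `&`, so the displayed sentence no longer says what the package author wrote.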