HTMLSanitizer: href attr ampersands incorrectly sanitized

[nicholasserra]

Hello. Not sure if my implementation is incorrect or if I found a bug, but i've noticed that ampersands within anchor href attributes are being converted to &, their html special characters equivalent.

Here is how i'm sanitizing:

def escape_text(self, text):
    """Use html5lib to escape evil html tags."""

    parser = html5lib.HTMLParser(tokenizer=HTMLSanitizer)
    walker = html5lib.treewalkers.getTreeWalker('etree')
    stream = walker(parser.parseFragment(text))
    serializer = HTMLSerializer(quote_attr_values=True, omit_optional_tags=False,
                                    alphabetical_attributes=True)

    return serializer.render(stream)

Input: <p><a class="linked-url" target="_blank" href="https://sprint.ly/?one=1&two=2">https://sprint.ly/?one=1&two=2</a></p>

Output: <p><a class="linked-url" href="https://sprint.ly/?one=1&amp;two=2" target="_blank">https://sprint.ly/?one=1&amp;two=2</a></p>

thanks!

[nicholasserra]

Got some more info via IRC that this isn't really an issue since the browser will parse the html special characters correctly, but it still seems odd that any URL attrs are sanitized.

[nicholasserra]

Closing as this is probably a wontfix. Still curious about opinions from the authors if anyone wants to chime in.

[gsnedders]

"Ambiguous ampersands" as the spec calls them are a bit annoying, as it means that new entities being introduced an change the semantics of existing code. It doesn't really hurt to go for the unambiguous option of escaping the ampersand.