Overzealous character escaping most likely. It’s to prevent certain types of exploits when displaying user submitted content as users could post, for example, javascript code that would then run on the page. By “escaping” certain characters it prevents this. For example by changing & to & it will instruct the browser to change it from a literal ampersand to a display ampersand. The problem then comes when some container elements don’t use these display ampersands and just display the literal code. I’m sorry I couldn’t explain it better.
You can see exactly what I mean if you reply to this comment and type & then type it again but inside of a code block (inside of two backticks `)
Yep exactly. So when a user submits, for example, a literal ampersand (&) it will actually save that content as the phrase & and then display it as an ampersand just like normal. It does this because if it instead saved and tried to display the literal ampersand you could technically inject code directly into the page instead of displaying it. If you right-click view source on a website you will see what is meant by the content being injected into the page rather than displaying it.
It does this for a number of “special” characters that people use to code the page but they also have the dual purpose of sometimes needing to be displayed so there is a way to “escape” out of the code format.
The problem is that some “containers” don’t follow the process of taking & and converting it to a & for display and instead literally display the text &. One example of this where it’s correct is the same code block you just used! An incorrect example is in Boost when it displays the post title.
Hopefully that completely explains why it’s happening even though it is technically a bug.
Overzealous character escaping most likely. It’s to prevent certain types of exploits when displaying user submitted content as users could post, for example, javascript code that would then run on the page. By “escaping” certain characters it prevents this. For example by changing & to
&
it will instruct the browser to change it from a literal ampersand to a display ampersand. The problem then comes when some container elements don’t use these display ampersands and just display the literal code. I’m sorry I couldn’t explain it better.You can see exactly what I mean if you reply to this comment and type
&
then type it again but inside of a code block (inside of two backticks `)Well that was cool
Yep exactly. So when a user submits, for example, a literal ampersand (&) it will actually save that content as the phrase
&
and then display it as an ampersand just like normal. It does this because if it instead saved and tried to display the literal ampersand you could technically inject code directly into the page instead of displaying it. If you right-click view source on a website you will see what is meant by the content being injected into the page rather than displaying it.It does this for a number of “special” characters that people use to code the page but they also have the dual purpose of sometimes needing to be displayed so there is a way to “escape” out of the code format.
The problem is that some “containers” don’t follow the process of taking
&
and converting it to a & for display and instead literally display the text&
. One example of this where it’s correct is the same code block you just used! An incorrect example is in Boost when it displays the post title.Hopefully that completely explains why it’s happening even though it is technically a bug.
&
&