logoalt Hacker News

ShinyLeftPadyesterday at 9:14 PM0 repliesview on HN

You're supposed to escape & anywhere in HTML, not just in text nodes. If you don't (and many don't) it'll probably work, but browser first tries to interpret it as a start of an entity anyway. Even if it is inside a href etc.