I\'m using an \'&\' symbol with HTML5 and UTF-8 in my site\'s </code>. Google shows the ampersand fine on its SERPs, as do all the browse
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<ins class="adsbygoogle"
style="display:block"
data-ad-client="ca-pub-5408099190056760"
data-ad-slot="7305827575"
data-ad-format="auto"
data-full-width-responsive="true"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script> </div>
</div>
<div class="fly-panel detail-box" id="flyReply">
<fieldset class="layui-elem-field layui-field-title" style="text-align: center;">
<legend>15条回答</legend> </fieldset>
<ul class="jieda" id="jieda">
<li data-id="111" class="jieda-daan">
<a name="item-1111111111"></a>
<div class="detail-about detail-about-reply">
<a class="fly-avatar" href="">
<img src="https://www.e-learn.cn/qa/data/avatar/000/00/01/small_000000128.jpg" alt=" 伪装坚强ぢ ">
</a>
<div class="fly-detail-user">
<a href="" class="fly-link">
<cite> 伪装坚强ぢ</cite>
</a>
<span>(楼主)</span>
</div> <div class="detail-hits">
<span>2020-11-22 15:51</span>
</div>
</div>
<div class="detail-body jieda-body photos">
<p>
<p><strong>If</strong> you're really talking about the static text</p>
<pre><code><title>Foo & Bar
stored in some file on the hard disk and served directly by a server, then yes: it probably doesn't need to be escaped.
However, since there is very little HTML content nowadays that's completely static, I'll add the following disclaimer that assumes that the HTML content is generated from some other source (database content, user input, web service call result, legacy API result, ...):
If you don't escape a simple &, then chances are you also don't escape a & or a or
