It will escape the ampersands in the URL if the response content type is XHTML,
otherwise, it will leave them as is, which is, as far as I can tell, perfectly
acceptable.

Okay, this may be my understanding, but if I go to...

http://validator.w3.org/#validate_by_input

...and enter...

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Foo</title></head>
<body>
<a href="foo?bar=baz&abc=def">Foo</a>
</body>
</html>

...then I get errors (note the DOCTYPE is HTML, not XHTML). But if I escape the
ampersand then W3C validator is happy.

So this would seem to suggest unescaped ampersands are not valid HTML?

Well the initial gripe about the unescaped ampersand is a warning.

We can look into changing the renderers to make the validator happy.

As I said, if you want to do that now, use XHTML transitional for your response
content type.

Okay, so how do I set my response content type to XHTML? My JSP page contains
an XHTML DOCTYPE and an XHTML Content-Type meta tag. Do I have to set it on the
HttpResponse itself using a Filter or something?

I tried...

<context-param>
<param-name>com.sun.faces.preferXHTML</param-name>
<param-value>true</param-value>
</context-param>

...but I still get an unescaped ampersand.

Using JSP you can set the content type by specifying the contentType attribute
on a page directive. Not elegant as you have to do that for every page.

So it sounds like setting the content type in a Filter is probably the easiest
solution.

Just to clarify the 'com.sun.faces.preferXHTML' option. That's there for
processing the accept header. Specifically when HTML and XHTML are weighted the
same. When the config option is true, we'll give preference to XHTML.

Well, given how inelegant it is to work around this problem, could I request
the fix be applied to the 1.2 branch?

Your comment that 'the unescaped ampersand is only a warning' seems a bit
disingenuous. It is invalid HTML, as per the spec:

http://www.w3.org/TR/html401/charset.html#h-5.3.2

...where is says...

"Authors should also use "&" in attribute values since character references
are allowed within CDATA attribute values"

>Well, given how inelegant it is to work around this problem, could I request
>the fix be applied to the 1.2 branch?

I previously stated that we'd look into it.

>Your comment that 'the unescaped ampersand is only a warning' seems a bit
>disingenuous. It is invalid HTML, as per the spec:

It wasn't at all. The validator said it was a warning. A warning is not an
error.

> http://www.w3.org/TR/html401/charset.html#h-5.3.2
>
>...where is says...
>
>"Authors should also use "&" in attribute values since character
>references are allowed within CDATA attribute values"

'should' is not 'must'.

That said, I think this section is probably more relevant:

http://www.w3.org/TR/html4/appendix/notes.html#ampersands-in-uris

> I previously stated that we'd look into it.

Great, thanks.

> That said, I think this section is probably more relevant

Agreed. And, in fact, in that section it really does say 'must', not 'should':

"For example, to use the URI "http://host/?x=1&y=2" as a linking URI, it must
be written ... <A href="http://host/?x=1&y=2">"

Look forward to your decision regarding 1.2/2.0. Thanks for your time and all
your hard work.

Assigned.

Created an attachment (id=710)
Proposed Changes (ver. 1)

Awesome. Thanks guys.

Richard.

Changes applied to 1.2 and 2.0.

Closing issue out