Inconsistent HTML escaping of `&` in head — `&` in attributes vs `&` in text nodes

[jsparkdev]

Astro Info

Astro                    v6.3.1
Node                     v24.15.0
System                   Linux (x64)
Package Manager          pnpm
Output                   static
Adapter                  none
Integrations             @astrojs/mdx
                         @astrojs/sitemap

If this issue only occurs in one browser, which browser is a problem?

All browsers

Describe the Bug

When rendering HTML <head> elements, the & character is escaped inconsistently depending on where it appears:

• In text nodes (e.g. <title>{title}</title>), & is escaped to & via the html-escaper library (escapeHTML).
• In attribute values (e.g. <meta name="..." content={title} />), & is escaped to & via the internal toAttributeString() function in packages/astro/src/runtime/server/render/util.ts.

Both & and & are equivalent per the HTML spec, but mixing them produces inconsistent raw HTML output. This is visible when inspecting the page source or fetching it via curl -sL.

Root cause:
The toAttributeString function uses a manual regex replacement (& → &, " → ") instead of delegating to the same escapeHTML function used for text nodes.

// packages/astro/src/runtime/server/render/util.ts
export const toAttributeString = (value: any, shouldEscape = true) =>
    shouldEscape
        ? String(value).replace(AMPERSAND_REGEX, '&').replace(DOUBLE_QUOTE_REGEX, '"')
        : value;

What's the expected result?

The & character should be consistently escaped as & across both text nodes and attribute values in the rendered HTML output.

Suggested fix in packages/astro/src/runtime/server/render/util.ts:

export const toAttributeString = (value: any, shouldEscape = true) =>
    shouldEscape
        ? String(value).replace(AMPERSAND_REGEX, '&').replace(DOUBLE_QUOTE_REGEX, '"')
        : value;

Link to Minimal Reproducible Example

1. Create any Astro page that passes a string containing & to both <title>{title}</title> and <meta content={title} />.
2. Run curl -sL http://localhost:4321 and inspect the <head> output.
3. Observe that <title> contains & while <meta content> contains &.

Participation

• I am willing to submit a pull request for this issue.

[astrobot-houston]

• Reproduced: Yes — confirmed in both astro build and astro dev on v6.3.1.
• Exploration: Yes — View branch
• Priority: P2: nice to have. This is a cosmetic inconsistency in raw HTML output only — both & and & are semantically equivalent per the HTML spec. Browsers render them identically. It primarily affects users who inspect or snapshot-test raw page source.

The root cause is that two independent escaping code paths use different entity representations: text nodes go through html-escaper (which produces &), while dynamic attribute values go through toAttributeString() in packages/astro/src/runtime/server/render/util.ts (which produces &). The numeric references were an incidental choice from when toAttributeString was first written in 2021 — there's no comment or documented rationale for preferring them over named entities.

I found a potential fix for this issue. The fix updates toAttributeString to use &/" instead of &/", aligning attribute escaping with the html-escaper library used for text nodes. It's a one-line source change plus test updates, and all 2522 unit tests pass.

Full Triage Report

Reproduction

Reproduced using a minimal Astro page that passes a &-containing string to both a text node and an attribute:

---
const title = "Tom & Jerry";
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>{title}</title>
    <meta name="description" content={title} />
  </head>
  <body>
    <h1>{title}</h1>
  </body>
</html>

Build output:

<title>Tom &amp; Jerry</title>
<meta name="description" content="Tom &#38; Jerry">

Root Cause

Two separate escaping functions produce different entity formats:

1. Text nodes use escapeHTML (from html-escaper) → & becomes &
2. Attribute values use toAttributeString() in packages/astro/src/runtime/server/render/util.ts:24-27 → & becomes &

The toAttributeString function was introduced in commit 7eaabbb0e1 ("Markdown bug bash! #1789", Nov 2021) as a quick utility. The choice of numeric character references (&, ") was incidental — no comment, PR discussion, or design rationale explains it. Later commits only optimized the regex or hardened the escaping, without addressing the inconsistency with html-escaper.

Fix

Changed toAttributeString to use named entities consistent with html-escaper:

 export const toAttributeString = (value: any, shouldEscape = true) =>
 	shouldEscape
-		? String(value).replace(AMPERSAND_REGEX, '&').replace(DOUBLE_QUOTE_REGEX, '"')
+		? String(value).replace(AMPERSAND_REGEX, '&').replace(DOUBLE_QUOTE_REGEX, '"')
 		: value;

Updated 4 test files to match the new entity format. Full unit test suite (2522 tests) passes with 0 failures.

After fix:

<title>Tom &amp; Jerry</title>
<meta name="description" content="Tom &amp; Jerry">

This report was made by an LLM. The analysis may be wrong, and the potential fix might not work, but is intended as a starting point for exploring the issue.