Scenario:
I would like to replace: " ' < > with &quot; &#039; &lt; &gt; but keep the "&" character.
The string I'm dealing with is a URL and I want URL parameters to be separated by &, not &amp;.
Example Solution:
$url = "/some/path?a=123&b=456"; // from $_SERVER["REQUEST_URI"];
$url = htmlspecialchars($url, ENT_QUOTES, 'ISO-8859-1', true);
$url = str_replace('&amp;', '&', $url); // turn the escaped separator back into a bare &
Question:
If I use $url on my page (e.g. echo $url; inside HTML or JavaScript) can this be exploited by XSS?
Similar Questions:
There are other posts on SO covering XSS & htmlspecialchars() but I can't find an answer around whether the "&" character (and the htmlentities it may allow) can expose you to XSS.
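An added example, not code from the question, that puts the "keep &" step next to leaving htmlspecialchars() output untouched and checks what a browser ends up seeing in each case; the sample URLs are constructed.

```php
<?php
// Added example (not from the question): compare the "keep &" approach with
// leaving htmlspecialchars() output untouched. Sample URLs below are constructed.

function escapeKeepAmp(string $url): string
{
    // The question's approach: escape, then turn &amp; back into a bare &.
    $out = htmlspecialchars($url, ENT_QUOTES, 'ISO-8859-1', true);
    return str_replace('&amp;', '&', $out);
}

function escapeForHtml(string $url): string
{
    // Keep &amp;: the browser decodes it back to & when it parses the attribute
    // or text node, so ?a=1&b=2 still reaches the server with a real separator.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8', true);
}

// Constructed inputs: a plain URL, and one that already contains an entity
// sequence (e.g. a link copied out of HTML source).
$samples = [
    '/some/path?a=123&b=456',
    '/some/path?a=1&amp;b=2',
];

foreach ($samples as $url) {
    $kept = escapeKeepAmp($url);
    $safe = escapeForHtml($url);

    // Neither variant leaves a raw < > " ' that could close a tag or a quoted
    // attribute; strpbrk() returns false when none of those bytes is present.
    $noBreakout = strpbrk($kept, "<>\"'") === false;

    // html_entity_decode() stands in for the browser's entity parsing, to show
    // what the page actually ends up with in each case.
    printf("input     : %s\n", $url);
    printf("keep &    : %s -> browser sees %s\n", $kept, html_entity_decode($kept, ENT_QUOTES, 'UTF-8'));
    printf("untouched : %s -> browser sees %s\n", $safe, html_entity_decode($safe, ENT_QUOTES, 'UTF-8'));
    printf("raw <>\"' left after revert: %s\n\n", $noBreakout ? 'none' : 'yes');
}
```

The revert does not reopen a tag or attribute context, but it stops the output from being a faithful encoding of the input: for the second sample the browser decodes the URL's literal "&amp;" to "&", while the untouched output round-trips exactly. Leaving &amp; in place avoids that and still produces a working query string.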