element, we can observe that the setInnerHTML() implementation itself does not present any problems. Its only job is to assign a property value on the underlying JS object; no parsing happens there. This can be verified by inspecting the source code of Element:
public final native void setInnerHTML(String html) /*-{
this.innerHTML = html || '';
}-*/;
The issue arises in the browser, which obediently follows the rules on Character Entity References in the HTML Document Representation specification and decodes entities contained within attribute values. Such entities are permitted there, so they get parsed, whereas a simple string comparison on the server or in the client code never sees the decoded character.
According to the specification:
Authors should also use "&amp;" in attribute values since character references are allowed within CDATA attribute values.
To resolve this, one should escape all special characters found within attribute values, either on the server side or through a filter or designated client proxy, using the corresponding HTML entities. For example:
<a onclick=\"doit('&#39;')\">...</a>
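As an added example, not code from the original page or from GWT, the following Node.js script models the attribute decoding described above and the entity escaping the page recommends. decodeAttributeValue is a simplified stand-in for the browser's HTML parser (numeric references and the five predefined named entities only); doit, the sample values and the helper names are constructed for illustration. Because the attribute value in this scenario is also a JavaScript string literal, the example layers a JavaScript string escape under the HTML entity escape, which goes one step beyond the single escaping step shown above.

```javascript
// Added example, not from the original page or from GWT. Models how an HTML
// parser decodes character references inside an attribute value, and shows the
// escaping that keeps data inert when markup is concatenated and handed to
// setInnerHTML(). Helper names and sample values are constructed here.

// Simplified stand-in for the browser's attribute-value decoding: numeric
// references (&#39; / &#x27;) and the five predefined named entities. A real
// parser knows far more names; this is enough to show the behaviour in question.
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);

function decodeAttributeValue(raw) {
  return raw.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return NAMED.get(body) ?? match; // unknown names are left as written
  });
}

// HTML-escape data for a double-quoted attribute. '&' goes first so the
// entities produced for the other characters are not escaped a second time.
function escapeHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape data for a single-quoted JavaScript string literal. Needed here
// because the attribute value is itself JavaScript: once the parser has
// decoded the entities, the script engine still has to see a closed string.
function escapeJsString(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Markup in the shape of the page's Java string "<a onclick=\"doit('...')\">".
// buildLinkUnsafe splices the data in directly; buildLink escapes for both
// contexts, innermost (JavaScript) first, outermost (HTML attribute) last.
function buildLinkUnsafe(data) {
  return '<a onclick="doit(\'' + data + '\')">...</a>';
}
function buildLink(data) {
  return '<a onclick="doit(\'' + escapeHtmlAttribute(escapeJsString(data)) + '\')">...</a>';
}

// The onclick value as the script engine would receive it, i.e. after the
// parser has decoded the character references in the attribute.
function onclickAsParsed(markup) {
  const m = /onclick="([^"]*)"/.exec(markup);
  return m ? decodeAttributeValue(m[1]) : null;
}

// Defensive check: the text the parser yields must be exactly the
// JavaScript-escaped value that was intended; any difference means a character
// reference in the data was decoded into something else.
function roundTrips(data) {
  const intended = escapeJsString(data);
  return decodeAttributeValue(escapeHtmlAttribute(intended)) === intended;
}

// Constructed sample: it contains no raw quote, so a check for "'" alone would
// let it through, yet the parser turns '&#39;' into a quote that closes the
// JavaScript string early.
const SAMPLE = "&#39;);injected();//";

console.log(onclickAsParsed(buildLinkUnsafe(SAMPLE)));   // doit('');injected();//')
console.log(onclickAsParsed(buildLink(SAMPLE)));         // doit('&#39;);injected();//')
console.log(onclickAsParsed(buildLink("O'Brien")));      // doit('O\'Brien')
console.log(roundTrips(SAMPLE), roundTrips("O'Brien"));  // true true
```

The order of the two escapes matters: the browser undoes the HTML layer first, so the HTML escape must be applied last, to data that has already been made safe for the JavaScript string. roundTrips is the check worth keeping in a unit test for any code path that concatenates data into attribute values: if the parsed text differs from the intended value, some character reference in the data was decoded, which is exactly the problem the page describes.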
For further reading, refer to the following resources on W3C: