I am about to send an HTML email in code that may contain unsafe user input. I have noticed that if I HTML-escape the subject, Gmail will then display the escaped content (so if my subject is "This & That", which I sanitize as "This &amp; That", Gmail shows the latter). The same goes for Thunderbird. Is it safe to assume that all email clients do not need the subject HTML-escaped?
No need to encode HTML entities in a subject line. The reason for encoding in the HTML body is if you're using XHTML which, because it derives from XML, treats & as a reserved character.
However, the subject line of an email is not in HTML, XML, or XHTML. It's just pure text. Because of this, you don't need to encode an ampersand as &amp;. If you do encode it, because it's not being parsed as HTML, it will be displayed as encoded.
If you want to include non-ASCII characters (e.g. £), then you need to encode the whole 'envelope' (including the email body) as UTF-8.
So, in code, the following will be shown as:
In code   | Subject Line | Body
====================================
&         | &            | &
&amp;     | &amp;        | &
UTF-8 £   | £            | £
ASCII £   | n/a          | n/a
&pound;   | &pound;      | £
NB: Microsoft Office has a weird implementation of UTF-8, so not all UTF-8 characters will work.