In html does the text inside the img tag's alt attribute require encoding/escaping?

Non encoded example:

<img src="myimg.png" alt="image description" />

Encoded example:

<img src="myimg.png" alt="image%20description" />

No, it does not need to be encoded like a URI. However, HTML characters must be encoded, like this...

<img src="myimg.png" alt="Me &amp; my image" />

They do not require URL encoding, but they do require, as all XHTML attributes do, XHTML entity encoding.

Incorrect:

<img src="foo.gif" alt="Ben & Jerry's" />

Correct:

<img src="foo.gif" alt="Ben &amp; Jerry's" />

You would also need to encode double-quotes within the values, even though you don't have to do that in general text.

Reference:

• http://www.w3.org/TR/xhtml1/#C_12

No it does not. Encoding is for URLs as in http://en.wikipedia.org/wiki/Dream%20Theater, which the alt string is not.

You will need to use entity-encoding to escape > as >, and " as ", though. Note that that is different from URI encoding where special characters are encoded as a percent sign plus two hex digits.

You should use HTML encoding (i.e. " becomes "), not URL encoding. If you are using ASP.NET you can achieve this with Server.HtmlEncode or better yet use the HtmlAttributeEncode method in the AntiXSS Library on CodePlex.