I am trying to create a query string of variable assignments separated by the & symbol (ex: "var1=x&var2=y&..."). I plan to pass this string into an embedded flash file.

I am having trouble getting an & symbol to show up in XSLT.

Here is a runnable, short and complete demo how to produce such URL:

<xsl:stylesheet version="1.0"  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:output method="text"/>

 <xsl:variable name="vX" select="'x'"/>
 <xsl:variable name="vY" select="'y'"/>
 <xsl:variable name="vZ" select="'z'"/>

  <xsl:template match="/">
    <xsl:value-of select=
"concat('http://www.myUrl.com/?vA=a&amp;vX=', $vX, '&amp;vY=', $vY, '&amp;vZ=', $vZ)"/>
  </xsl:template>
</xsl:stylesheet>

When this transformation is applied on any source XML document (ignored):

<t/>

the wanted, correct result is produced:

http://www.myUrl.com/?vA=a&vX=x&vY=y&vZ=z

As for the other issues raised in the question:

If I type & with no tags around it, then the output of the document is & with no change.

The above statement simply isn't true ... Just run the transformation above and look at the result.

What really is happening:

The result you are seeing is absolutely correct, however your output method is html or xml (the default value for method=), therefore the serializer of the XSLT processor must represent the correct result -- the string http://www.myUrl.com/?vA=a&vX=x&vY=y&vZ=z -- as (part of) a text node in a well-formed XML document or in an HTML tree.

By definition in a well-formed XML document a literal ampersand must be escaped by a character reference, such as the built-in & or &, or &

Remember: A string that is represented as (part of) an XML text node, or within an HTML tree, may not look like the same string when represented as text. Nevertheless, these are two different representations of the same string.

To better understand this simple fact, do the following:

Take the above transformation and replace the xsl:output declaration:

 <xsl:output method="text"/>

with this one:

 <xsl:output method="xml"/>

Also, surround the output in a single XML element. You may also try to use different escapes for the ampersand. The transformation may now look like this:

<xsl:stylesheet version="1.0"  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:output omit-xml-declaration="yes" method="xml"/>

 <xsl:variable name="vX" select="'x'"/>
 <xsl:variable name="vY" select="'y'"/>
 <xsl:variable name="vZ" select="'z'"/>

  <xsl:template match="/">
        <t>
            <xsl:value-of select=
 "concat('http://www.myUrl.com/?vA=a&amp;vX=', $vX, '&#38;vY=', $vY, '&#x26;vZ=', $vZ)"/>
        </t>
  </xsl:template>
</xsl:stylesheet>

And the result is:

<t>http://www.myUrl.com/?vA=a&amp;vX=x&amp;vY=y&amp;vZ=z</t>

You will get the same result with output method html.

Question:

Is the URL that is output different (or even "damaged") than the one output in the first transformation?

Answer:

No, in both cases the same string was output -- however in each case a different representation of the string was used.

Question:

Must I use the DOE (disable-output-escaping="yes") attribute in order to output the wanted URL?

Answer:

No, as shown in the first transformation.

Question:

Is it recommended to use the DOE (disable-output-escaping="yes") attribute in order to output the wanted URL?

Answer:

No, using DOE is a bad practice in XSLT and usually a signal that the programmer doesn't have a good grasp of the XSLT processing model. Also, DOE is only an optional feature of XSLT 1.0 and it is possible that your XSLT processor doesn't implement DOE, or even if it does, you could have problems running the same transformation with another XSLT processor.

Question

I came from a different problem to the question i made a bounty for. My problem: i try to generate this onclick method:

    <input type="submit" 
onClick="return confirm('are you sure?') && confirm('seriously?');" />

what i can make is: i can place the confirms in a function ... but its buggin me that i can not make a & inside a attribute! The solve of this question is the solve of my problem i think.

Answer

Actually, you can specify the && Boolean operation inside a JavaScript expression inside an attribute, by representing it as &&

Here is a complete example, that everyone can run, as I did on three browsers: Chrome, Firefox 41.1.01 and IE11:

HTML:

<!DOCTYPE html> 

    <html> 
      <head> 
        <link rel="stylesheet" href="style.css"> 
        <script src="script.js"></script> 
      </head> 
      <body> 
        <h1>Hello Plunker!</h1> 
        <input type="submit" 
onClick="alert(confirm('are you sure?') &amp;&amp; confirm('seriously?'));" /> 
      </body> 
    </html>

JavaScript (script.js):

function confirm(message) { 
  alert(message); 
  return message === 'are you sure?'; 

}

When you run this, you'll first get this alert:

Then, after clicking the OK button, you'll get the second alert:

And after clicking OK you'll finally get the alert that produces the result of the && operation:

You may play with this code by varying the values of the arguments passed to the confirm() function and you will verify that the produced results are those of using the && operator.

For example, if you change the <input> element to this:

<input type="submit" 
onClick="alert(confirm('really sure?') &amp;&amp; confirm('seriously?'));" /> 

You'll get first this alert:

And when you click OK, you'll immediately get the final result of the && operation:

The second alert is skipped, because the 1st operand of the && operation was false and JavaScript is shortcutting an && where the 1st operand is false.

To summarize:

It is easy to use the && operator inside an attribute, in an HTML document generated by XSLT, by specifying the && operand as &&

If you are creating a query string as part of a larger URL in an attribute of some other tag (like "embed"), then you actually want the & to be escaped as &. While all browsers will figure out what you mean and Do The Right Thing, if you were to pass your generated doc to a validator it would flag the un-escaped & in the attribute value.

Are you expressing the URI in HTML or XHTML? e.g. <tag attr="http://foo.bar/?key=value&amp;key2=value2&amp;..."/> If so, "&" is the correct way to express an ampersand in an attribute value, even if it looks different from than literal URI you want. Browsers will decode "&" and any other character entity reference before either loading them or passing them to Flash. To embed a literal, lone "&" directly in HTML or XHTML is incorrect.

I also personally recommend learning more about XML in order to think about these kinds of things in a clearer way. For instance, try using the W3C DOM more (for more than just trivial Javascript); even if you don't use it day-to-day, learning the DOM helped me think about the tree structure of XML correctly and how to think about correctly encoding attributes and elements.

Disable output escaping will do the job......as this attribute is supported for a text only you can manipulate the template also eg:

 <xsl:variable name="replaced">

    <xsl:call-template name='app'>
      <xsl:with-param name='name'/>       
    </xsl:call-template>
  </xsl:variable>


<xsl:value-of select="$replaced" disable-output-escaping="yes"/>

---> Wrapped the template call in a variable and used disable-output-escaping="yes"..

Just replace & with

<![CDATA[&]]>

in the data. EX: Data XML

<title>Empire <![CDATA[&]]> Burlesque</title>

XSLT tag:

<xsl:value-of select="title" />

Output: Empire & Burlesque

You can combine disable-output-escaping with a CDATA section. Try this:

<xsl:text disable-output-escaping="yes"><![CDATA[&]]></xsl:text>