Subject: default set of encoded entities should include apos
In XML and HTML, both double and single quotes are acceptable for attribute quoting. Despite this, almost all entity encoders only encode " to &quot;, which means that when encoded text is included as an attribute value in a template that uses ' to quote attribute values, the quoting can easily be broken out of.
While not using single-quote delimiters can help with this problem, I don't see a strong reason why ' shouldn't be quoted to apos by default to help prevent this problem.
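To illustrate the problem, here is an added example (not code from the tracker or any library): an encoder that only handles " beside one that also encodes ', rendered into a constructed single-quoted attribute template, with a check that the attribute delimiter survives intact.

```python
import re

# Models the common behaviour the report describes: &, <, > and " are
# encoded, but ' is left as-is.
def escape_quot_only(text: str) -> str:
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))

# The proposed default: ' is encoded too, so the value is safe inside
# either attribute delimiter. &apos; is predefined in XML and HTML5;
# &#39; is the portable choice if HTML 4 parsers must also be supported.
def escape_both_quotes(text: str) -> str:
    return escape_quot_only(text).replace("'", "&apos;")

# Constructed templates: one quotes the attribute with ', one with ".
def attr_single(value: str, escaper) -> str:
    return "<a title='%s'>link</a>" % escaper(value)

def attr_double(value: str, escaper) -> str:
    return '<a title="%s">link</a>' % escaper(value)

# Check: the attribute must end at the delimiter the template wrote, i.e.
# the encoded value may not contain a bare copy of that delimiter.
def delimiter_intact(markup: str) -> bool:
    single = re.fullmatch(r"<a title='([^']*)'>link</a>", markup)
    double = re.fullmatch(r'<a title="([^"]*)">link</a>', markup)
    return single is not None or double is not None

SAMPLE = "O'Reilly \"Media\""  # constructed sample value

if __name__ == "__main__":
    for name, esc in (("quot only", escape_quot_only),
                      ("both quotes", escape_both_quotes)):
        print(name, "single-quoted attr intact:",
              delimiter_intact(attr_single(SAMPLE, esc)))
        print(name, "double-quoted attr intact:",
              delimiter_intact(attr_double(SAMPLE, esc)))
```

The quot-only encoder keeps the double-quoted template intact but not the single-quoted one; encoding both quotes makes the output safe regardless of which delimiter the template chose.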