This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
It should probably say to replace <>& with their respective entities. This might well not be what browsers do, though. I received a complaint that they overescape, e.g., nbsp.
Hmm, maybe browsers escape any non-ASCII characters because they don't know what the encoding will be? That would make sense, although it's horribly annoying if you use many non-ASCII chars.
https://bitbucket.org/ms2ger/dom-parsing-and-serialization/changeset/01751a512fa6599ba5ec2f81be6370b7 (Note that HTML over-escapes nbsp explicitly: <http://www.whatwg.org/html/#escapingString>)
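The two escaping rules discussed in this thread, side by side, as an added example that is not part of the original bug comments or the linked changeset. The function names and the sample string are constructed for illustration; the HTML function follows the "escaping a string" steps in the HTML spec linked above.

```javascript
// Added illustration; function names are hypothetical, not from the spec or the changeset.

// XML text escaping as proposed in this bug: only & < > become entities.
// Non-ASCII characters, including U+00A0, pass through unchanged.
function escapeXmlText(s) {
  return s
    .replace(/&/g, "&amp;") // must run first, or the entities below get re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// HTML "escaping a string": & and U+00A0 are always replaced; then " in
// attribute mode, or < and > otherwise.
function escapeHtmlString(s, attributeMode = false) {
  const out = s.replace(/&/g, "&amp;").replace(/\u00A0/g, "&nbsp;");
  if (attributeMode) {
    return out.replace(/"/g, "&quot;");
  }
  return out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Constructed sample: markup characters, a non-ASCII letter and a no-break space.
const sample = 'a < b && "caf\u00E9"\u00A0> c';

function demo() {
  return {
    xml: escapeXmlText(sample),
    htmlText: escapeHtmlString(sample),
    htmlAttr: escapeHtmlString(sample, true),
  };
}

console.log(demo());
```

XML predefines only the amp, lt, gt, apos and quot entities, so output containing `&nbsp;` is not well-formed XML unless a DTD declares it; the XML function therefore leaves U+00A0 as a literal character.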