Do I need to escape quotes inside of an html attribute value? What characters are allowed?
Is this valid?
<span title="This is a 'good' title.">Hi</span>
What values can I put in an HTML attribute value?
Check out the title attribute on the most recent HTML5 spec: dev.w3.org/html5/spec/Overview.html#the-title-attribute I believe the title attribute uses the CDATA type which is defined here: w3.org/TR/html401/types.html#type-cdata –
Homily
Asks about ampersand only: #3706091 (came before unfortunately, so no dupe...) –
Brickbat
If your attribute value is quoted (starts and ends with double quotes "), then any characters except for double quotes and ampersands are allowed, which must be quoted as " and & respectively (or the equivalent numeric entity references, " and &)
You can also use single quotes around an attribute value. If you do this, you may use literal double quotes within the attribute: <span title='This is a "good" title.'>...</span>. In order to escape single quotes within such an attribute value, you must use the numeric entity reference ' since some browsers don't support the named entity, ' (which was not defined in HTML 4.01).
Furthermore, you can also create attributes with no quotes, but that restricts the set of characters you can have within it much further, disallowing the use of spaces, =, ', ", <, >, ` in the attribute.
See the HTML5 spec for more details.
What is the rationale for requiring to escape the ampersands
&? What can it stand for? –
Brickbat Ah, ok, its because the ampersand itself would be parsed as an entity otherwise. –
Brickbat
Ampersand is a valid character in an attribute value. The spec forbids "ambiguous ampersand" which is combnation of (ampersand + alphanumeric characters + semicolon) where it doesn't match any of named references.
<a title="foo & bar"> - valid <a title="&foo;"> - invalid –
Welton What about fancy quotes, e.g. ” - is it ok to put those inside regular-quoted attributes? I tried it and it seems to work (in Chrome at least) and passes the w3c validator. Feels a bit dirty, admittedly! –
Daff
@Daff Curly quotes are fine. The only ones that have special meaning in HTML are the straight quotes. Feel free to use curly quotes within attribute values with either type of straight quotes as delimiters. –
Melitamelitopol
That is valid. However, if you had to put double quotes inside, you would have to escape with " like this:
<span title="This is a "good" title.">Hi</span>
The value can be anything, but you should escape quotes (", '), tag delimiters (<, >) and ampersands (&).
This doesn't look right (cf. link to the specs in the other answers). –
Haslam
it doesn't seem to disallow <, >, etc. The spec only disallows ampersands. –
Lysin
No, you do not need to escape single quotes inside of double quotes.
This page specifies valid attributes of a span tag:
http://www.w3.org/TR/html401/struct/global.html#edef-SPAN
This page specifies valid characters allowed in the title attribute:
Yes that's fine. The problem would be when you try and put a double Quote inside an attribute. like this:
<span title="This is a "bad" title.">Hi</span>
You can get around this by using HTML entities like so:
<span title="This is a "good" title">Hi</span>
Here is a validation function using a Regular expression based on Brian Campbell's answer, for worst case of an unquoted attribute.
validator: function (val) {
if (!val || val.search(/['"=<>`]+|(&\s)+/) === -1) return true;
return 'Disallowed characters in HTML attributes: \' " = < > ` &.';
},
© 2022 - 2024 — McMap. All rights reserved.