How do I properly escape quotes inside HTML attributes?

Asked 25/10, 2010 at 14:8 Answered 14/11, 2019 at 23:33

347

I have a drop down on a web page which is breaking when the value string contains a quote.

The value is "asd, but in the DOM it always appears as an empty string.

I have tried every way I know to escape the string properly, but to no avail.

<option value=""asd">test</option>
<option value="\"asd">test</option>
<option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>

How do I render this on the page so the postback message contains the correct value?

Rennes answered 25/10, 2010 at 14:8 Comment(7)

How are you generating the page? – Tutankhamen 25/10, 2010 at 14:11

What if you use single quotes? <option value='"asd'>test</option> – Wingate 25/10, 2010 at 14:11

I have to point out none of these answers say how to properly escape strings for use inside html attributes – Nightfall 6/2, 2013 at 18:46

@Nightfall That would depend on how the HTML was being generated. The question was about quotes, so technically the accepted answer answers the question asked. As to how to properly escape strings, I don't have a link handy for the general case, but in PHP you'd use htmlentities. – Lemuelah 25/2, 2013 at 16:50

possible duplicate of how to have quotation marks in html input values – Blanchblancha 28/7, 2014 at 16:24

possible duplicate of How to escape double quotes in title attribute – Civies 9/4, 2015 at 17:4

@Rennes Can you remember what browser you were testing with when you found that those bottom two examples resulted in ""? – Belgian 10/11, 2019 at 14:57

431

" is the correct way, the third of your tests:

<option value="&quot;asd">test</option>

You can see this working below, or on jsFiddle.

alert($("option")[0].value);

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<select>
  <option value="&quot;asd">Test</option>
</select>

Alternatively, you can delimit the attribute value with single quotes:

<option value='"asd'>test</option>

Cerebritis answered 25/10, 2010 at 14:11 Comment(8)

OP's fourth option, ", is also a valid way to escape quotes. There's a benefit to using numeric html entities over named entities, in that named entities do not cover all characters, while numeric entities do. The full HTML4 list is at w3.org/TR/html4/sgml/entities.html . – Disembody 25/10, 2010 at 14:42

@atk: yes, " maps to the same character as ", but there's no benefit of using the numeric option here because " is a defined named entity. " is also easier to remember. – Cerebritis 25/10, 2010 at 14:45

I agree. In this particular case, it's easier to use ". I intended only to point out the general case. – Disembody 25/10, 2010 at 17:5

I agree with atk's answer – Sorb 7/3, 2014 at 0:22

I tested the use of the single quotes for the html attribute, specifically in native IE8 (as this was the main html validation problem). This worked. I would suggest doing a replace in the attribute value instead though, as suggested by the first option with the named entity. Thanks! – Prefecture 22/4, 2015 at 16:6

My Question is reverse. Howto make value=""a" displayed as "a instead of "a? – Characteristically 2/1, 2017 at 23:2

@SIDU: change it to &quot;a (replace the & with &) – Cerebritis 3/1, 2017 at 13:52

^ infinite loop – Luzern 1/2, 2017 at 17:36

Per HTML syntax, and even HTML5, the following are all valid options:

<option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>
<option value='"asd'>test</option>
<option value='&quot;asd'>test</option>
<option value='&#34;asd'>test</option>
<option value=&quot;asd>test</option>
<option value=&#34;asd>test</option>

Note that if you are using XML syntax the quotes (single or double) are required.

Here's a jsfiddle showing all of the above working.

Viehmann answered 19/1, 2016 at 15:43 Comment(0)

If you are using PHP, try calling htmlentities or htmlspecialchars function.

Plage answered 13/6, 2013 at 12:36 Comment(2)

just using them may not be enough, try <option value='<?php echo htmlentities("' onmouseover='alert(123);' foo='"); ?>' /> - make sure you use it with ENT_QUOTES, this is safe: <option value='<?php echo htmlentities("' onmouseover='alert(123);' foo='", ENT_QUOTES); ?>' /> , but in addition to ENT_QUOTES you should also add ENT_SUBSTITUTE and ENT_DISALLOWED, personally i've used this wrapper for years:

function hhb_tohtml(string $str):string {     return htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true); }

– Durwin 23/12, 2019 at 0:8

Don't understand this comment. – Americano 7/7, 2023 at 19:6

Another option is replacing double quotes with single quotes if you don't mind whatever it is. But I don't mention this one:

<option value='"asd'>test</option>

I mention this one:

<option value="'asd">test</option>

In my case I used this solution.

Runstadler answered 27/11, 2012 at 9:0 Comment(2)

But if the value contains single & double quotes, this will fail – Watson 10/10, 2014 at 8:29

@Watson I said if the value contains double quotes, convert them to single quotes. If the value contains single quotes, then it will be no problem. – Runstadler 12/10, 2014 at 20:23

If you are using JavaScript and Lodash, then you can use _.escape(), which escapes ", ', <, >, and &.

Sidewheel answered 14/11, 2019 at 23:33 Comment(0)

You really should only allow untrusted data into a whitelist of good attributes like: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

You really want to keep untrusted data out of javascript handlers as well as id or name attributes (they can clobber other elements in the DOM).

Also, if you are putting untrusted data into a SRC or HREF attribute, then its really a untrusted URL so you should validate the URL, make sure its NOT a javascript: URL, and then HTML entity encode.

More details on all of there here: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet

Hypophosphite answered 20/11, 2011 at 2:12 Comment(2)

I know this is late, but almost all of those attributes are deprecated in HTML4.01 and removed in 5. It may not matter now anyway, as there are better ways to protect yourself, just pointing it out. – Overtime 15/6, 2014 at 19:41

The question is asking about data with quote characters in it, not about untrusted data. – Proleg 16/5, 2016 at 10:52

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags