Escaping HTML in Attributes or I'm Such a Boob


I’ve been building web sites for over 13 years and have been escaping HTML for years. You know, converting & to &amp;amp; or " to &amp;quot;. Easy stuff, right? Then why did I completely forget that you have to do the same within attributes? Perhaps I just never had a need or realized that it was required. It is.

Even more surprisingly, I should have known. Use an HTML validator on a URL with an ampersand in it and it may complain that the entity doesn’t exist. I’ve run into that before and quickly converted it. So, why didn’t it dawn on me when a client ran into the problem when adding quotes to a picture title?

Such an easy fix that threw me for a loop. The problem was that I wasn’t quoting the attributes within an input field’s value attribute. All I had to do was a simple conversion in Perl and all was better. For those that need a visual, it should look like this:

<input name="test" type="text" value="I'm &quot;quoted&quot;">

Yes. I’m such a boob.
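
The Perl conversion mentioned above could look like the following. This is an added example, not the author's original code; the helper names escape_attr and value_as_parsed and the sample title are assumptions. It also escapes the apostrophe, so the same function covers single-quoted attributes.

```perl
use strict;
use warnings;

# The five characters that must never appear raw in a quoted attribute value.
my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);
my %CHAR = reverse %ENTITY;   # entity => character, used by the check below

# Escape in one pass, so the "&" of an entity just produced is never re-escaped.
sub escape_attr {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Roughly what a browser does with value="...": stop at the next raw
# double quote, then decode the entities in what was captured.
sub value_as_parsed {
    my ($html) = @_;
    my ($raw) = $html =~ /\bvalue="([^"]*)"/;
    return unless defined $raw;
    $raw =~ s/(&(?:amp|lt|gt|quot|#39);)/$CHAR{$1}/g;
    return $raw;
}

# Constructed sample: a picture title containing quotes.
my $title = q{I'm "quoted"};

my $broken = sprintf '<input name="test" type="text" value="%s">', $title;
my $fixed  = sprintf '<input name="test" type="text" value="%s">', escape_attr($title);

# Print both forms of the markup and what the field ends up holding.
for my $case ([ unescaped => $broken ], [ escaped => $fixed ]) {
    my ($label, $html) = @$case;
    my $seen = value_as_parsed($html);
    printf "%-9s %s\n", $label, $html;
    printf "%-9s field holds [%s] -> %s\n\n", '', $seen,
        $seen eq $title ? 'intact' : 'truncated at the first quote';
}
```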


