Escaping HTML in Attributes or I'm Such a Boob



I've been building web sites for over 13 years and have been escaping HTML for years. You know, converting & to &amp;amp; or " to &amp;quot;. Easy stuff, right? Then why did I completely forget that you have to do the same within attributes? Perhaps I just never had a need or realized that it was required. It is.

Even more surprisingly, I should have known. Use an HTML validator on a URL with an ampersand in it and it may complain that the entity doesn't exist. I've run into that before and quickly converted it. So, why didn't it dawn on me when a client ran into the problem when adding quotes to a picture title?

Such an easy fix that threw me for a loop. The problem was that I wasn't quoting the attributes within an input field's value attribute. All I had to do was a simple conversion in Perl and all was better. For those that need a visual, it should look like this:

<input name="test" type="text" value="I'm &quot;quoted&quot;">

Yes. I'm such a boob.
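The failure described above, as an added example that is not the author's code (it is Python rather than the Perl the post mentions): it builds the input tag with and without escaping and runs both through an HTML parser to show what value actually comes back. The helper names and the sample title are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser


class _InputAttrs(HTMLParser):
    """Collects the attributes a parser sees on the first <input> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    """Return the attribute dict an HTML parser recovers from the markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def input_unescaped(value):
    # The bug: the value is dropped into the attribute as-is, so the
    # first double quote in the data ends the attribute early.
    return '<input name="test" type="text" value="%s">' % value


def input_escaped(value):
    # escape(..., quote=True) rewrites & < > " and ' as entities, so the
    # data can no longer close the attribute it sits in. The apostrophe
    # is encoded too, which is harmless inside a double-quoted attribute.
    return '<input name="test" type="text" value="%s">' % escape(value, quote=True)


# Constructed sample: the same text as the article's picture title example.
TITLE = 'I\'m "quoted"'

if __name__ == "__main__":
    for build in (input_unescaped, input_escaped):
        markup = build(TITLE)
        print(markup)
        print("  parsed:", parsed_attrs(markup))
```

In the unescaped form the parser stops the value at the first double quote and treats the remainder as a separate, stray attribute, which is the truncated title the client saw; the same gap is what lets user-supplied text add attributes of its own.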


