{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 裙下三千臣 的问题《How to properly escape quotes inside html attribut》','https://www.manongdao.com/q-9418.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a drop down on a web page which is breaking when the value string contains a quote.
The value is "asd but in the DOM always appears as an empty string.
I have tried every way I know to escape the string properly but to no avail.
<option value=""asd">test</option>
<option value="\"asd">test</option>
<option value=""asd">test</option>
<option value=""asd">test</option>
Any idea how to render this on the page so the postback message contains the correct value?
If you are using PHP, try calling
htmlentitiesorhtmlspecialcharsfunction.Another option is replacing double quotes with single quotes if you don't mind whatever it is. But I don't mention this one:
I mention this one:
In my case I used this solution.
You really should only allow untrusted data into a whitelist of good attributes like: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
You really want to keep untrusted data out of javascript handlers as well as id or name attributes (they can clobber other elements in the DOM).
Also, if you are putting untrusted data into a SRC or HREF attribute, then its really a untrusted URL so you should validate the URL, make sure its NOT a javascript: URL, and then HTML entity encode.
More details on all of there here: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
There is no way to escape quotes in the value of a input text... but you can use javascript (or jquery):
Per HTML syntax, and even HTML5, the following are all valid options:
Note that if you are using XML syntax the quotes (single or double) are required.
Here's a jsfiddle showing all of the above working.
"is the correct way, the third of your tests:You can see this working below, or on jsFiddle.
Alternatively, you can delimit the attribute value with single quotes: