What's the best practice to set html attribute via PHP?

Question

When doing this job in PHP,one may meet this kind of issue:

\">...

The problem is that if

Answer 1

To address your edit [Edit: that you have removed meanwhile]: When you place dynamically JavaScript onto your site, you should before know quite well, what it would look like. Else you open the door widely for XSS attacks. That doesn't mean you have to know every quotation mark, but you should know enough to decide how to embed it at the line where you finally output it in the HTML file.

Beyond that,

<a onclick="func(&apos;l&apos;)">

works exactly like

<a onclick="func('l')">

Answer 2

You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:

<span title="<?php echo htmlspecialchars($variable); ?>">

You probably want to set the second parameter ($quote_style) to ENT_QUOTES.

The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.

Answer 3

Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure (double) quote is correctly changed.

Pay attention to the second parameter of that function.

Answer 4

The Bat tool has a StringTool::htmlAttributes ( $arrayOfAttributes ) method that does the job too.

https://github.com/lingtalfi/Bat/blob/master/StringTool.php