发表新帖
发表新帖

How do I properly escape quotes inside HTML attributes?

前端 未结
关注
6 866
遇见更好的自我
遇见更好的自我 2020-11-22 08:31

I have a drop down on a web page which is breaking when the value string contains a quote.

The value is \"asd, but in the DOM it always appears as an em

相关标签:
6条回答
  • 春和景丽
    2020-11-22 09:08

    Per HTML syntax, and even HTML5, the following are all valid options:

    <option value="&quot;asd">test</option>
<option value="&#34;asd">test</option>
<option value='"asd'>test</option>
<option value='&quot;asd'>test</option>
<option value='&#34;asd'>test</option>
<option value=&quot;asd>test</option>
<option value=&#34;asd>test</option>

    Note that if you are using XML syntax the quotes (single or double) are required.

    Here's a jsfiddle showing all of the above working.

    0 讨论(0)
  • 太阳男子
    2020-11-22 09:09

    &quot; is the correct way, the third of your tests:

    <option value="&quot;asd">test</option>

    You can see this working below, or on jsFiddle.

    alert($("option")[0].value);
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<select>
  <option value="&quot;asd">Test</option>
</select>

    Alternatively, you can delimit the attribute value with single quotes:

    <option value='"asd'>test</option>
    0 讨论(0)
  • 夕颜
    2020-11-22 09:11

    You really should only allow untrusted data into a whitelist of good attributes like: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

    You really want to keep untrusted data out of javascript handlers as well as id or name attributes (they can clobber other elements in the DOM).

    Also, if you are putting untrusted data into a SRC or HREF attribute, then its really a untrusted URL so you should validate the URL, make sure its NOT a javascript: URL, and then HTML entity encode.

    More details on all of there here: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet

    0 讨论(0)
  • 隐瞒了意图╮
    2020-11-22 09:23

    Another option is replacing double quotes with single quotes if you don't mind whatever it is. But I don't mention this one:

    <option value='"asd'>test</option>

    I mention this one:

    <option value="'asd">test</option>

    In my case I used this solution.

    0 讨论(0)
  • 一整个雨季
    2020-11-22 09:23

    If you are using Javascript and Lodash, then you can use _.escape(), which escapes ", ', <, >, and &.

    See here: https://lodash.com/docs/#escape

    0 讨论(0)
  • 情深已故
    2020-11-22 09:25

    If you are using PHP, try calling htmlentities or htmlspecialchars function.

    0 讨论(0)
 看不清?
提交回复
热议问题