44

I have the following problem - from the server side I get a string like 'hoschi"brother'.

I want to put this string into a `<input value="MYSTRING" />`. This results in something like `<input value="hoschi" brother" />` which obviously does not work.

Is there a workaround for this?

Does escaping the " character with &quot; work within the value tag?

Peter Mortensen
tobi

3 Answers

80

Yes, using &quot; works:

<input type="text" name="last_name" value="&quot;My quote!&quot;" />
Dominic Rodger
  • 4
    doesn't work if it's made via embeddedjs :( – Sirber Nov 11 '11 at 17:40
  • http://code.google.com/p/embeddedjavascript/issues/detail?id=19&thanks=19&ts=1321033418 – Sirber Nov 11 '11 at 17:45
  • 4
    It will store the &quote; in database table instead. I would like to insert it ". – Bajrang Nov 06 '12 at 07:34
  • 1
    @Sirber Using the DOM API does not require escaping the double quote character. The `&quot;` HTML entity is required only when directly embedding the content in the HTML, to avoid rendering errors and prevent [XSS attacks](http://en.wikipedia.org/wiki/Cross-site_scripting). – Boaz May 21 '14 at 15:43
  • @Sirber then how you solved it – Sumit Feb 25 '20 at 07:16
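
The behaviour described in the answer and comments above, as an added example that is not part of the original thread: the question's string embedded directly, embedded after escaping, and set through the DOM API. All function names (`escapeAttr`, `unescapeAttr`, `parsedValue`, `naiveInput`, `safeInput`, `domInput`) are illustrative, and `parsedValue` is a simplified model of how a parser reads a double-quoted attribute.

```javascript
// Added example; all function names here are illustrative.
const ENTITIES = { "&": "&amp;", '"': "&quot;", "'": "&#39;", "<": "&lt;", ">": "&gt;" };
const DECODE = { amp: "&", quot: '"', "#39": "'", lt: "<", gt: ">" };

// Escape text for a quoted HTML attribute value (single pass, so "&" is never double-handled).
function escapeAttr(s) {
  return String(s).replace(/[&"'<>]/g, (ch) => ENTITIES[ch]);
}

// Decode the same five entities, as the HTML parser does after it has found the closing quote.
function unescapeAttr(s) {
  return s.replace(/&(amp|quot|#39|lt|gt);/g, (_, name) => DECODE[name]);
}

// Simplified model of parsing value="...": the value ends at the first literal ".
function parsedValue(tag) {
  const m = /\svalue="([^"]*)"/.exec(tag);
  return m ? unescapeAttr(m[1]) : null;
}

// Direct string embedding, as in the question (the value is cut off at the quote).
const naiveInput = (v) => `<input type="text" value="${v}" />`;
// Same template with the value escaped first.
const safeInput = (v) => `<input type="text" value="${escapeAttr(v)}" />`;

// DOM API route from Boaz's comment: no escaping, the string is never parsed as HTML.
function domInput(doc, v) {
  const el = doc.createElement("input");
  el.value = v;
  return el;
}

const fromServer = 'hoschi"brother'; // string from the question
console.log(naiveInput(fromServer), "->", parsedValue(naiveInput(fromServer)));
console.log(safeInput(fromServer), "->", parsedValue(safeInput(fromServer)));
```

In a browser, `domInput(document, fromServer)` returns an input whose value is the full string, quote included.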
15

does escaping the " character with &quot; work within the value tag?

Yes. (This isn't a workaround though. It is how HTML is designed to work.)

Alternatively, if the value contains only single quotes or only double quotes, then you can use the other to delimit the attribute instead.

Peter Mortensen
Quentin
1

As it's a form field, folks will type anything they like in there which may or may not include a nice mixture of double and single quotes. Adding these to the database is easy, escape them with " / ' etc.

Nicely enough if you put &quot; in the value clause of an input, it displays " on the screen as you want it to. Single quotes are a doddle, they can be as is if need be as they're within doubles.

Terry
  • 3
    Could you include a sample of the escaping using the user's example data--this will improve your answer. – DWright Dec 24 '12 at 18:39