
Given a form input field, for example <input type="text" value="xxxxx" name="something">, and a string, let's say: Hello I said "Your my friend" isn't that nice?

How do I safely enter the given string as the value where 'xxxxx' is in the input tag above?

Doing a straight substitution would cause this: <input type="text" value="Hello I said "Your my friend" isn't that nice?"> As you can see, the end result is not coherent. The value is now Hello I said, then there is a bunch of improper text, then another string. Not good.

How do you safely enter strings of unknown or potentially unsafe characters into these kinds of HTML attributes?

john-charles
  • There are several existing questions on the topic. Moreover, the issue can almost always be avoided by using proper punctuation, as per rules of human languages, e.g. `"Hello I said “Your my friend” isn’t that nice?"`. – Jukka K. Korpela Apr 14 '13 at 19:54

2 Answers


Use HTML entities

<input type="text" value="Hello I said &quot;Your my friend&quot; isn't that nice?">
John Conde

There are a couple of solutions and you can choose the one you like:

1. Hack: You can simply use the ' character for the outer quotes and safely use the " character for the text inside. <input type="text" value='this "should work"' name="something">

2. Proper way: Encode the characters according to the HTML character references HERE

<input type="text" value="this &quot;should work&quot;" name="something"> or <input type="text" value="this &#34;should work&#34;" name="something">

MikeL
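An added example, not taken from either answer or from the original poster, that puts the "proper way" above into working code and also shows where the single-quote hack breaks: the moment the value itself contains an apostrophe (as the asker's own string does), the attribute is closed early and the rest of the text is read as new attributes. The function names (escapeHtmlAttr, buildInput, buildInputSingleQuoteHack, parseAttrs, decodeEntities) and the sample inputs are my own; parseAttrs is a deliberately small approximation of an HTML tokenizer, just enough to show whether the value round-trips intact.

```javascript
// Added example (not code from the question or the answers above).
// Escaping a string so it can sit inside an HTML attribute value without
// changing the structure of the tag, plus a small parser to check the result.
// Assumption: the value is inserted into a double-quoted attribute in an HTML
// (not XHTML) document, so the apostrophe is written as &#39; rather than &apos;.

const ATTR_ESCAPES = {
  '&': '&amp;',   // escaping & stops user text such as "&quot;" being decoded as a quote
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every structurally significant character in a single pass, so nothing
// is double-encoded.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Proper way: always quote the attribute and escape everything inside it.
function buildInput(name, value) {
  return `<input type="text" value="${escapeHtmlAttr(value)}" name="${escapeHtmlAttr(name)}">`;
}

// The single-quote hack from the second answer, for comparison. It only holds
// while the value contains no single quote.
function buildInputSingleQuoteHack(name, value) {
  return `<input type="text" value='${value}' name="${name}">`;
}

// Decode the few entities this example produces (named and numeric forms).
const NAMED_ENTITIES = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);
function decodeEntities(s) {
  return s.replace(/&(?:#(\d+)|#x([0-9a-fA-F]+)|([a-zA-Z]+));/g, (all, dec, hex, name) => {
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    return NAMED_ENTITIES.has(name) ? NAMED_ENTITIES.get(name) : all;
  });
}

// Simplified attribute tokenizer: returns { name: decodedValue } for a single
// start tag, reading attributes the way a browser would (first occurrence wins,
// an attribute with no "=" gets the empty string). Not a full HTML parser.
function parseAttrs(tag) {
  const body = tag
    .replace(/^<\s*[a-zA-Z][^\s\/>]*/, '')  // drop "<input"
    .replace(/\/?>\s*$/, '');                // drop the closing ">"
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    const raw = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    if (!Object.prototype.hasOwnProperty.call(attrs, name)) attrs[name] = decodeEntities(raw);
  }
  return attrs;
}

// Demonstration on the asker's string (constructed inputs, run with node).
const ASKER_STRING = 'Hello I said "Your my friend" isn\'t that nice?';
console.log(buildInput('something', ASKER_STRING));
console.log(parseAttrs(buildInput('something', ASKER_STRING)));
console.log(buildInputSingleQuoteHack('something', ASKER_STRING));
console.log(parseAttrs(buildInputSingleQuoteHack('something', ASKER_STRING)));
```

Running it shows the escaped tag parsing back to exactly three attributes with the original value intact, while the single-quote version loses everything after "isn" and grows extra attributes named t, that and nice?. Escaping & as well is what keeps a value such as a&quot;b from silently turning into a"b once the browser decodes the attribute.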