6

We have a code like this:

```php
// The " inside the value ends the attribute early, so this markup is broken.
echo '<input type="text" name="myInput" value="Double " Quotes" />';
```

Absolutely it doesn't work because the quote after Double ends the value. We can fix it by using single quotes instead of double ones.

```php
// Single-quoted attribute: the " inside the value is now a literal character.
echo '<input type="text" name="myInput" value=\'Double " Quotes\' />';
```

Now I wanna use both single and double quotes as the value. It should output She said: "I don't know."

Is there a way to fix it WITHOUT using HTML entities (Like &quot;), htmlentities() or similar functions?

Deduplicator
Programmer.zip
  • Why don't you want to use `htmlentities()` (though `htmlspecialchars()` would be enough in your case)? – ComFreek Sep 07 '13 at 20:59
  • HTML entities are the *proper* way to place reserved characters in HTML attribute *context*. Just because it often works without doesn't mean that's standards-compliant. – mario Sep 07 '13 at 21:00
  • You could also use numeric character references instead of entity references. – Gumbo Sep 07 '13 at 21:05
  • @Gumbo For extra obfuscation :) – ComFreek Sep 07 '13 at 21:06
  • you mix HTML character escaping with PHP character escaping. Both are *independent* of each other. But if you output HTML with PHP, you first need to know how to write the HTML and then you need to know how to translate that into PHP. About which part is your question? If you share that, it should be easy to give you an insightful (at least for you) answer. – hakre Sep 07 '13 at 21:07
  • `htmlspecialchars()` is the correct way to sanitize untrusted data when outputting to an HTML context. What's your reason to not use it? – Fabrício Matté Sep 07 '13 at 21:08
  • @Fabrício Matté: I'd say so as well, but I also don't understand the concrete motivation by OP to deal with it/ask *this* way. – hakre Sep 07 '13 at 21:18
  • @hakre: Do the codes have any mistakes? I don't think so (except the first one, and that's because of " in the attribute value). – Programmer.zip Sep 08 '13 at 09:33

2 Answers

11

Is there a way to fix it WITHOUT using HTML entities (Like &quot;), htmlentities() or similar functions?

No, there is not. The double quote (") has special meaning inside an HTML attribute. If you want to put it into an attribute value, you must (this is not a true must but a good rule of thumb; it's a must if you use attributes delimited by double quotes as you do in your question) write it as its entity &quot;. There is no way around it.

Actually even <tag attr='this"'> is not wrong HTML either, and most browsers can deal with that. However it doesn't help you, because you're looking for both quotes - single and double - and in HTML one of these is always the delimiter of the attribute value if you need spaces inside the attribute value (as you do).

However, do not worry about that. It works, and you can express everything you like with that, including the combination of quotes you have.

And actually PHP is there for you to take the burden of "escaping" all those characters just with the htmlspecialchars method doing all the work for you. Inside a PHP string you have the original text - with single and double quotes as you see fit - verbatim.

```php
// The value is kept verbatim in the PHP string; htmlspecialchars() turns the
// double quotes into &quot; so the double-quoted attribute stays intact.
$myString = 'She said: "I don\'t know."';
printf('<input type="text" name="myInput" value="%s" />'
       , htmlspecialchars($myString));
```

Just a shortened example that should demonstrate how this works. Online demo.

hakre
    `` is valid HTML. Also, `` is valid HTML per W3C validator. – Fabrício Matté Sep 07 '13 at 21:18
  • Quoted attribute values' [spec](http://www.w3.org/TR/html-markup/syntax.html#syntax-attr-single-quoted) only enforces that the value cannot contain a literal quote character of the same kind as the quoting used for the given attribute value. – Fabrício Matté Sep 07 '13 at 21:21
  • it depends a bit which SGML rules you follow. But it's a good rule of thumb that you need to use `&lt;` for `<` and `&amp;` for `&` in HTML generally and `&quot;` for `"` inside an attribute value as well more specifically. – hakre Sep 07 '13 at 21:21
  • Yes, I do `htmlspecialchars` all data before outputting to an HTML context, just wanted to comment that at least under HTML5 it is valid to have those values unescaped. – Fabrício Matté Sep 07 '13 at 21:22
  • for the SGML reference in HTML 4: http://www.w3.org/TR/REC-html40/intro/sgmltut.html#h-3.2.2 - SGML is a bit more complicated which is the reason HTML uses only a subset of it. The must is well suited in the context of the OPs question I'd say, not saying you're wrong. – hakre Sep 07 '13 at 21:23
  • Well, your linked spec says: "Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa." so it seems valid under HTML4 as well. – Fabrício Matté Sep 07 '13 at 21:25
  • It *is* valid, but the question uses HTML attribute values with double quotes, so its entity must be used. I also edited the answer to make this difference more clear. – hakre Sep 07 '13 at 21:26
  • Oh "is not wrong", my brain bugged on the double negation sorry. `:P` +1 for the clarifications. – Fabrício Matté Sep 07 '13 at 21:28
  • Yes, that was wrong in my answer, I now fixed that :D I *thought* there was one exclusion to that in SGML, but didn't find it. You will find similar as well in the HTML 2 specs btw, it actually should be safe to use, but here OP is looking to use both quote types *and* spaces and that is just not possible to do all verbatim because the HTML wouldn't be parseable any longer (even technically, it's ambiguous). – hakre Sep 07 '13 at 21:29
  • ^ Yes I noticed that too on your updated answer, it is very clear. `=]` – Fabrício Matté Sep 07 '13 at 21:30
  • @hakre: Your last example is the same as using `&quot;` (but a bit more dynamic). Anyway, I think I should use `htmlentities()`. Accepted. – Programmer.zip Sep 08 '13 at 09:49
  • I think it is worth to differ between just having strings in PHP and outputting them as valid HTML. So that you do not mix data with the output, data is for processing and output just for outputting the results. See as well IPO Model: http://en.wikipedia.org/wiki/IPO_Model – hakre Sep 08 '13 at 10:06
0

To address the question in the title, there is no problem with using both " and ' in an attribute value. The problem arises in linearization of values, i.e. writing them in HTML markup (as opposed to generating them with client-side JavaScript). Then, if the value contains both " and ', either of them needs to be escaped, depending on which one you use as value delimiter.

You do not need to use entity references, though. The character references &#x22; and &#x27; (or the equivalent decimal references) can be used, too.

In the case of the string

She said: "I don't know."

the correct English spelling is

She said: “I don’t know.”

Using the correct punctuation marks, no markup problem arises, since you can use the Ascii quotation mark " or the Ascii apostrophe as delimiter. They are meant for use in computer languages, not in human languages.

Jukka K. Korpela
  • `’` is not the character I need. I'm trying to use single quotes – Programmer.zip Sep 07 '13 at 21:34
  • Are there any keyboard layouts with `’`? I haven't seen one yet. My `en-US` keyboard only has `'` and `´`. – Fabrício Matté Sep 07 '13 at 21:41
  • @Programmer.zip, if your example is real, then you need `’`. – Jukka K. Korpela Sep 07 '13 at 22:03
  • @FabrícioMatté, yes, e.g. Finnish standard keyboard layout. But that’s not really relevant; there is always some way to enter the correct characters, even if the keyboard layout has no direct entry for it. – Jukka K. Korpela Sep 07 '13 at 22:06
  • There is always some way indeed, but I doubt these would be applicable in most cases. Most English keyboard layouts do not have such character, hence it is only natural that user input may contain simple Ascii apostrophes. – Fabrício Matté Sep 07 '13 at 23:07
  • @FabrícioMatté, the `value` attribute specifies the author-provided initial (default) value for a control, not user input. – Jukka K. Korpela Sep 08 '13 at 07:59
  • @JukkaK.Korpela A very common use case for setting a `value` attribute is when presenting an editing form for an existing database record generated from user input. – Fabrício Matté Sep 08 '13 at 18:41
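A worked version of the advice in both answers, added here and not code from hakre or Jukka: it escapes the question's string for a double-quoted and a single-quoted attribute, shows the numeric-character-reference variant, and contrasts the pre-PHP 8.1 default flags, under which htmlspecialchars() leaves the single quote untouched. The function names attrEscape and refEscape are my own.

```php
<?php
// Added example, not code from either answer: escaping a value that holds both
// quote kinds so it survives in a double- or single-quoted attribute.

// htmlspecialchars() with ENT_QUOTES converts both " and '. Before PHP 8.1 the
// default flag set was ENT_COMPAT, which leaves ' alone, so a value placed in a
// single-quoted attribute could end the attribute early. ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string.
function attrEscape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same protection using numeric character references only (Jukka's point):
// the markup-sensitive characters are replaced by hand, no named entities used.
// strtr() does not re-scan replaced text, so & can safely be in the table.
function refEscape(string $value): string
{
    return strtr($value, ['&' => '&#x26;', '<' => '&#x3C;', '>' => '&#x3E;',
                          '"' => '&#x22;', "'" => '&#x27;']);
}

// The value from the question, kept verbatim inside a PHP string.
$myString = 'She said: "I don\'t know."';

// Either delimiter style is safe once both quote characters are references
// (under ENT_HTML5 the apostrophe becomes &apos;, under ENT_HTML401 &#039;).
printf('<input type="text" name="myInput" value="%s" />%s', attrEscape($myString), PHP_EOL);
printf("<input type='text' name='myInput' value='%s' />%s", attrEscape($myString), PHP_EOL);
printf('<input type="text" name="myInput" value="%s" />%s', refEscape($myString), PHP_EOL);

// Contrast: ENT_COMPAT (the pre-8.1 default) escapes " but not ', so inside a
// single-quoted attribute the apostrophe in the value still acts as delimiter.
$compat = htmlspecialchars($myString, ENT_COMPAT, 'UTF-8');
printf("<input type='text' name='myInput' value='%s' />%s", $compat, PHP_EOL);
```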