4

Let sEncodedHref represent an HttpUtility.HtmlAttributeEncode(..)'d string.

Are there any functional differences between generated html like this:

String.Format(@"<span class='blue' src='{0}'>", sEncodedHref);

vs. generated html like this:

String.Format(@"<span class=""blue"" src=""{0}"">", sEncodedHref);

I've been under the impression that the single-quoted variant is both less supported and less "safe", however I have trouble providing reasons to support that argument.

Daniel Vassallo
Jude Allred
  • See this question: http://stackoverflow.com/questions/273354/html-single-quotes-a-problem – Jared Updike Jul 26 '10 at 21:03
  • Security is a concern here: The HtmlAttributeEncode method converts only quotation marks ("), ampersands (&), and left angle brackets (<) to equivalent character entities. It is considerably faster than the HtmlEncode method. The string result from the HtmlAttributeEncode method should be used only for double-quoted attributes. Security issues might arise when using the HtmlAttributeEncode method with single-quoted attributes. [source](http://msdn.microsoft.com/en-us/library/wdek0zbf.aspx) – Jude Allred Jul 26 '10 at 22:56
  • 2020 update on the above security concern: HtmlAttributeEncode handles single quotes now. – Jude Allred Jan 30 '20 at 16:42

6 Answers

9

There is no functional difference. Quoting the W3C on SGML and HTML:

By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa.

...

In certain cases, authors may specify the value of an attribute without any quotation marks. The attribute value may only contain letters (a-z and A-Z), digits (0-9), hyphens (ASCII decimal 45), periods (ASCII decimal 46), underscores (ASCII decimal 95), and colons (ASCII decimal 58). We recommend using quotation marks even when it is possible to eliminate them.

Daniel Vassallo
  • +1. And, for standard compliance's sake, omitting quotation marks is almost definitely a bad idea these days. – stakx - no longer contributing Jul 26 '10 at 21:09
  • While this is the correct answer, it's important to note that there is a fairly substantial functional difference in the example that I gave: The single-quoted version is vulnerable to XSS, and the double-quoted version is not. – Jude Allred Jul 26 '10 at 23:24
4

Absolutely no functional difference. Both are valid, although double quotes are more widely used and are preferred.

Darin Dimitrov
1

From a functional perspective there are no differences. From a security perspective there are. It is easier for a hacker to do XSS when you use single quotes (when the text within those quotes comes from an untrusted source, of course). However, I wouldn't bet on only double quotes. You'd better use proper encoding on that attribute value.

Update:

Here is an example with ASP.NET:

<input type='button' 
    value='<% = HttpUtility.HtmlEncode(Request["button"]) %>' />

Because of the use of single quotes, this code snippet is easier to exploit for a hacker. Here is an example. When you put the following text in the button argument of the query string, you will have a successful* XSS exploit:

click' onclick='alert("xss")

as in:

mypage.aspx?button=click'%20onclick='alert("xss")

This attack wouldn't have been successful if we had written the snippet with double quotes as follows:

<input type='button' 
    value="<% = HttpUtility.HtmlEncode(Request["button"]) %>" />

I hope this clears things up a bit.

*Of course, the newest browsers will detect this type of attack (which is called reflected XSS), but won't detect it when the string didn't come directly from the browser (which is called persistent XSS).

Steven
  • It is not easier to perform XSS when single quotes are used. It just means that different characters have to be represented as entities. – Quentin Jul 26 '10 at 21:10
  • That's interesting. How come single quotation marks are more "dangerous"? – stakx - no longer contributing Jul 26 '10 at 21:10
  • You've misunderstood XSS - this is done by javascript... html itself can contain javascript but the html tags - especially their quotation - have nothing to do with XSS and javascript. – Andreas Rehm Jul 26 '10 at 22:02
  • I'm sorry for not explaining myself well enough. Single quotes are more 'dangerous' because a lot of encoders, such as PHP's `htmlspecialchars` method (with default configuration) and ASP.NET's `HttpUtility.HtmlEncode` method, will NOT encode single quotes. When using these methods to encode HTML attribute values, while wrapping the value in a single quote, it allows a hacker to insert a new attribute, such as an `onclick` or `onmouseover` into the HTML element. I’ve updated my answer to show an example of such. I hope this makes more sense. I hope you will reevaluate your down vote. – Steven Jul 31 '10 at 11:44
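
To make the difference between the two quoting styles concrete, here is an added Python example; it is not code from the question or from any of the answers. It models the encoder Steven describes (one that leaves the apostrophe alone; that model is an assumption written here, not a call into .NET) next to an encoder that also escapes the apostrophe, renders the answer's `<input>` with each delimiter, and uses Python's own HTML parser to check whether the untrusted value managed to add an attribute to the element. The probe string is the one from Steven's answer.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, List

# Constructed probe value, the same string Steven's answer puts in the query
# string: it closes a single-quoted attribute and starts a new one.
PROBE = "click' onclick='alert(\"xss\")"


def legacy_html_encode(value: str) -> str:
    """Assumption: models an encoder that leaves the apostrophe alone, which is
    the behaviour the answer describes for HttpUtility.HtmlEncode at the time.
    Only & < > and the double quote become entities."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def attribute_encode(value: str) -> str:
    """Encoder that is safe inside either quoting style: the apostrophe is
    encoded as well, so the untrusted value can never close the attribute."""
    return legacy_html_encode(value).replace("'", "&#39;")


def render_button(value: str, quote: str, encoder: Callable[[str], str]) -> str:
    """Render the answer's <input> with the chosen delimiter around the value."""
    return f"<input type='button' value={quote}{encoder(value)}{quote} />"


class _FirstTagAttrs(HTMLParser):
    """Collect the attributes of the first tag, as a browser's parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: List = []
        self._seen = False

    def handle_starttag(self, tag, attrs):
        if not self._seen:
            self._seen = True
            self.attrs = attrs

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse_attributes(markup: str) -> Dict[str, str]:
    """Attribute name -> decoded value of the first tag in the markup."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return dict(parser.attrs)


def injected_attributes(value: str, quote: str,
                        encoder: Callable[[str], str]) -> List[str]:
    """Names of attributes the untrusted value managed to add to the element.
    An empty list means the value stayed inside the value attribute."""
    attrs = parse_attributes(render_button(value, quote, encoder))
    return sorted(name for name in attrs if name not in ("type", "value"))


if __name__ == "__main__":
    for encoder in (legacy_html_encode, attribute_encode):
        for quote in ("'", '"'):
            html = render_button(PROBE, quote, encoder)
            print(f"{encoder.__name__:20} {quote}  {html}")
            print(f"{'':20}    injected: {injected_attributes(PROBE, quote, encoder)}")
```

Only the combination of the apostrophe-blind encoder and a single-quoted attribute yields an extra `onclick` attribute; with the double-quoted delimiter, or with an encoder that also escapes `'`, the parsed element carries exactly the attributes the template wrote and the value round-trips unchanged. That parse-and-compare check is the review a defender can apply to any template: encode for the attribute context, or at least match the encoder to the delimiter.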
0

As far as html is concerned there is no difference. They are both supported. It's when you get into dynamically outputting it via other means that you just need to take care to escape properly etc.. but that's as far as whatever scripting language you are using is concerned, not your browser.

CrayonViolent
0

Using single quotes for string variables sometimes will give a "too many characters in character literal" error. For example, define a class in Entity Framework:

using System;

public class DevEnt
{
    public string Dev_IMEI { get; set; }
    public DateTime Date { get; set; }
}

Then when initializing the IMEI field of an instance from this class,

var dev = new DevEnt()
{
    Dev_IMEI = "111111",
    Date = new DateTime(2015, 12, 1)
};

using single quotes, as in Dev_IMEI='111111', will give an error.

-2

The standard (XHTML) is double quotes, but browsers still support the non-standard HTML pages out there so they can still understand the single quotes.

You don't have to escape the double quotes.

del.ave