Do I need to escape quotes inside of an html attribute value? What characters are allowed?
Is this valid?
<span title="This is a 'good' title.">Hi</span>
Asked
Active
Viewed 2.3k times
30
-
Check out the title attribute on the most recent HTML5 spec: http://dev.w3.org/html5/spec/Overview.html#the-title-attribute I believe the title attribute uses the CDATA type which is defined here: http://www.w3.org/TR/html401/types.html#type-cdata – Bryan Downing Mar 16 '11 at 02:01
-
Asks about ampersand only: http://stackoverflow.com/questions/3705591/do-i-encode-ampersands-in-a-href (came before unfortunately, so no dupe...) – Ciro Santilli OurBigBook.com Feb 13 '14 at 11:37
6 Answers
46
If your attribute value is quoted (starts and ends with double quotes "), then any characters except for double quotes and ampersands are allowed, which must be quoted as " and & respectively (or the equivalent numeric entity references, " and &)
You can also use single quotes around an attribute value. If you do this, you may use literal double quotes within the attribute: <span title='This is a "good" title.'>...</span>. In order to escape single quotes within such an attribute value, you must use the numeric entity reference ' since some browsers don't support the named entity, ' (which was not defined in HTML 4.01).
Furthermore, you can also create attributes with no quotes, but that restricts the set of characters you can have within it much further, disallowing the use of spaces, =, ', ", <, >, ` in the attribute.
See the HTML5 spec for more details.
Community
- 1
- 1
Brian Campbell
- 322,767
- 57
- 360
- 340
-
1What is the rationale for requiring to escape the ampersands `&`? What can it stand for? – Ciro Santilli OurBigBook.com Feb 13 '14 at 11:23
-
5Ah, ok, its because the ampersand itself would be parsed as an entity otherwise. – Ciro Santilli OurBigBook.com Feb 13 '14 at 11:39
-
5Ampersand is a valid character in an attribute value. The spec forbids "ambiguous ampersand" which is combnation of (ampersand + alphanumeric characters + semicolon) where it doesn't match any of named references. `` - valid `` - invalid – Semra Jan 10 '15 at 22:20
-
What about fancy quotes, e.g. ” - is it ok to put those inside regular-quoted attributes? I tried it and it seems to work (in Chrome at least) and passes the w3c validator. Feels a bit dirty, admittedly! – Codemonkey Jun 25 '15 at 14:21
-
1@Codemonkey Curly quotes are fine. The only ones that have special meaning in HTML are the straight quotes. Feel free to use curly quotes within attribute values with either type of straight quotes as delimiters. – Brian Campbell Jun 25 '15 at 20:53
4
That is valid. However, if you had to put double quotes inside, you would have to escape with " like this:
<span title="This is a "good" title.">Hi</span>
Peter Olson
- 139,199
- 49
- 202
- 242
3
The value can be anything, but you should escape quotes (", '), tag delimiters (<, >) and ampersands (&).
casablanca
- 69,683
- 7
- 133
- 150
-
This doesn't look right (cf. link to the specs in the other answers). – Christophe Jan 13 '13 at 01:09
-
it doesn't seem to disallow <, >, etc. The spec only disallows ampersands. – arviman Feb 13 '18 at 12:57
3
No, you do not need to escape single quotes inside of double quotes.
This page specifies valid attributes of a span tag:
http://www.w3.org/TR/html401/struct/global.html#edef-SPAN
This page specifies valid characters allowed in the title attribute:
Adam Ayres
- 8,732
- 1
- 32
- 25
1
Yes that's fine. The problem would be when you try and put a double Quote inside an attribute. like this:
<span title="This is a "bad" title.">Hi</span>
You can get around this by using HTML entities like so:
<span title="This is a "good" title">Hi</span>
Emmanuel
- 4,933
- 5
- 46
- 71
0
Here is a validation function using a Regular expression based on Brian Campbell's answer, for worst case of an unquoted attribute.
validator: function (val) {
if (!val || val.search(/['"=<>`]+|(&\s)+/) === -1) return true;
return 'Disallowed characters in HTML attributes: \' " = < > ` &.';
},
What Would Be Cool
- 6,204
- 5
- 45
- 42