The script code is embedded in an HTML attribute value. Therefore it's HTML's rules you have to obey with the string as a whole. You escape double quotes as &quot; (or &#34;) in HTML, and single quotes as &#39;. Backslash escapes (\" and \') won't do, because they're not recognised by the HTML parser. If you write
foo="abc \"def\" ghi"
the HTML parser will see a foo attribute with the value abc \ followed by a bunch of invalid characters.
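The truncation described above, and the two-layer escaping that avoids it, as an added example that is not part of the original text. The function names, the simplified attribute reader and the sample strings are assumptions constructed for illustration.

```javascript
// Escape text for use inside a quoted HTML attribute value.
function escapeHtmlAttr(text) {
  return text
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Simplified model of how an HTML parser reads one double-quoted attribute:
// the value ends at the first literal ", and a backslash has no special meaning.
// Only the entities listed here are decoded (assumption for this demo).
function readDoubleQuotedAttr(markup, name) {
  const start = markup.indexOf(name + '="');
  if (start === -1) return null;
  const from = start + name.length + 2;
  const end = markup.indexOf('"', from);
  if (end === -1) return null;
  const entities = {
    '&quot;': '"', '&#34;': '"', '&#39;': "'",
    '&lt;': '<', '&gt;': '>', '&amp;': '&',
  };
  const value = markup.slice(from, end)
    .replace(/&(quot|#34|#39|lt|gt|amp);/g, (m) => entities[m]);
  return { value, rest: markup.slice(end + 1) };
}

// Build an inline handler: JS-escape the data first (string literal layer),
// then HTML-escape the whole script (attribute layer).
function buildOnclick(message) {
  const script = 'alert(' + JSON.stringify(message) + ')';
  return '<button onclick="' + escapeHtmlAttr(script) + '">go</button>';
}

// Constructed sample inputs.
const broken = '<a foo="abc \\"def\\" ghi">';      // markup: foo="abc \"def\" ghi"
const fixed = '<a foo="abc &quot;def&quot; ghi">';

console.log(readDoubleQuotedAttr(broken, 'foo'));  // value stops after the backslash
console.log(readDoubleQuotedAttr(fixed, 'foo'));   // full value with real quotes
console.log(buildOnclick('He said "hi" & left'));
```

The order matters on output: the browser undoes the HTML layer first, and only then does the script engine see the backslash escapes inside the JavaScript string literal.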