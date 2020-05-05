Using single quotes in an HTML attribute?

#1

I have a set of items stored in a database, each with their own unique name.

On one of my HTML pages, I create a list of buttons that display the name of each item, and when they are clicked, I call a function that passes the name of the item as a parameter.

<div class="large professional-button" onclick="doStuff("itemName", "param2")">itemName</div>

The issue is, these item names are user-generated, so they can be whatever a person wants. This means they have the potential to have single quotes in them, for example: name'with'quotes. I have found that my HTML construction runs into an error when it tries to construct the buttons for any items with quotes in the name. They end up looking something like this:

<div class="large professional-button" onclick="doStuff("name" with'quotes",="" "param2")'="">name'with'quotes</div>

As soon as it hits the first single quotes in the name, it seems to turn them into a space and double-quotes ( ") and then everything else after that becomes a garbled mess. Any double quotes seem to get converted to &quot;.

What should I do so that I can allow single quotes in an item name, and then use that name in an HTML attribute later? I already am using encodeuricomponent() when taking the names in and out of the database, but that function doesn’t affect single quotes.

#2

Maybe use the escape character ( / ) to prevent JavaScript from interpreting a quote as the end of the string, or the same in PHP somewhere in your syntax. Sorry that is the best I can do.

#3

Unfortunately, seems like that doesn’t work. Here’s when I use decodedName.replace(/'/g, "\\'"); to add escape characters before all of the quotes and log the string being inserted into the HTML:

image

#4

Please supply more details about the database.

If and only if the database is PHP driven then there are numerous PHP functions available to convert the source before storing. On retrieval the data should render without any problems.

PHP functions to investigate:

Htmlspecialchars(…)
htmlentities(…)
strip_tags(…)

