Do I need to escape quotes inside of an html attribute value? What characters are allowed?
Is this valid?
<span title="This is a 'good' title.">Hi</span>
-
Check out the title attribute on the most recent HTML5 spec: dev.w3.org/html5/spec/Overview.html#the-title-attribute I believe the title attribute uses the CDATA type which is defined here: w3.org/TR/html401/types.html#type-cdataBryan Downing– Bryan Downing2011-03-16 02:01:51 +00:00Commented Mar 16, 2011 at 2:01
-
Asks about ampersand only: stackoverflow.com/questions/3705591/… (came before unfortunately, so no dupe...)Ciro Santilli OurBigBook.com– Ciro Santilli OurBigBook.com2014-02-13 11:37:44 +00:00Commented Feb 13, 2014 at 11:37
Add a comment
|
6 Answers
If your attribute value is quoted (starts and ends with double quotes "), then any characters except for double quotes and ampersands are allowed, which must be quoted as " and & respectively (or the equivalent numeric entity references, " and &)
You can also use single quotes around an attribute value. If you do this, you may use literal double quotes within the attribute: <span title='This is a "good" title.'>...</span>. In order to escape single quotes within such an attribute value, you must use the numeric entity reference ' since some browsers don't support the named entity, ' (which was not defined in HTML 4.01).
Furthermore, you can also create attributes with no quotes, but that restricts the set of characters you can have within it much further, disallowing the use of spaces, =, ', ", <, >, ` in the attribute.
See the HTML5 spec for more details.
5 Comments
Ciro Santilli OurBigBook.com
What is the rationale for requiring to escape the ampersands
&? What can it stand for?Ciro Santilli OurBigBook.com
Ah, ok, its because the ampersand itself would be parsed as an entity otherwise.
Semra
Ampersand is a valid character in an attribute value. The spec forbids "ambiguous ampersand" which is combnation of (ampersand + alphanumeric characters + semicolon) where it doesn't match any of named references.
<a title="foo & bar"> - valid <a title="&foo;"> - invalid
Codemonkey
What about fancy quotes, e.g. ” - is it ok to put those inside regular-quoted attributes? I tried it and it seems to work (in Chrome at least) and passes the w3c validator. Feels a bit dirty, admittedly!
Brian Campbell
@Codemonkey Curly quotes are fine. The only ones that have special meaning in HTML are the straight quotes. Feel free to use curly quotes within attribute values with either type of straight quotes as delimiters.
That is valid. However, if you had to put double quotes inside, you would have to escape with " like this:
<span title="This is a "good" title.">Hi</span>
Comments
The value can be anything, but you should escape quotes (", '), tag delimiters (<, >) and ampersands (&).
2 Comments
Christophe
This doesn't look right (cf. link to the specs in the other answers).
arviman
it doesn't seem to disallow <, >, etc. The spec only disallows ampersands.
No, you do not need to escape single quotes inside of double quotes.
This page specifies valid attributes of a span tag:
http://www.w3.org/TR/html401/struct/global.html#edef-SPAN
This page specifies valid characters allowed in the title attribute:
Comments
Yes that's fine. The problem would be when you try and put a double Quote inside an attribute. like this:
<span title="This is a "bad" title.">Hi</span>
You can get around this by using HTML entities like so:
<span title="This is a "good" title">Hi</span>
Comments
Here is a validation function using a Regular expression based on Brian Campbell's answer, for worst case of an unquoted attribute.
validator: function (val) {
if (!val || val.search(/['"=<>`]+|(&\s)+/) === -1) return true;
return 'Disallowed characters in HTML attributes: \' " = < > ` &.';
},
answered Oct 13, 2014 at 15:34
What Would Be Cool
7,0066 gold badges50 silver badges44 bronze badges