[thelist] Escaping quotes in a hidden input's value

Andrew Clover and-evolt at doxdesk.com
Sat Jun 5 01:30:45 CDT 2004


Tab Alleman <Tab.Alleman at MetroGuide.com> wrote:

> I didn't want to replace quotes with html entities, because then how
> will I know whether the original value was "Hi!" or &quot;Hi!&quot; ?

You seem to have misunderstood the level at which quoting occurs in HTML.

All attribute values are decoded when the HTML page is loaded. So given:

   <div title="I'm upset">
   <div title='I&#39;m upset'>

The 'title' of both these elements is completely equal. (And, BTW, it's 
perfectly valid to use single or double quotes in both XHTML and 
plain-old-HTML.)

So given:

   <input name="x" value="I'm &quot;upset&amp;tired&quot;" />
   <input name="y" value='I&#39;m "upset&amp;tired"' />

the 'x' and 'y' inputs both have exactly the same value. When you read 
them from JavaScript:

   javascript:alert(document.forms[0].elements['x'].value)

or from ASP:

   x = Request.Form("x")

you *won't* see the entity-encoding, because the page has long been 
decoded at this point.

If you are using a GET form then it is indeed possible that characters 
like '&' and '"' may be encoded with % symbols when they are submitted 
to your ASP (or CGI etc.) script, but this happens behind your back and 
you don't need to worry about it. There is no reason at all to add an 
extra layer of encoding on top of what the browser and server 
environment will do automatically.

If the real value you want to write to the hidden field when you create 
the HTML is actually "&quot;Hi!&quot;", you'll have to output:

   <input name="x" value="&amp;quot;Hi!&amp;quot;">

Usually you won't care about that because you'll be using 
Server.HTMLEncode to take care of it all automatically. (If you aren't, 
and are just allowing arbitrary strings to be added to the page without 
HTML-encoding them, you very likely have nasty cross-site-scripting 
security problems.)

-- 
Andrew Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
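The decoding the post describes, as an added example that is not part of the original message: a small attribute encoder (standing in for what Server.HTMLEncode does on the server) next to a decoder that resolves the entities the way the browser does, so the round trip through a hidden input can be checked directly. The function names and the hidden-input markup are this example's own.

```javascript
// Added example (not from the original post): encode a raw value for a
// quoted attribute, then decode it the way the browser does, to show that
// the entity layer is gone before JavaScript or ASP ever sees the value.

// Server-side encoding step; stands in for Server.HTMLEncode.
function encodeAttr(raw) {
  return raw
    .replace(/&/g, '&amp;')   // first, or the others get double-encoded
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Browser-side decoding of the entities used above, plus numeric forms.
const NAMED = { amp: '&', quot: '"', lt: '<', gt: '>', apos: "'" };
function decodeAttr(encoded) {
  return encoded.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    const named = NAMED[body.toLowerCase()];
    return named === undefined ? m : named;  // unknown entity: keep as-is
  });
}

// Markup for a hidden input; `name` is trusted here, `raw` is not.
function hiddenInput(name, raw) {
  return `<input type="hidden" name="${name}" value="${encodeAttr(raw)}">`;
}

// What document.forms[0].elements[name].value (or Request.Form) returns:
// the decoded attribute, never the entity text.
function readValue(markup) {
  const m = /value="([^"]*)"/.exec(markup);
  return m ? decodeAttr(m[1]) : null;
}

// The two spellings from the post decode to one and the same string.
const sameX = decodeAttr('I&#39;m &quot;upset&amp;tired&quot;');
const sameY = decodeAttr('I&#39;m "upset&amp;tired"');

// A value that is itself entity text must be encoded again, so the literal
// characters &quot;Hi!&quot; survive the browser's decoding.
const doubly = hiddenInput('x', '&quot;Hi!&quot;');
```

Running `readValue(hiddenInput('x', v))` for any string `v`, including ones containing quotes, ampersands or angle brackets, gives `v` back unchanged, which is the whole point of encoding once at output time and nowhere else.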