I have a drop down on a web page which is breaking when the value string contains a quote.
The value is "asd, but in the DOM it always appears as an empty string.
I have tried every way I know to escape the string properly, but to no avail.
<option value=""asd">test</option>
<option value="\"asd">test</option>
<option value=""asd">test</option>
<option value=""asd">test</option>
How do I render this on the page so the postback message contains the correct value?
6 Answers 6
" is the correct way, the third of your tests:
<option value=""asd">test</option>
You can see this working below, or on jsFiddle.
alert($("option")[0].value);<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<select>
<option value=""asd">Test</option>
</select>Alternatively, you can delimit the attribute value with single quotes:
<option value='"asd'>test</option>
8 Comments
" maps to the same character as ", but there's no benefit of using the numeric option here because " is a defined named entity. " is also easier to remember.&quot;a (replace the & with &)Per HTML syntax, and even HTML5, the following are all valid options:
<option value=""asd">test</option>
<option value=""asd">test</option>
<option value='"asd'>test</option>
<option value='"asd'>test</option>
<option value='"asd'>test</option>
<option value="asd>test</option>
<option value="asd>test</option>
Note that if you are using XML syntax the quotes (single or double) are required.
Comments
If you are using PHP, try calling htmlentities or htmlspecialchars function.
2 Comments
<option value='<?php echo htmlentities("' onmouseover='alert(123);' foo='"); ?>' /> - make sure you use it with ENT_QUOTES, this is safe: <option value='<?php echo htmlentities("' onmouseover='alert(123);' foo='", ENT_QUOTES); ?>' /> , but in addition to ENT_QUOTES you should also add ENT_SUBSTITUTE and ENT_DISALLOWED, personally i've used this wrapper for years: function hhb_tohtml(string $str):string { return htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true); }Another option is replacing double quotes with single quotes if you don't mind whatever it is. But I don't mention this one:
<option value='"asd'>test</option>
I mention this one:
<option value="'asd">test</option>
In my case I used this solution.
2 Comments
If you are using JavaScript and Lodash, then you can use _.escape(), which escapes ", ', <, >, and &.
Comments
You really should only allow untrusted data into a whitelist of good attributes like: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class , color, cols, colspan , coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span , summary, tabindex, title , usemap, valign, value, vlink, vspace, and width.
You really want to keep untrusted data out of JavaScript handlers as well as id or name attributes (they can clobber other elements in the DOM).
Also, if you are putting untrusted data into a SRC or HREF attribute, then it’s really a untrusted URL, so you should validate the URL. Make sure it’s not a JavaScript: URL, and then HTML entity encode.
More details on all of there here: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
3 Comments
www.owasp.org link is broken: "404 - Not Found"
htmlentities.