1 # Escaping HTML Attributes
3 Escaping data in **HTML Attribute** contexts is most often done incorrectly, if
4 not overlooked completely by developers. Regular [HTML
5 escaping](escaping-html.md) can be used for escaping HTML attributes *only* if
6 the attribute value can be **guaranteed as being properly quoted**! To avoid
7 confusion, we recommend always using the HTML Attribute escaper method when
8 dealing with HTTP attributes specifically.
10 To escape data for an HTML Attribute, use `Zend\Escaper\Escaper`'s
11 `escapeHtmlAttr()` method. Internally it will convert the data to UTF-8, check
12 for its validity, and use an extended set of characters to escape that are not
13 covered by `htmlspecialchars()` to cover the cases where an attribute might be
14 unquoted or quoted illegally.
16 ## Examples of Bad HTML Attribute Escaping
18 An example of incorrect HTML attribute escaping:
21 <?php header('Content-Type: text/html; charset=UTF-8'); ?>
25 ' onmouseover='alert(/ZF2!/);
29 * NOTE: This is equivalent to using htmlspecialchars($input, ENT_COMPAT)
31 $output = htmlspecialchars($input);
35 <title>Single Quoted Attribute</title>
36 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
41 // the span tag will look like:
42 // <span title='' onmouseover='alert(/ZF2!/);'>
44 <span title='<?= $output ?>'>
45 What framework are you using?
52 In the above example, the default `ENT_COMPAT` flag is being used, which does
53 not escape single quotes, thus resulting in an alert box popping up when the
54 `onmouseover` event happens on the `span` element.
56 Another example of incorrect HTML attribute escaping can happen when unquoted
57 attributes are used (which is, by the way, perfectly valid HTML5):
60 <?php header('Content-Type: text/html; charset=UTF-8'); ?>
64 faketitle onmouseover=alert(/ZF2!/);
67 // Tough luck using proper flags when the title attribute is unquoted!
68 $output = htmlspecialchars($input, ENT_QUOTES);
72 <title>Quoteless Attribute</title>
73 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
78 // the span tag will look like:
79 // <span title=faketitle onmouseover=alert(/ZF2!/);>
81 <span title=<?= $output ?>>
82 What framework are you using?
89 The above example shows how it is easy to break out from unquoted attributes in
92 ## Example of Good HTML Attribute Escaping
94 Both of the previous examples can be avoided by simply using the
95 `escapeHtmlAttr()` method:
98 <?php header('Content-Type: text/html; charset=UTF-8'); ?>
102 faketitle onmouseover=alert(/ZF2!/);
105 $escaper = new Zend\Escaper\Escaper('utf-8');
106 $output = $escaper->escapeHtmlAttr($input);
110 <title>Quoteless Attribute</title>
111 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
116 // the span tag will look like:
117 // <span title=faketitle onmouseover=alert(/ZF2!/);>
119 <span title=<?= $output ?>>
120 What framework are you using?
127 In the above example, the malicious input from the attacker becomes completely
128 harmless as we used proper HTML attribute escaping!