If you want to prepopulate an html text field with a string that includes a double quote ("), you need to html-encode it, as &quot;. Unfortunately, the string '"abc"' encoded as "&quot;abc&quot;" submitted with the form to the server, is indistinguishable by the server from the string "&quot;abc&quot;" entered literally.

Using ' to delimit the text field value attribute is not an available option, since the input field is being populated from javascript. Escaping the " with \ or \ \ does not work (Firefox); Javascript allows that escaping, but the html renderer just sees the \ and the " as distinct.

Is there a workaround for including " in prepopulated html fields, while allowing the input of raw strings that match html entity names?

+2  A: 

Let's say you have the string "&quot;Hello World&quot;" and you want to place it into an HTML text input. To do this, you'll need to escape all the HTML entities. It would look like this:

<input type="text" value="&quot;&amp;quot;Hello World&amp;quot;&quot;" />

When submitted, the server-side will get the string "&quot;Hello World&quot;"

pygorex1
+1  A: 

If you type "abc" into a textbox, it will be submitted to the server as %22abc%22 (but whatever language/framework you're using should transparently decode it back to "abc").

If you want to pre-populate a textbox with "abc" then you'd use &quot;abc&quot; for the value attribute. This will also be submitted to the server as %22abc%22.

If you type &quot;abc&quot; into a textbox, it will be submitted to the server as %26quot%3Babc%26quot%3B (but whatever language/framework you're using should transparently decode it back to &quot;abc&quot;).

If you want to pre-populate a textbox with &quot;abc&quot; then you'd use &amp;quot;abc&amp;quot; for the value attribute. This will also be submitted to the server as %26quot%3Babc%26quot%3B.

LukeH
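
The round trip both answers describe, as an added example that is not code from either answer: a raw string is escaped into the value attribute, decoded by the browser into the field, form-encoded on submit, and URL-decoded by the server. The function names, the field name `q`, and `decodeAttr` (a simplified stand-in for the browser's attribute parsing) are assumptions made for the illustration.

```javascript
// Added example: names below are illustrative, not from the original answers.

// Escape a raw string for use inside a double-quoted HTML attribute value.
// "&" is replaced first, otherwise the "&" of "&quot;" would be escaped again.
function escapeAttr(raw) {
  return raw
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Stand-in for the browser's attribute parser, limited to the entities
// escapeAttr emits. Single pass: "&amp;quot;" decodes to "&quot;" and stops.
function decodeAttr(attr) {
  const table = { amp: "&", quot: '"', lt: "<", gt: ">" };
  return attr.replace(/&(amp|quot|lt|gt);/g, (_, name) => table[name]);
}

// What the browser puts on the wire for a field named "q"
// (application/x-www-form-urlencoded).
function submit(fieldValue) {
  return new URLSearchParams({ q: fieldValue }).toString();
}

// Server-side view: the framework URL-decodes once and does no HTML decoding.
function serverReceives(body) {
  return new URLSearchParams(body).get("q");
}

// Full trip: raw string -> value attribute -> field content -> wire -> server.
function roundTrip(raw) {
  const attr = escapeAttr(raw);
  const field = decodeAttr(attr);
  const wire = submit(field);
  return { attr, field, wire, server: serverReceives(wire) };
}

// Constructed sample inputs: a literal quote and a literal entity name.
for (const raw of ['"abc"', "&quot;abc&quot;"]) {
  console.log(raw, roundTrip(raw));
}
```

The two inputs produce different attribute values and different request bodies, so the server can tell them apart as long as it does not HTML-decode what it receives.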