Reply to Re: Hidden field value displaying when the text contains double quotes

Posted by Jukka K. Korpela on 03/29/07 16:12

Scripsit DennBen:

> Hey guys, thanks for the input. I did try switching single quotes with
> double quotes for kicks - it didn't work, but had it worked it
> wouldn't have solved my solution anyway because the users of the site
> actually create that variable, I'm just passing the values to a second
> screen and the users have the ability to use single quotes as well as
> double quotes.
> I really want to understand why and how using double quotes in a
> variable string can cause a hidden field to display!

It sounds like you are very confused, and others can't see the situation
clearly either. But apparently you have something (invisible to us)
server-side that gets user input and turns it into hidden fields, _without_
checking for quotation marks in input.

Naturally, before putting anything into the attribute value of an HTML
attribute, you must check whether it contains an ampersand or a quotation
mark and turn such characters into entity or character references.

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/
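
The check described in the reply above, as an added example that is not part of the original post: a hidden field built with and without escaping, then read back with a parser to see what value survives. The server-side language is not shown in the thread, so Python is an assumption here, as are the function names, the field name `note`, and the sample input.

```python
from html import escape
from html.parser import HTMLParser


def hidden_field_naive(name, value):
    # Flawed pattern: user text pasted straight into the attribute value.
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def hidden_field_escaped(name, value):
    # escape(..., quote=True) turns & < > " ' into character references,
    # so the text cannot end the attribute, whichever quote delimits it.
    return '<input type="hidden" name="%s" value="%s">' % (
        escape(name, quote=True), escape(value, quote=True))


class InputCollector(HTMLParser):
    """Records the attributes of every <input> start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def parse_inputs(markup):
    """Return one attribute dict per <input>, as an HTML parser reads it."""
    collector = InputCollector()
    collector.feed(markup)
    collector.close()
    return collector.inputs


# Constructed sample: user text containing both quote styles and an ampersand.
SAMPLE = 'Tom\'s note: "hello" & bye'

if __name__ == "__main__":
    for build in (hidden_field_naive, hidden_field_escaped):
        markup = build("note", SAMPLE)
        print(build.__name__)
        print("  markup:", markup)
        print("  parsed:", parse_inputs(markup))
```

In the naive form the first double quote in the input closes the attribute, so the field carries only the text before it and the remainder is read as stray attributes; the escaped form returns the user's text unchanged.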


