Jasinski Technical Wiki

Apostrophes - Correct Usage in HyperLinks

Page Revision: Thu, Oct 22, 2009, 10:53 AM


Best Practices

When HTML or JavaScript is generated in code, care must be taken in the usage of apostrophes.

HREF Attributes

  • Ideally, HREF attributes should not contain an apostrophe, as this can trigger an XSS-prevention error when the link is clicked: "Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags." When this happens, the web site's configuration needs to be changed to handle such URLs.

  • If you have control over the HREF values (e.g., when they refer to uploaded files), the ideal approach is either to remove the apostrophes before uploading or to replace them with another character (e.g., ASCII 146).

  • Where the HREF attribute of an <A> tag may contain an apostrophe, enclose the HREF value in double quotes rather than single quotes. For example:

 ACCEPTABLE:     <A HREF="http://www.google.com">Google</A>
 NOT ACCEPTABLE: <A HREF='http://www.google.com'>Google</A>

  • All HREF attribute values should be encoded via Server.UrlEncode().

JavaScript String Literals

  • Where JavaScript is included in an HREF attribute (e.g., href="javascript:alert('Hello, world');"), all JavaScript string literals should be delimited with double quotes, not single quotes. For example:

 ACCEPTABLE:     alert("Hello world");
 NOT ACCEPTABLE: alert('Hello world');

  • For proper JavaScript syntax, any single quote inside a single-quoted JavaScript string literal should be escaped with a backslash. For example:

 ACCEPTABLE:     alert('We\'re number one!');
 NOT ACCEPTABLE: alert('We're number one!');
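As an added example (not code from the wiki page), the JavaScript below applies both rule sets above when generating links in code: it URL-encodes an uploaded file name for the HREF, always emits a double-quoted HREF, and backslash-escapes apostrophes inside a single-quoted JavaScript literal. The helper names are hypothetical, not an ASP.NET or browser API.

```javascript
// Added example, not code from the wiki page: building hyperlinks whose
// target contains an apostrophe, following the page's rules. All names
// here are hypothetical helpers, not an ASP.NET or browser API.

// Percent-encode one path segment of a file URL. encodeURIComponent() leaves
// the apostrophe unencoded, so it is converted to %27 explicitly; a URL that
// carries %27 instead of a raw apostrophe avoids the quoting problem entirely.
function encodePathSegment(segment) {
  return encodeURIComponent(segment).replace(/'/g, "%27");
}

// Encode a value for a double-quoted HTML attribute. The apostrophe is left
// alone because every attribute below is double-quoted (the page's rule);
// the characters that could end the attribute or inject markup are encoded.
function encodeHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Escape a value for a single-quoted JavaScript string literal: backslashes
// first, then the apostrophe (the page's "We\'re" case), line breaks, and
// "</" so an inline <script> block cannot be closed early by the data.
function escapeJsSingleQuoted(value) {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/<\//g, "<\\/");
}

// Link to an uploaded file: the file name goes through URL encoding for the
// HREF and through the same HTML encoding for the visible link text.
function buildFileLink(baseUrl, fileName) {
  const url = baseUrl + "/" + encodePathSegment(fileName);
  return '<A HREF="' + encodeHtmlAttribute(url) + '">' + encodeHtmlAttribute(fileName) + "</A>";
}

// javascript: link whose alert() message is a single-quoted literal, so the
// message is JS-escaped first and the whole HREF is attribute-encoded second.
function buildAlertLink(message, text) {
  const href = "javascript:alert('" + escapeJsSingleQuoted(message) + "');";
  return '<A HREF="' + encodeHtmlAttribute(href) + '">' + encodeHtmlAttribute(text) + "</A>";
}
```

The order matters: escaping for the innermost context (the JavaScript literal) happens first, and encoding for the outer context (the HTML attribute) happens last.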

ScrewTurn Wiki version 3.0.1.400. Some of the icons created by FamFamFam. Except where noted, all contents Copyright © 1999-2024, Patrick Jasinski.