Put quote into a value attribute html [duplicate]

Question

This question already has answers here:

How do I properly escape quotes inside HTML attributes? (6 answers)

Closed 7 years ago.

Given a form input field for example <input type="text" value="xxxxx" name="something"> Given a string let's say Hello I said "Your my friend" isn't that nice?

How do I safely enter the given string as the value where 'xxxxx' is in the input tag above?

Doing a straight substitution would cause this: <input type="text" value="Hello I said "Your my friend" isn't that nice?"> As you can see the end result is not coherent. The value is now Hello I said there is a bunch of improper text, than another string, not good.

How do you safely enter strings of unknown or potentially unsafe characters into these kinds of HTML attributes?

Answer 1

Use HTML entities

<input type="text" value="Hello I said &quot;Your my friend&quot; isn't that nice?">

Answer 2

There are couple solutions and you can choose the one you like:

Hack: 1. You can simply use the ' character for the outer quotes and safely use the " character for the text inside. <input type="text" value='this "should work"' name="something">

Proper way: 2. Encode the character according to HTML character references HERE

"<input type="text" value="this &quot;should work&quot;" name="something"> or <input type="text" value="this &#34;should work&#34;" name="something">