``htmlspecialchars`` can be used for escaping HTML attributes, *but*
only if the attribute value can be **guaranteed as being properly quoted**! To avoid confusion, we recommend always
using the HTML Attribute escaper method in the HTML Attribute context.
To escape data in the HTML Attribute context, use the ``escapeHtmlAttr`` method of ``Zend\Escaper\Escaper``. Internally it
will convert the data to UTF-8, check its validity, and escape an extended set of characters that ``htmlspecialchars``
leaves untouched, so that the output stays inside the attribute even where the attribute is unquoted or quoted
illegally. Note that passing ``ENT_QUOTES`` to ``htmlspecialchars`` only fixes the single-quote case: spaces, ``=`` and
the other characters that terminate an unquoted attribute value still pass through unchanged.


.. _zend.escaper.escaping-html-attributes.bad-examples:

Examples of Bad HTML Attribute Escaping
---------------------------------------

An example of incorrect HTML attribute escaping:

.. code-block:: php
    :linenos:

    <?php header('Content-Type: text/html; charset=UTF-8'); ?>
    <!DOCTYPE html>
    <?php
    // Attacker-controlled input (illustrative): the leading single quote closes
    // the quoted attribute and the remainder smuggles in an event handler.
    $input = "' onmouseover='alert(1)";
    // Equivalent to htmlspecialchars($input, ENT_COMPAT): single quotes pass through.
    $output = htmlspecialchars($input);
    ?>
    <html>
    <head>
        <title>Single Quoted Attribute</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <span title='<?php echo $output ?>'>
            What framework are you using?
        </span>
    </body>
    </html>

In the above example, the default ``ENT_COMPAT`` flag is being used, which does not escape single quotes. The attacker's
leading ``'`` therefore closes the ``title`` attribute and the rest of the input is parsed as a new ``onmouseover``
attribute, resulting in an alert box popping up when the ``onmouseover`` event happens on the ``span`` element.

Another example of incorrect HTML attribute escaping can happen when unquoted attributes are used, which is, by the
way, perfectly valid HTML5:

.. code-block:: php
    :linenos:

    <?php header('Content-Type: text/html; charset=UTF-8'); ?>
    <!DOCTYPE html>
    <?php
    // Attacker-controlled input (illustrative): it contains no quotes at all, so
    // htmlspecialchars() has nothing to encode; the first space ends the value.
    $input = 'faketitle onmouseover=alert(1)';
    $output = htmlspecialchars($input);
    ?>
    <html>
    <head>
        <title>Quoteless Attribute</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <span title=<?php echo $output ?>>
            What framework are you using?
        </span>
    </body>
    </html>

The above example shows how easy it is to break out of an unquoted attribute in HTML5: a single space ends the
``title`` value, and everything after it is parsed as a further attribute.


.. _zend.escaper.escaping-html-attributes.good-examples:

Examples of Good HTML Attribute Escaping
----------------------------------------

Both of the previous examples can be avoided by simply using the ``escapeHtmlAttr`` method:

.. code-block:: php
    :linenos:

    <?php header('Content-Type: text/html; charset=UTF-8'); ?>
    <!DOCTYPE html>
    <?php
    $input = 'faketitle onmouseover=alert(1)';
    $escaper = new Zend\Escaper\Escaper('utf-8');
    // Every character outside [A-Za-z0-9,.-_] is encoded, spaces and = included.
    $output = $escaper->escapeHtmlAttr($input);
    ?>
    <html>
    <head>
        <title>Quoteless Attribute</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <span title=<?php echo $output ?>>
            What framework are you using?
        </span>
    </body>
    </html>

In the above example, the malicious input from the attacker becomes harmless: ``escapeHtmlAttr`` encodes the space,
``=``, the parentheses and any quotes as hexadecimal entities (``&#x20;``, ``&#x3D;`` and so on), so the value contains
nothing that can terminate the attribute or start another one, whether the attribute is double-quoted, single-quoted
or unquoted. Keep in mind that attribute escaping protects the attribute *boundary* only; it does not make untrusted
data safe inside attributes whose values are themselves interpreted as a URL or as script (``href``, ``src``, ``on*``
handlers), which need URL or JavaScript escaping in addition.
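The following script is an added illustration and is not part of the Zend\Escaper manual or the library. It takes the
two attacker strings used in the bad examples above, runs each through ``htmlspecialchars`` with ``ENT_COMPAT``, with
``ENT_QUOTES``, and through ``escapeHtmlAttr``, and reports, purely at the string level and without a browser, whether
the escaped value can still break out of a double-quoted, single-quoted or unquoted ``title`` attribute. It assumes
Zend\Escaper is installed via Composer (``vendor/autoload.php``); when it is not, a minimal stand-in written for this
example is used, which is assumed to follow the same rule as the library (encode every character that is not
alphanumeric or one of ``, . - _``). The attacker inputs are constructed for the example.

```php
<?php
// Added example, not the Zend\Escaper manual's own code. Shows which escaping
// strategy contains an attacker string in each attribute-quoting style.
declare(strict_types=1);

// Assumption: Zend\Escaper is installed via Composer next to this script.
if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
}

// Stand-in for Escaper::escapeHtmlAttr(), used only when the library is absent.
// Assumed rule: everything outside [A-Za-z0-9,.-_] is encoded as an entity.
function referenceEscapeHtmlAttr(string $value): string
{
    $named = ['"' => '&quot;', '&' => '&amp;', '<' => '&lt;', '>' => '&gt;'];
    return preg_replace_callback('/[^A-Za-z0-9,.\-_]/u', function (array $m) use ($named): string {
        $chr = $m[0];
        if (isset($named[$chr])) {
            return $named[$chr];
        }
        $cp = mb_ord($chr, 'UTF-8');
        // Control characters are replaced with U+FFFD instead of being encoded.
        if (($cp <= 0x1F && !in_array($chr, ["\t", "\n", "\r"], true)) || ($cp >= 0x7F && $cp <= 0x9F)) {
            return '&#xFFFD;';
        }
        return sprintf($cp > 0xFF ? '&#x%04X;' : '&#x%02X;', $cp);
    }, $value);
}

function escapeAttr(string $value): string
{
    if (class_exists(\Zend\Escaper\Escaper::class)) {
        return (new \Zend\Escaper\Escaper('utf-8'))->escapeHtmlAttr($value);
    }
    return referenceEscapeHtmlAttr($value);
}

// True when the escaped value can terminate an attribute delimited by $quote
// ('' means unquoted). An unquoted value ends at whitespace, and HTML5 also
// forbids " ' = < > and ` inside it.
function breaksOut(string $escaped, string $quote): bool
{
    if ($quote === '') {
        return preg_match('/[\s"\'=<>`]/', $escaped) === 1;
    }
    return strpos($escaped, $quote) !== false;
}

// Constructed attacker inputs, matching the two bad examples in this section.
$payloads = [
    'single-quote breakout' => "' onmouseover='alert(1)",
    'unquoted breakout'     => 'faketitle onmouseover=alert(1)',
];

$strategies = [
    'htmlspecialchars ENT_COMPAT' => fn (string $s): string => htmlspecialchars($s, ENT_COMPAT, 'UTF-8'),
    'htmlspecialchars ENT_QUOTES' => fn (string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
    'escapeHtmlAttr'              => 'escapeAttr',
];

$contexts = ['"' => 'double-quoted', "'" => 'single-quoted', '' => 'unquoted'];

foreach ($payloads as $pname => $payload) {
    printf("Payload (%s): %s\n", $pname, $payload);
    foreach ($strategies as $sname => $escape) {
        $escaped = $escape($payload);
        printf("  %-27s -> %s\n", $sname, $escaped);
        foreach ($contexts as $quote => $cname) {
            printf("      %-14s %s\n", $cname, breaksOut($escaped, $quote) ? 'BREAKS OUT' : 'contained');
        }
    }
    echo "\n";
}
```

Run it with ``php attr-escaping.php``. ``ENT_COMPAT`` leaves the single-quote payload able to break out of the
single-quoted and unquoted contexts, ``ENT_QUOTES`` closes the single-quote hole but both payloads still break out of
the unquoted attribute (the space and ``=`` survive), and ``escapeHtmlAttr`` is reported as contained in all six cases
because its output consists only of alphanumerics and entities.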