I've always used single quotes when writing my HTML by hand. I work with a lot of rendered HTML which always uses double quotes. This allows me to determine if the HTML was written by hand or generated. Is this a good idea?
What is the difference between the two? I know they both work and are supported by all modern browsers but is there a real difference where one is actually better than the other in different situations?
The w3 org said:
By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa. Authors may also use numeric character references to represent double quotes (") and single quotes ('). For double quotes authors can also use the character entity reference ".
So... seems to be no difference. Only depends on your style.
I use " as a top-tier and ' as a second tier, as I imagine most people do. For example
Click Me!
In that example, you must use both, it is unavoidable.
Quoting Conventions for Web Developers
The Short Answer
In HTML the use of single quotes (') and double quotes (") are interchangeable, there is no difference.
But consistency is recommended, therefore we must pick a syntax convention and use it regularly.
The Long Answer
Web Development often consists of many programming languages. HTML, JS, CSS, PHP, ASP, RoR, Python, etc. Because of this we have many syntax conventions for different programming languages. Often habits from one language will follow us to other languages, even if it is not considered "proper" i.e. commenting conventions. Quoting conventions also falls into this category for me.
But I tend to use HTML tightly in conjunction with PHP. And in PHP there is a major difference between single quotes and double quotes. In PHP with double quotes "you can insert variables directly within the text of the string". (scriptingok.com) And when using single quotes "the text appears as it is". (scriptingok.com)
PHP takes longer to process double quoted strings. Since the PHP parser has to read the whole string in advance to detect any variable inside—and concatenate it—it takes longer to process than a single quoted string. (scriptingok.com)
Single quotes are easier on the server. Since PHP does not need to read the whole string in advance, the server can work faster and happier. (scriptingok.com)
Other things to consider
Frequency of double quotes within string. I find that I need to use double quotes (") within my strings more often than I need to use single quotes (') within strings. To reduce the number of character escapes needed I favor single quote delimiters.
It's easier to make a single quote. This is fairly self explanatory but to clarify, why press the SHIFT key more times than you have to.
My Convention
With this understanding of PHP I have set the convention (for myself and the rest of my company) that strings are to be represented as single quotes by default for server optimization. Double quotes are used within the string if a quotes are required such as JavaScript within an attribute, for example:
<button onClick='func("param");'>Press Me</button>
Of course if we are in PHP and want the parser to handle PHP variables within the string we should intentionally use double quotes. $a='Awesome'; $b = "Not $a";
Sources
Single quotes vs Double quotes in PHP. (n.d.). Retrieved November 26, 2014, from http://www.scriptingok.com/tutorial/Single-quotes-vs-double-quotes-in-PHP
If it's all the same, perhaps using single-quotes is better since it doesn't require holding down the shift key. Fewer keystrokes == less chance of repetitive strain injury.
Actually, the best way is the way Google recommends. Double quotes:
https://google.github.io/styleguide/htmlcssguide.xml?showone=HTML_Quotation_Marks#HTML_Quotation_Marks
See https://google.github.io/styleguide/htmlcssguide.xml?showone=HTML_Validity#HTML_Validity
Quoted Advice from Google: "Using valid HTML is a measurable baseline quality attribute that contributes to learning about technical requirements and constraints, and that ensures proper HTML usage."
In HTML I don't believe it matters whether you use " or ', but it should be used consistently throughout the document.
My own usage prefers that attributes/html use ", whereas all javascript uses ' instead.
This makes it slightly easier, for me, to read and check. If your use makes more sense for you than mine would, there's no need for change. But, to me, your code would feel messy. It's personal is all.
Using double quotes for HTML
i.e.
<div class="colorFont"></div>
Using single quotes for JavaScript
i.e.
$('#container').addClass('colorFont');
$('<div class="colorFont2></div>');
I know LOTS of people wouldn't agree, but this is what I do and I really enjoy such a coding style: I actually don't use any quote in HTML unless it is absolutely necessary.
Example:
<form method=post action=#>
<fieldset>
<legend>Register here: </legend>
<label for=account>Account: </label>
<input id=account type=text name=account required><br>
<label for=password>Password: </label>
<input id=password type=password name=password required><br>
...
Double quotes are used only when there are spaces in the attribute values or whatever:
<form class="val1 val2 val3" method=post action=#>
...
</form>
I had an issue with Bootstrap where I had to use double quotes as single quotes didn't work.
class='row-fluid' made the last <span> fall below the other <span>s, rather than sitting nicely beside them on the far right. class="row-fluid" worked.
It makes no difference to the html but if you are generating html dynamically with another programming language then one way may be easier than another.
For example in Java the double quote is used to indicate the start and end of a String, so if you want to include a doublequote within the String you have to escape it with a backslash.
String s = "a Link"
You don't have such a problem with the single quote, therefore use of the single quote makes for more readable code in Java.
String s = "<a href='link'>a Link</a>"
Especially if you have to write html elements with many attributes.(Note I usually use a library such as jhtml to write html in Java, but not always practical to do so)
if you are writing asp.net then occasionally you have to use double quotes in Eval statements and single quotes for delimiting the values - this is mainly so that the C# inline code knows its using a string in the eval container rather than a character. Personally I'd only use one or the other as a standard and not mix them, it looks messy thats all.
Using " instead of ' when:
<input value="user"/> //Standard html
<input value="user's choice"/> //Need to use single quote
<input onclick="alert('hi')"/> //When giving string as parameter for javascript function
Using ' instead of " when:
<input value='"User"'/> //Need to use double quote
var html = "<input name='username'/>" //When assigning html content to a javascript variable
I'm newbie here but I use single quote mark only when I use double quote mark inside the first one. If I'm not clear I show You example:
<p align="center" title='One quote mark at the beginning so now I can
"cite".'> ... </p>
I hope I helped.
Lots of great insightful replies here! More than enough for anyone to make a clear and personal decision.
I would simply like to point out one thing that's always mattered to me.
And take this with a grain of salt!
Double quotes apply to strings that have more than a single phase such as "one two" rather than single quotes for 'one' or 'two'. This can be traced as far back as C and C++.
(reference here or do your own online search).
And that's truly the difference.
With this principle (this different), parsing became possible such as "{{'a','b'},{'x','y'}} or "/[^\r\n]*[\r\n]" (which needed to be space independent because it's expressional) or more famously for HTML specific title = "Hello HTML!" or style = "font-family:arial; color:#FF0000;"
The funny thing here is that HTML (coming from XML itself) commonly adopted double quotes due to expressional features even if it is a single character (e.g. number) or single phase string.
As NibblyPig pointed out quite well and straightforward:
" as a top-tier and ' as a second tier since "'a string here'" is valid and expected by W3 standards (which is for the web) and will most likely never change.
And for consistency, double quotes is wisely used, but only fully correct by preference.
In PHP using double quotes causes a slight decrease in performance because variable names are evaluated, so in practice, I always use single quotes when writing code:
echo "This will print you the value of $this_variable!";
echo 'This will literally say $this_variable with no evaluation.';
So you can write this instead;
echo 'This will show ' . $this_variable . '!';
I believe Javascript functions similarly, so a very tiny improvement in performance, if that matters to you.
Additionally, if you look all the way down to HTML spec 2.0, all the tags listed here;
W3 HTML DTD Reference
(Use doublequotes.) Consistency is important no matter which you tend to use more often.
Double quotes are used for strings (i.e., "this is a string") and single quotes are used for a character (i.e., 'a', 'b' or 'c'). Depending on the programming language and context, you can get away with using double quotes for a character but not single quotes for a string.
HTML doesn't care about which one you use. However, if you're writing HTML inside a PHP script, you should stick with double quotes as you will need to escape them (i.e., \"whatever\") to avoid confusing yourself and PHP.
Related
For my output HTML file, I have to produce a div element with an id attribute, but the value of the attribute shouldn't stand in quotes, just like in this example: <div id=myID>...</div>. Everything what I want to have, works perfectly when I use quotes, like here: <div class="myClass" id="{$myIdVariable}">...</div>. Is it possible to tell Oxygen or Saxon to ignore such cases? But at the end I'm using the java javax.xml.transform package, where I'm not aware of, if I can tell my classes I use to ignore things like that. I would be very glad, if someone has a good solution for this problem, or even could tell me, that this is not possible by using XSLT...
I believe your title should read without quotes, "", not without parenthesis, ().
No, XSLT is not going to help you create XML that's not well-formed. (You could stand on your head and output text rather than XML to achieve such a effect, but don't do that.) Attribute values must have single, ', or double quote, ", delimiters for the markup to be XML. Even the HTML output option is not going to serialize attribute values without quote delimiters.
In comments, #Ole asks:
In principle you are right, but I thought that in HTML5, also attributes without quotes are allowed?
Yes, in HTML5, unquoted attribute values are allowed, but you'll be better off using the single-quoted and double-quoted attribute value syntaxes that are also supported in HTML5, especially if you want to be able to leverage XML tools.
I am having trouble understanding how escaping works inside html tag attribute values that are javascript.
I was lead to believe that you should always escape & ' " < > . So for javascript as an attribute value I tried:
It doesn't work. However:
and
does work in all browsers!
Now I am totally confused. If all my attribute values are enclosed in double quotes, does this mean I do not have to escape single quotes? Or is apos and ascii 39 technically different characters? Such that javascript requires ascii 39, but not apos?
There are two types of “escapes” involved here, HTML and JavaScript. When interpreting an HTML document, the HTML escapes are parsed first.
As far as HTML is considered, the rules within an attribute value are the same as elsewhere plus one additional rule:
The less-than character < should be escaped. Usually < is used for this. Technically, depending on HTML version, escaping is not always required, but it has always been good practice.
The ampersand & should be escaped. Usually & is used for this. This, too, is not always obligatory, but it is simpler to do it always than to learn and remember when it is required.
The character that is used as delimiters around the attribute value must be escaped inside it. If you use the Ascii quotation mark " as delimiter, it is customary to escape its occurrences using " whereas for the Ascii apostrophe, the entity reference ' is defined in some HTML versions only, so it it safest to use the numeric reference ' (or ').
You can escape > (or any other data character) if you like, but it is never needed.
On the JavaScript side, there are some escape mechanisms (with \) in string literals. But these are a different issue, and not relevant in your case.
In your example, on a browser that conforms to current specifications, the JavaScript interpreter sees exactly the same code alert('Hello');. The browser has “unescaped” ' or ' to '. I was somewhat surprised to hear that ' is not universally supported these days, but it’s not an issue: there is seldom any need to escape the Ascii apostrophe in HTML (escaping is only needed within attribute values and only if you use the Ascii apostrophe as its delimiter), and when there is, you can use the ' reference.
' is not a valid HTML reference entity. You should escape using '
I know the spec allows both ' and " as delimiters for attribute values, and I also know it's a good practice to always quote.
However I consider " being the cleaner way, maybe it's just me having grown up with C and C++' syntax.
What is the cleanest way of quoting attribute values and why? Please no subjective answers.
Both are fine, but Double quotes are better (IMHO) as you reduce the risk of dynamic values causing errors. e.g.
<input value='${lastName}'/>
<input value='O'Graddy'/>
^^^^^^^
vs.
<input value="${lastName}"/>
<input value="O'Graddy"/>
There’s a lot of rules to remember if you want to omit quotes around attribute values. It’s probably easiest to just use quotes consistently; it avoids all kinds of problems.
If you’re interested, I did some research on unquoted attribute values in HTML, CSS and JavaScript a while ago, and wrote about it here: http://mathiasbynens.be/notes/unquoted-attribute-values
I’ve also created a tool that will tell you if a value you enter is a valid unquoted attribute value or not: http://mothereffingunquotedattributes.com/#foo%7Cbar
Either is good, as long as you use it. " is more popular.
Say we have a form where the user types in various info. We validate the info, and find that something is wrong. A field is missing, invalid email, et cetera.
When displaying the form to the user again I of course don't want him to have to type in everything again so I want to populate the input fields. Is it safe to do this without sanitization? If not, what is the minimum sanitization that should be done first?
And to clearify: It would of course be sanitized before being for example added to a database or displayed elsewhere on the site.
No it isn't. The user might be directed to the form from a third party site, or simply enter data (innocently) that would break the HTML.
Convert any character with special meaning to its HTML entity.
i.e. & to &, < to <, > to > and " to " (assuming you delimit your attribute values using " and not '.
In Perl use HTML::Entities, in TT use the html filter, in PHP use htmlspecialchars. Otherwise look for something similar in the language you are using.
It is not safe, because, if someone can force the user to submit specific data to your form, you will output it and it will be "executed" by the browser. For instance, if the user is forced to submit '/><meta http-equiv="refresh" content="0;http://verybadsite.org" />, as a result an unwanted redirection will occur.
You cannot insert user-provided data into an HTML document without encoding it first. Your goal is to ensure that the structure of the document cannot be changed and that the data is always treated as data-values and never as HTML markup or Javascript code. Attacks against this mechanism are commonly known as "cross-site scripting", or simply "XSS".
If inserting into an HTML attribute value, then you must ensure that the string cannot cause the attribute value to end prematurely. You must also,of course, ensure that the tag itself cannot be ended. You can acheive this by HTML-encoding any chars that are not guaranteed to be safe.
If you write HTML so that the value of the tag's attribute appears inside a pair of double-quote or single-quote characters then you only need to ensure that you html-encode the quote character you chose to use. If you are not correctly quoting your attributes as described above, then you need to worry about many more characters including whitespace, symbols, punctuation and other ascii control chars. Although, to be honest, its arguably safest to encode these non-alphanumeric chars anyway.
Remember that an HTML attribute value may appear in 3 different syntactical contexts:
Double-quoted attribute value
<input type="text" value="**insert-here**" />
You only need to encode the double quote character to a suitable HTML-safe value such as "
Single-quoted attribute value
<input type='text' value='**insert-here**' />
You only need to encode the single quote character to a suitable HTML-safe value such as
Unquoted attribute value
<input type='text' value=**insert-here** />
You shouldn't ever have an html tag attribute value without quotes, but sometimes this is out of your control. In this case, we really need to worry about whitespace, punctuation and other control characters, as these will break us out of the attribute value.
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and | (and more). [para lifted from OWASP]
Please remember that the above rules only apply to control injection when inserting into an HTML attribute value. Within other areas of the page, other rules apply.
Please see the XSS prevention cheat sheet at OWASP for more information
Yes, it's safe, provided of course that you encode the value properly.
A value that is placed inside an attribute in an HTML needs to be HTML encoded. The server side platform that you are using should have methods for this. In ASP.NET for example there is a Server.HtmlEncode method, and the TextBox control will automatically HTML encode the value that you put in the Text property.
Seemingly simple, but I cannot find anything relevant on the web.
What is the correct HTML code for an apostrophe? Is it ’?
If you are looking for straight apostrophe ' (U+00027), it is
' or ' (latest is HTLM 5 only)
If you are looking for the curly apostrophe ’ (U+02019), then yes, it is
’ or ’
As of to know which one to use, there are great answers in the Graphic Design community: What’s the right character for an apostrophe?.
A List Apart has a nice reference on characters and typography in HTML. According to that article, the correct HTML entity for the apostrophe is ’. Example use: ’ .
It's '.
As noted by msanders, this is actually XML and XHTML but not defined in HTML4, so I guess use the ' in that case. I stand corrected.
A standard-compliant, easy-to-remember set of html quotes, starting with the right single-quote which is normally used as an apostrophe:
right single-quote — ’ — ’
left single-quote — ‘ — ‘
right double-quote — ” — ”
left double-quote — “ — “
Depends on which apostrophe you are talking about: there’s ', ‘, ’ and probably numerous other ones, depending on the context and the language you’re intending to write. And with a declared character encoding of e.g. UTF-8 you can also write them directly into your HTML: ', ‘, ’.
Firstly, it would appear that ' should be avoided -
The curse of '
Secondly, if there is ever any chance that you're going to generate markup to be returned via AJAX calls, you should avoid the entity names (As not all of the HTML entities are valid in XML) and use the &#XXXX; syntax instead.
Failure to do so may result in the markup being considered as invalid XML.
The entity that is most likely to be affected by this is , which should be replaced by
Here is a great reference for HTML Ascii codes:
http://www.ascii.cl/htmlcodes.htm
The code you are looking for is: '
Note that ' IS defined in HTML5, so for modern websites, I would advise using ' as it is much more readable than '
Check: http://www.w3.org/TR/html5/syntax.html#named-character-references
Even though ' reads nicer than ' and it's a shame not to use it, as a fail-safe, use '.
' is a valid HTML 5 entity, however it is not a valid HTML 4 entity.
Unless <!DOCTYPE html> is at the top of your HTML document, use '
Sorry if this offends anyone, but there is a reasonable article on Ted Clancy's blog that argues against the Unicode committee's recommendation to use ’ (RIGHT SINGLE QUOTATION MARK) and proposes using U+02BC (MODIFIER LETTER APOSTROPHE) (aka ʼ or ʼ) instead.
In a nutshell, the article argues that:
A punctuation mark (such as a quotation mark) normally separates words and phrases, while the sides of a contraction really can't be separated and still make sense.
Using a modifier allows one to select a contraction with the regular expression \w+
It's easier to parse quotes embedded in text if there aren't quotation marks also appearing in contractions
' in decimal.
%27 in hex.
Although the ' entity may be supported in HTML5, it looks like a typewriter apostrophe. It looks nothing like a real curly apostrophe—which looks identical to an ending quotation mark: ’.
Just look when I write them after each other:
1: right single quotation mark entity, 2: apostrophe entity: ’ '.
I tried to find a proper entity or alt command specifically for a normal looking apostrophe (which again, looks ‘identical’ to a closing right single quotation mark), but I haven’t found one. I always need to insert a right single quotation mark in order to get the visually correct apostrophe.
If you use just ’ (ALT + 0146) or autoformat typewriter apostrophes and quotation marks as curly in a word processor like Word 2013, do use <meta charset="UTF-8">.
I've found FileFormat.info's Unicode Character Search to be most helpful in finding exact character codes.
Entering simply ' (the character to the left of the return key on my US Mac keyboard) into their search yields several results of various curls and languages.
I would presume the original question was asking for the typographically correct U+02BC ʼ, rather than the typewriter fascimile U+0027 '.
The W3C recommends hex codes for HTML entities (see below). For U+02BC that would be ʼ, rather than ' for U+0027.
http://www.w3.org/International/questions/qa-escapes
Using character escapes in markup and CSS
Hex vs. decimal. Typically when the Unicode Standard refers to or lists characters it does so using a hexadecimal value. … Given the prevalence of this convention, it is often useful, though not required, to use hexadecimal numeric values in escapes rather than decimal values…
http://www.w3.org/TR/html4/charset.html
5 HTML Document Representation … 5.4 Undisplayable characters
…If missing characters are presented using their numeric representation, use the hexadecimal (not decimal) form, since this is the form used in character set standards.
Just a one more link with a nicely maintained collection Html Entities (archived), and its current (2023-01-22) status Named Character References.
As far as I know it is ' but it seems yours works as well
See http://w3schools.com/tags/ref_ascii.asp
Use ' for a straight apostrophe. This tends to be more readable than the numeric ' (if others are ever likely to read the HTML directly).
Edit: msanders points out that ' isn't valid HTML4, which I didn't know, so follow most other answers and use '.
You can try ' as seen in http://unicodinator.com/#0027