Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Are single-quotes allowed in the spec?

There is an explicit call out for "double quote == bad", but single quotes are also valid property delimeters in HTML.



If your property string is enclosed in a double quote, then a single quote in the payload is fine. (Otherwise, a lot of inline JS in onclick etc. attributes would break. JS allows both types of quotes on string literals for exactly this reason.)

Still, single quotes are somewhat asking for trouble.


Base-122 encoded strings may contain single quotes but not double quotes. The choice between the two was arbitrary.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: