I tried below code for checking whether backslashes in HTML attribute value makes the character next to it escape:
<button id="b1" onclick="$('body').append('<button onclick=alert(\'something\');>')">test</button>
Here, if backslash works, then when we click over #b1 , a new button should have appended to and when we click over that new button, a new alert should have popped up. But it didn't. This means backslash escape won't work in HTML attributes. Is it correct? Then how do I escape things ?
When I tried opening that webpage with view-source: prefix, I saw code like below one:
<!DOCTYPE html>
<html lang="en">
<head>
<title>
Hi there!
</title>
<meta name="viewport" content="width=device-width">
<script src="jQuery.js"></script>
<style>
.red{color: red;}
</style>
</head>
<body>
<button id="b1" onclick="$('body').append('<button onclick=alert(+AFw'something+AFw');>test</button>')">
test
</button>
<script src="question.js"></script>
</body>
</html>
Here, backslashes are replaced to +AFW. Is it wrong ?
Also, if I try changing the onclick attribute value to doIt(); and add below code into question.js file, it works perfectly:
function doIt(){
alert("<button onclick=\"alert('hi');\"> ");
}
But as the question says, we have to find out why backslash escape not working in HTML attribute values. Also, I wants to define what will happen when button clicked, right in the attribute.
Thanks in advance for giving informations.....
