Reputation: 1727
I know that some characters are not allowed in the value attribute of a form's input. For instance, if I enclose this attribute in single quotes, I cannot safely use single quotes in it. Are there any other characters that I can't use in this attribute?
Upvotes: 1
Views: 3056
Reputation: 403
Some other characters such as ', ", and & should be escaped.
The character with the code value "0" will lead to problems when used in a value field, as it will if used anywhere inside an HTML document. There may be other control characters with problems (such as Ctrl-Z), but I don't know.
Upvotes: 2
Reputation: 540
A user can write any value in the browser's input, and JS will auto-escape quotes too when you put an unsafe string in the value of an input. But if you print the value using PHP like this:
<input type='text' value='<?php echo $_POST['someField']; ?>' name='someField'>
You will have an XSS security exception (if you pass '>alert('some'); into the input and submit it, you will get a JS alert).
You can use the PHP function
htmlspecialchars($_POST['someField'], ENT_QUOTES)
Upvotes: 0
Reputation: 943193
Except where otherwise specified, attributes on HTML elements may have any string value, including the empty string. Except where explicitly stated, there is no restriction on what text can be specified in such attributes.
The value content attribute gives the default value of the input element. When the value content attribute is added, set, or removed, if the control's dirty value flag is false, the user agent must set the value of the element to the value of the value content attribute, if there is one, or the empty string otherwise, and then run the current value sanitization algorithm, if one is defined.
So there are no restrictions but the value might get altered by the value sanitization algorithm.
For instance, if I enclose this attribute in single quotes, I cannot safely use single quotes in it.
You can. You just can't use literal single quotes. You have to use character references.
Upvotes: 3
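Putting the PHP answer's escaping and the last answer's character references together, here is an added JavaScript example (not code from any of the answers) that mirrors htmlspecialchars with ENT_QUOTES for the single-quoted value attribute shown in the PHP answer. The tag template, the attribute-intact check and the small decoder are my own constructions for the demonstration.

```javascript
// Added example: escape a value for a quoted HTML attribute the way
// htmlspecialchars($s, ENT_QUOTES) does, then show that the raw version
// breaks out of the attribute while the escaped version does not.
const ATTR_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#039;", // htmlspecialchars emits &#039; for a single quote
};

function escapeAttr(value) {
  // Drop NUL, which has no valid place anywhere in an HTML document (the
  // second answer's point), then turn the five characters that can end or
  // alter a quoted attribute into character references.
  return String(value)
    .replace(/\0/g, "")
    .replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Same single-quoted template as the vulnerable PHP line, raw and escaped.
function renderInputRaw(value) {
  return `<input type='text' value='${value}' name='someField'>`;
}
function renderInputSafe(value) {
  return `<input type='text' value='${escapeAttr(value)}' name='someField'>`;
}

// Constructed check: does the rendered tag still match the template with a
// single quoted value attribute? A raw single quote in the value makes the
// attribute end early and the rest of the payload becomes markup.
function attributeIntact(html) {
  return /^<input type='text' value='([^']*)' name='someField'>$/.test(html);
}

// Minimal decoder for the five references above (a browser decodes many
// more); it shows the original text, quotes included, is fully recoverable.
function decodeAttr(text) {
  const back = Object.fromEntries(
    Object.entries(ATTR_ESCAPES).map(([c, r]) => [r, c]),
  );
  return text.replace(/&(?:amp|lt|gt|quot|#039);/g, (r) => back[r]);
}

// Constructed sample: the payload from the PHP answer.
const PAYLOAD = "'>alert('some');";
console.log(renderInputRaw(PAYLOAD), attributeIntact(renderInputRaw(PAYLOAD)));
console.log(renderInputSafe(PAYLOAD), attributeIntact(renderInputSafe(PAYLOAD)));
```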