Sindre Joa Sømme

Reputation: 13

Unable to validate html due to missing quotation for = string

I am getting this error "Error: = in an unquoted attribute value. Probable causes: Attributes running together or a URL query string in an unquoted attribute value." when I try to validate my document.

This is my code:

print("<a href=" . $_SERVER["PHP_SELF"] . '?id=' . $student->hentId() . ">" . $student->hentNavn() . "</a><br/>\n");

The HTML output looks like this:

<a href=/StudentDatabase/StudentRegister.php?id=1>Petter Andersen</a><br/>

How can I properly add quotation?

Upvotes: 0

Views: 413

Answers (2)

Raul R.

Reputation: 196

It is not safe to use $_SERVER["PHP_SELF"] directly in links. Depending on your code, the website could be vulnerable to XSS, and unwanted JavaScript could end up injected just by visiting page/url/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo%22. The same goes for the student id or student name: if these records are not sanitized, the HTML could end up broken or be vulnerable to XSS.

It is recommended to use the functions rawurlencode, urlencode and htmlspecialchars to sanitize the generated link.

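<?php
// Encode each path segment separately so the "/" separators survive;
// rawurlencode() on the whole path would turn them into %2F.
$path = implode("/", array_map("rawurlencode", explode("/", $_SERVER["PHP_SELF"])));
$url = $path . "?id=" . urlencode($student->hentId());
?>

<a href="<?php echo htmlspecialchars($url); ?>">
<?php echo htmlspecialchars($student->hentNavn()); ?>
</a>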

Upvotes: 1
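An added example, not part of the answer above or the asker's code: it puts the question's unquoted link builder next to a quoted, escaped one and runs both over the same inputs, so the difference in the emitted HTML is visible. The function names `unsafeLink` and `safeLink` and all sample inputs are constructed for illustration.

```php
<?php
// Unquoted, unescaped builder, equivalent to the question's print() line.
function unsafeLink(string $self, string $id, string $name): string
{
    return "<a href=" . $self . "?id=" . $id . ">" . $name . "</a><br/>\n";
}

// Quoted builder that escapes each value for the context it lands in:
//  - path segments: rawurlencode (the "/" separators are kept as-is)
//  - query value:   urlencode
//  - attribute value and link text: htmlspecialchars
function safeLink(string $self, string $id, string $name): string
{
    $path = implode('/', array_map('rawurlencode', explode('/', $self)));
    $url  = $path . '?id=' . urlencode($id);

    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . "</a><br/>\n";
}

// Constructed sample inputs (not taken from a real request).
$cases = [
    // Normal request, matching the question's output.
    ['/StudentDatabase/StudentRegister.php', '1', 'Petter Andersen'],
    // Assumed decoded PHP_SELF for the extra path quoted in the answer above.
    ['/StudentDatabase/StudentRegister.php/"><script>alert(\'xss\')</script><foo"', '1', 'Petter Andersen'],
    // Stored name that contains markup characters.
    ['/StudentDatabase/StudentRegister.php', '2', 'Ola <b>Nordmann</b> & Co'],
];

foreach ($cases as [$self, $id, $name]) {
    echo 'unsafe: ', unsafeLink($self, $id, $name);
    $safe = safeLink($self, $id, $name);
    echo 'safe:   ', $safe;

    // Strip the one expected <a href="..."> opener and the closing tags;
    // whatever is left is the link text and must contain no raw <, > or ".
    $text = preg_replace('~^<a href="[^"<>]*">|</a><br/>\n$~', '', $safe);
    if (strpbrk($text, '<>"') !== false) {
        throw new RuntimeException('unescaped markup in link text');
    }
}
```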

Kenny Hammerlund

Reputation: 506

Add quotes by escaping them with \

Do you want the id=1 to be in the URL? My guess is that is the attribute it thinks is missing quotes.

print("<a href=\"" . $_SERVER["PHP_SELF"] . '?id=' . $student->hentId() . "\">" . $student->hentNavn() . "</a><br/>\n");

Upvotes: 0
