You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:

您总是希望对 HTML 属性中的内容进行 HTML 编码，您可以使用以下方法htmlspecialchars：

<span title="<?php echo htmlspecialchars($variable); ?>">

You probably want to set the second parameter ($quote_style) to ENT_QUOTES.

您可能希望将第二个参数 ( $quote_style) 设置为ENT_QUOTES。

The only potential risk is that $variablemay already be encoded, so you maywant to set the last parameter ($double_encode) to false.

唯一的潜在风险是它$variable可能已经被编码，因此您可能需要将最后一个参数 ( $double_encode) 设置为false。

Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure (double) quote is correctly changed.

好吧，在将任何文本输出到 HTML 之前，您应该使用htmlspecialchars()对其进行转义。所以只需确保（双）引号正确更改。

Pay attention to the second parameter of that function.

注意该函数的第二个参数。

To address your edit [Edit:that you have removed meanwhile]: When you place dynamically JavaScript onto your site, you should beforeknow quite well, what it would look like. Else you open the door widely for XSS attacks. That doesn't mean you have to know every quotation mark, but you should know enough to decide how to embed it at the line where you finally output it in the HTML file.

为了解决您的编辑[编辑：您已删除与此同时]：当您将动态的JavaScript到你的网站，你应该之前一清二楚，它会是什么样子。否则你就会为 XSS 攻击打开大门。这并不意味着您必须知道每个引号，但您应该知道如何将其嵌入到最终将其输出到 HTML 文件的行中。

Beyond that,

除此之外，

<a onclick="func(&apos;l&apos;)">

works exactly like

完全一样

<a onclick="func('l')">

The Bat tool has a StringTool::htmlAttributes ( $arrayOfAttributes ) method that does the job too.

Bat 工具有一个 StringTool::htmlAttributes ( $arrayOfAttributes ) 方法也可以完成这项工作。

https://github.com/lingtalfi/Bat/blob/master/StringTool.php

https://github.com/lingtalfi/Bat/blob/master/StringTool.php