HTML:Use quotes within quotes within quotes
To represent a "
character inside an HTML attribute delimited by "
characters, use the entity "
I'd recommend attaching event listeners using JavaScript rather then using intrinsic event attributes though. It simplifies things greatly.
Note however, that browsers will not execute JavaScript added to the document with innerHTML
. If you want to add a script programatically, the use createElement
/ appendChild
et al.
<body onload='document.body.innerHTML="<script>alert(\"hi\")</script>"'>
or
<body onload="document.body.innerHTML='<script>alert(\'hi\')</script>'">
It does work, but the script doesn't get executed because it is added after the browser parsed your code.
Note that if you wanted quotes within quotes within quotes within quotes you would have done: <body onload="document.body.innerHTML='<script>alert(\'\\\'hi\\\'\')</script>'" >
What is really impossible (i think) without "
is putting "
and '
in the alert.