
Pre Filled Values in an Input Tag

Quotes in Value Messing up Input


itledi

11:12 pm on Jan 15, 2008 (gmt 0)


How can I have a pre-filled in value in an input tag, if the value contains quotes?

Escaping them doesn't seem to work.

<input type="text" value="<a href=\"http://www.site.tld/\">Billy's Site</a>" />

Any ideas? Thanks.

encyclo

11:29 pm on Jan 15, 2008 (gmt 0)


Try using HTML entity references:

<input type="text" value="&lt;a href=&quot;http://www.site.tld/&quot;&gt;Billy&#8217;s Site&lt;/a&gt;" />

Also, IIRC the contents of an input should not be parsed, so you could also try using single quotes (but you will still have to use an entity reference for the apostrophe):

<input type='text' value='<a href="http://www.site.tld/">Billy&#8217;s Site</a>' />
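As an added example (not code from the thread), here is the entity-encoding encyclo describes done with Python's standard library, plus a parse-back check in which html.parser stands in for the browser's tokenizer: the entity-encoded value comes back as the original string whichever quote style wraps the attribute, while the backslash-escaped version from the original post does not, because backslashes mean nothing to an HTML parser. The `text_input` helper and the `site` field name are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample from the thread: a value containing both kinds of quote.
RAW_VALUE = '<a href="http://www.site.tld/">Billy\'s Site</a>'

# The original post's attempt. The backslashes are literal characters to an
# HTML parser, so the second " closes the value attribute early.
BACKSLASH_ATTEMPT = (
    '<input type="text" value="<a href=\\"http://www.site.tld/\\">Billy\'s Site</a>" />'
)


def attr_escape(value):
    """Encode a string for use inside a quoted attribute value.

    html.escape(quote=True) rewrites & < > " and ' as entity references, so the
    result can neither close the surrounding quotes nor start a new tag.
    """
    return html.escape(value, quote=True)


def text_input(name, value, quote='"'):
    """Build a pre-filled <input> (helper and field name assumed for this example).

    Either quote character works, because attr_escape encodes both of them.
    """
    if quote not in ('"', "'"):
        raise ValueError("quote must be ' or \"")
    return (
        f'<input type="text" name={quote}{attr_escape(name)}{quote} '
        f'value={quote}{attr_escape(value)}{quote} />'
    )


class _FirstInput(HTMLParser):
    """Record the attributes of the first <input> seen, as a browser's tokenizer would."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            # html.parser has already decoded entity references in the values here.
            self.attrs = dict(attrs)


def parsed_value(markup):
    """Return the value attribute a parser recovers from the markup (None if absent)."""
    parser = _FirstInput()
    parser.feed(markup)
    parser.close()
    return (parser.attrs or {}).get("value")


if __name__ == "__main__":
    for quote in ('"', "'"):
        markup = text_input("site", RAW_VALUE, quote)
        print(markup)
        print("round-trips:", parsed_value(markup) == RAW_VALUE)
    print("backslash attempt yields:", repr(parsed_value(BACKSLASH_ATTEMPT)))
```

The parse-back step is the check worth keeping around: if the value a parser recovers is not byte-for-byte the value you meant to pre-fill, the encoding is wrong for that context, and an attacker-controlled value would be able to break out of the attribute in the same place the backslash attempt does.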

itledi

11:35 pm on Jan 15, 2008 (gmt 0)


I can't believe I didn't think of that! Thanks, it makes so much sense.

May I ask what IIRC is? I couldn't find anything in a web search.

I've been curious to know when one would use single quotes over double quotes. When would I know when to use one over the other? I thought it was just a matter of preference. Does the IIRC mention a standard, and would it be the same for PHP code as well?

Thanks

encyclo

11:54 pm on Jan 15, 2008 (gmt 0)


IIRC = If I Remember Correctly ;)

As for single-quotes versus double-quotes in HTML, both are valid and you can use them as required (the above situation is a good example). In PHP, I believe there is a slight difference between the two, but in general it is the same situation as with HTML.

coopster

2:24 am on Jan 16, 2008 (gmt 0)


PHP will parse string [php.net] variables in double quotes, but not single quotes. In perl we call it interpolation.

rocknbil

4:09 pm on Jan 16, 2008 (gmt 0)


A little more info relevant to this issue.

I'm presuming you are allowing the HTML to be entered because at some point it needs to come back out as HTML for display.

While you can store &lt;a href=&quot;http://www.site.tld/&quot;&gt;Billy&#8217;s Site&lt;/a&gt;

in a database it's not very helpful if someone does a search for

Billy's

So your options are a complex select that adds &#8217; every time it sees a ' in a search - multiplied by every time you need to use an entity - or you substitute them when they go in the database and replace them when they come out for editing.

Additionally, when first adding HTML into a form, it's not very user friendly to ask users to use entities instead of HTML.

I've found this kind of problem can be solved, for the most part, by a) setting your HTML coding to a standard of double quotes only, and b) substituting the entities &lt;, &gt;, and &quot; out for regular carets and quotes prior to storing the data. That is, when you initially enter the text,

<input type="text" value="<a href="wysiwyg.html">wysiwyg</a>">

is fine. Go ahead and store it that way, but make sure entities are subb'ed out before you store it.

Now when you go to edit, the quotes and carets need to be subb'ed with entities,

<input type="text" value="&lt;a href=&quot;wysiwyg.html&quot;&gt;wysiwyg&lt;/a&gt;">

Which will appear as normally formed HTML when it's displayed in a form field. If it's not edited in any way, now you're submitting entities for storage - snap those into regular html:

$value =~ s/&lt\;/\</g;
(etc.)

This way everything stored in your database is directly displayable.

A last warning here is to allow ONLY non-harmful HTML. Always remember Selena Sol's mantra (paraphrased):

Every user input is a potential hack.

The best approach is to not "guess" what you DON'T want - just allow what you consider acceptable. I do this by maintaining a list of HTML elements that are allowed in the input - if an element like <script> is found (since it's not in my list), the entire snippet is removed.
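Added example, not rocknbil's code: a Python version of the allow-only policy described in the post, built on html.parser so that it sees the same tokens a browser would, together with the entity-encoding step for putting stored HTML back into an edit field. Two things go beyond what the post spells out and are worth having on any such list: attribute values arrive from the parser already entity-decoded, so an encoded scheme such as javascript&#58; is caught the same as a plain one; and an `<a>` element is on almost every allowlist, so its href needs a scheme check, since a javascript: URL there runs script as surely as a <script> element does. The tag and attribute lists, the `safe_href` check, the `store` and `edit_field` helpers and the sample snippets are all constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (assumed for this example). Anything not named here rejects the
# whole snippet, as the post describes, rather than being stripped out.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other allowed tag: no attributes
ALLOWED_SCHEMES = {"http", "https"}      # relative URLs (no scheme) are also fine


def safe_href(value):
    """Accept http(s) and relative URLs; reject javascript:, data:, vbscript: and the rest."""
    if value is None:
        return False
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class _AllowlistChecker(HTMLParser):
    """Walk the markup as a browser tokenizer would and record every violation.

    html.parser decodes entity references in attribute values before calling
    handle_starttag, so javascript&#58;alert(1) is seen as javascript:alert(1).
    """

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"element <{tag}> is not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.problems.append(f"attribute {name!r} on <{tag}> is not allowed")
            elif name == "href" and not safe_href(value):
                self.problems.append(f"href {value!r} uses a disallowed scheme")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"element </{tag}> is not allowed")

    # Comments, declarations, CDATA and processing instructions are not elements;
    # they are rejected outright rather than guessed at.
    def handle_comment(self, data):
        self.problems.append("comments are not allowed")

    def handle_decl(self, decl):
        self.problems.append("declarations are not allowed")

    def unknown_decl(self, data):
        self.problems.append("declarations are not allowed")

    def handle_pi(self, data):
        self.problems.append("processing instructions are not allowed")


def check_snippet(snippet):
    """Return the list of violations; an empty list means the snippet may be stored as-is."""
    checker = _AllowlistChecker()
    checker.feed(snippet)
    checker.close()
    return checker.problems


def store(snippet):
    """Keep the raw HTML only if it passes the allowlist; otherwise drop the whole snippet."""
    return snippet if not check_snippet(snippet) else ""


def edit_field(stored):
    """Put stored HTML back into a form field by entity-encoding it for the attribute.

    The browser decodes the entities when it fills the field and submits the
    decoded text, so what comes back is the same raw HTML that was stored.
    """
    return f'<input type="text" name="snippet" value="{html.escape(stored, quote=True)}" />'


# Constructed sample snippets.
GOOD = '<a href="http://www.site.tld/">Billy\'s Site</a>'
RELATIVE = '<a href="wysiwyg.html">wysiwyg</a>'
SCRIPT = '<b>hi</b><script>alert(1)</script>'
HANDLER = '<b onmouseover="alert(1)">hi</b>'
JS_HREF = '<a href="javascript:alert(1)">click</a>'
ENCODED_JS = '<a href="javascript&#58;alert(1)">click</a>'

if __name__ == "__main__":
    for snippet in (GOOD, RELATIVE, SCRIPT, HANDLER, JS_HREF, ENCODED_JS):
        print(repr(snippet), "->", check_snippet(snippet) or "accepted")
    print(edit_field(store(GOOD)))
```

Rejecting the entire snippet, as the post does, is deliberately simpler than trying to strip the bad parts: a stripping filter has to reason about what the remaining fragments re-form into, whereas a reject-all policy only has to recognise one disallowed token.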