What's the best practice to set an HTML attribute via PHP?

Solution 1:

You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:

<span title="<?php echo htmlspecialchars($variable); ?>">

You probably want to set the second parameter ($quote_style) to ENT_QUOTES.

The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.

Solution 2:

Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure the (double) quote is correctly changed.

Pay attention to the second parameter of that function.
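The following script is an added example, not code from either answer above. It illustrates both points the two answers make: the second parameter of htmlspecialchars() (ENT_COMPAT versus ENT_QUOTES) decides whether a single quote is encoded, and the fourth parameter ($double_encode) decides whether an already-encoded value is encoded a second time. The helper name attr() and the sample strings are my own constructions.

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for use inside a quoted HTML attribute (hypothetical helper).
 * ENT_QUOTES encodes both " and ' so the value is safe in single- and
 * double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string; the charset is stated explicitly so the encoder
 * never has to guess it.
 */
function attr(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', $doubleEncode);
}

// Constructed sample inputs: one that tries to close a double-quoted attribute,
// one that tries to close a single-quoted attribute, and one that already
// contains an entity.
$samples = [
    'closing double quote' => '" onmouseover="alert(1)',
    'closing single quote' => "' onmouseover='alert(1)",
    'already encoded'      => 'Fish &amp; Chips',
];

foreach ($samples as $label => $raw) {
    echo "-- {$label} --\n";

    // ENT_COMPAT (the pre-8.1 default) encodes " but leaves ' untouched, so a
    // single-quoted attribute can still be broken out of.
    printf("ENT_COMPAT : <span title='%s'>\n", htmlspecialchars($raw, ENT_COMPAT, 'UTF-8'));

    // ENT_QUOTES encodes both quote characters; the value stays inside the attribute.
    printf("ENT_QUOTES : <span title='%s'>\n", attr($raw));

    // $double_encode = false leaves an existing, well-formed entity such as &amp;
    // alone instead of turning it into &amp;amp;. A bare & that is not part of a
    // valid entity is still encoded.
    printf("no dbl enc : <span title=\"%s\">\n", attr($raw, false));
}
```

Two caveats worth keeping in mind when using this: escaping only protects a value that sits inside a quoted attribute, so always write title="<?= attr($v) ?>" rather than an unquoted title=<?= attr($v) ?>; and htmlspecialchars() is the right tool for plain text attributes only, not for URL attributes (href, src) or inline event handlers, which need their own context-specific validation.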