You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:

    <span title="<?php echo htmlspecialchars($variable); ?>">

You probably want to set the second parameter ($quote_style) to ENT_QUOTES.

The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.
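As an added example (not part of the answer above), the script below shows what the second parameter (named $flags in current PHP, $quote_style in older documentation) and $double_encode change for attribute output. The attr() helper and the sample strings are constructed for this illustration; only htmlspecialchars and its documented flags are real PHP.

```php
<?php
// Added example, not code from the original answer.
// Demonstrates htmlspecialchars() flags for values placed in HTML attributes.

// Encode a value for use inside a double- or single-quoted HTML attribute.
// ENT_QUOTES    - encode both " and ' (the default flags only cover " on
//                 PHP < 8.1, so a single-quoted attribute could be escaped).
// ENT_SUBSTITUTE - replace invalid UTF-8 with U+FFFD instead of returning "".
// $doubleEncode - true (default) re-encodes an existing "&amp;" to "&amp;amp;";
//                 false leaves valid entities in the input untouched.
function attr(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
        'UTF-8',
        $doubleEncode
    );
}

// Constructed sample inputs (hypothetical, for illustration only).
$samples = [
    'plain text',
    'it\'s "quoted" <b>&</b>',        // quotes plus markup characters
    'Tom &amp; Jerry &lt;3',          // input that is already entity-encoded
    "' onmouseover='alert(1)",        // tries to break out of a single-quoted attribute
    "bad utf8: \xC3\x28",             // invalid UTF-8 sequence
];

foreach ($samples as $s) {
    printf("input:               %s\n", $s);
    // Output of this line depends on the PHP version's default flags.
    printf("default flags:       %s\n", htmlspecialchars($s));
    printf("ENT_QUOTES:          %s\n", attr($s));
    printf("double_encode=false: %s\n", attr($s, false));
    echo "\n";
}

// Rendering into attributes: with ENT_QUOTES the value stays inside the
// quotes whichever quote style the template uses.
$variable = "' onmouseover='alert(1)";
echo '<span title="' . attr($variable) . '">double-quoted</span>' . "\n";
echo "<span title='" . attr($variable) . "'>single-quoted</span>\n";
```

Two practitioner notes: ENT_SUBSTITUTE matters because without it htmlspecialchars returns an empty string for invalid UTF-8, which silently blanks the attribute; and passing $double_encode = false is safe for markup only because valid entities render as text, so it does nothing to protect a value that was never encoded in the first place.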