Maluku - 2009-02-08

The problem is rather with the whole onclick handlers, the best solution would be a double escape of HTML and JS:

<span onclick="alert(&#39foo&amp;#39;bar&#39);">Test</span>

This becomes apparent when you have double quotes in your value:

onclick="alert('<TMPL_VAR NAME ESCAPE=JS>')"

This will become: (Name = Peter "PK" Miller)

onclick="alert('Peter \"PK\" Miller')", but the browser will only parse

onclick="alert('Peter \" and that won't work.

The best solution would be:

<TMPL_VAR ESCAPE=JS ESCAPE=HTML>, but the regex denies that.
(<TMPL_VAR ESCAPE=JSESCAPE=HTML> however works).
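
The truncation described in the comment above, reproduced as an added example (not code from the original comment or from HTML::Template). It uses Python's standard HTML parser to show what ends up in the onclick attribute with JS escaping alone versus JS escaping followed by HTML escaping; `js_escape` is an assumed approximation of ESCAPE=JS, and all function names are hypothetical.

```python
import html
from html.parser import HTMLParser

NAME = 'Peter "PK" Miller'  # sample value taken from the comment above


def js_escape(value):
    # Assumption: approximates ESCAPE=JS by backslash-escaping characters
    # that would break out of a JavaScript string literal.
    out = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return out.replace("\n", "\\n").replace("\r", "\\r")


def render(name, html_escape_too):
    # Build the inline handler the way the template would.
    js = js_escape(name)
    if html_escape_too:
        # Second layer: the JS-escaped text is placed in an HTML attribute,
        # so it must also be escaped for the attribute context.
        js = html.escape(js, quote=True)
    return "<span onclick=\"alert('" + js + "');\">Test</span>"


class OnclickGrabber(HTMLParser):
    """Records the decoded onclick value, i.e. what reaches the JS engine."""

    def __init__(self):
        super().__init__()
        self.onclick = None

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key == "onclick":
                self.onclick = value


def onclick_seen_by_parser(markup):
    parser = OnclickGrabber()
    parser.feed(markup)
    parser.close()
    return parser.onclick


if __name__ == "__main__":
    for both in (False, True):
        markup = render(NAME, both)
        print("markup :", markup)
        print("onclick:", onclick_seen_by_parser(markup))
```

The HTML parser ends a double-quoted attribute at the first `"` and knows nothing about JavaScript backslash escapes, which is why the JS-only variant is cut off.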