Full URL inside HTML attribute
Scenario: You want to insert a dynamic URL into an attribute that will understand the URL, such as a link or iframe.
Getting it right: First, ensure that the attribute is properly quoted. For more details, see the HTML attribute section.
Next, ensure that the URL is not something that needs to be restricted to a server you control, like an object tag for a flash file or a script tag.
So with that in mind, we apply our asURL function and an HTML escaper: