The HTML 'id' has historically only allowed [A-Za-z0-9-_:.], and the string must start with [A-Za-z] and not be empty. In other words, a '/', a space, accented chars, etc. are not valid for an id attribute. For HTML5 the only requirement is that it can't be empty and can't contain a space.
Any code that uses a var for the HTML4 id should sanitize it first...
Maybe something like:
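$idAttrib = preg_replace('/[^A-Za-z0-9_:.-]/', '_', $id); // replace every character that is not valid in an HTML4 id
$idAttrib = $idAttrib !== '' ? $idAttrib : (string)rand(1,32767); // create a random ID if it's currently empty
$idAttrib = preg_match('/^[A-Za-z]/', $idAttrib) ? $idAttrib : 'A' . $idAttrib; // an HTML4 id must start with a letter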
For HTML5 just make sure that it's not empty and replace any spaces with an underscore. So something as simple as:
$idAttrib = str_replace(' ', '_', $id);
$idAttrib = $idAttrib !== '' ? $idAttrib : 'A' . (string)rand(1,32767); // create a random ID if it's currently empty
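Both rule sets as reusable functions, given here as an added example that is not part of the original answer. The function names are hypothetical. It goes one step beyond the answer in two places: the HTML5 variant replaces every ASCII whitespace character rather than only the space, and the value is HTML-escaped on output, because an id that is valid under the HTML5 rules can still contain quotes, `<` and `&`.

```php
<?php
// Added example; html4_id(), html5_id() and id_attr() are hypothetical names.

/** Return an id valid under the HTML4 rules: [A-Za-z][A-Za-z0-9-_:.]* */
function html4_id(string $id): string
{
    // Replace every character outside the allowed set. The "-" is placed
    // last in the class so it is a literal hyphen, not a range.
    $clean = preg_replace('/[^A-Za-z0-9_:.-]/', '_', $id);
    if ($clean === '') {
        return 'A' . random_int(1, 32767);   // empty input: generate an id
    }
    // The first character must be a letter.
    return preg_match('/^[A-Za-z]/', $clean) ? $clean : 'A' . $clean;
}

/** Return an id valid under the HTML5 rules: non-empty, no whitespace. */
function html5_id(string $id): string
{
    // Covers space, tab, LF, FF and CR, not only the plain space.
    $clean = preg_replace('/[ \t\n\f\r]/', '_', $id);
    return $clean !== '' ? $clean : 'A' . random_int(1, 32767);
}

/** Build the attribute. Escaping is what keeps the value inside the quotes. */
function id_attr(string $id, bool $html5 = true): string
{
    $value = $html5 ? html5_id($id) : html4_id($id);
    return 'id="' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

// Constructed sample inputs.
$samples = ['main/menu item', '9lives', 'café', '', 'a"b<c&d'];
foreach ($samples as $s) {
    printf("%-20s html4: %-22s html5: %s\n",
        var_export($s, true), id_attr($s, false), id_attr($s));
}
```

Two different inputs can sanitize to the same id (for example `a/b` and `a b` under the HTML4 rules), so code that needs unique ids per page still has to check for duplicates.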