I'm trying to render an escaped string into an HTML attribute (using Twitter Bootstrap to render a popover of the escaped code used to generate what the user is looking at):
Something like:
<a class="btn" href="#" data-content='<pre>$escaped_code</pre>' rel="popover" data-original-title="$title">some cool looking thing</a>
The problem is that the browser will parse and unescape the escaped code, potentially allowing for unpleasantness.
The answer, of course, is to manually escape it twice.
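
The double decoding described above, as an added example that is not part of the original post. The helper names (escapeHtml, decodeOnce, buildLink, popoverHtml) are hypothetical, decodeOnce is a simplified stand-in for the entity decoding the browser applies to an attribute value, and the popover is assumed to insert data-content as HTML:

```javascript
// Escape the characters that matter in HTML text and in quoted attributes.
// The single quote is included because data-content='...' is single-quoted.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// One pass of entity decoding, as the HTML parser does when it reads an
// attribute value. Each entity is decoded exactly once per call.
function decodeOnce(s) {
  const map = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };
  return s.replace(/&(?:lt|gt|quot|#39|amp);/g, (m) => map[m]);
}

// Build the link from the post, escaping the code `passes` times.
function buildLink(code, passes) {
  let escaped = code;
  for (let i = 0; i < passes; i++) escaped = escapeHtml(escaped);
  return '<a class="btn" href="#" data-content=\'<pre>' + escaped +
         '</pre>\' rel="popover">some cool looking thing</a>';
}

// What the popover receives: the attribute value after the parser's decode.
function popoverHtml(tag) {
  const m = /data-content='([^']*)'/.exec(tag);
  return m ? decodeOnce(m[1]) : null;
}

// Constructed sample input.
const code = "<script>alert(1)</script> & 'q'";

// Escaped once: the parser's decode restores the raw markup, so the
// popover would insert a live <script> element.
const once = popoverHtml(buildLink(code, 1));

// Escaped twice: one layer survives the parser's decode, so the popover
// inserts entities and the user sees the code as text.
const twice = popoverHtml(buildLink(code, 2));

console.log(once);
console.log(twice);
```
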