Paid Advertising is
ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
how to prevent xss in textarea tag?
Posted by: joel
Date: April 11, 2012 10:01PM

I have google for this topic, but I can't found any solution.

in this blog, RSnake Says:
June 18th, 2007 at 3:03 pm
<comment> <!ā€“ ā€“> within iframe tags, noscript tags, and Iā€™m sure there are several others.

I am not understand how to do.

If I filter the <,>,'," use htmlspecialchars() in PHP, the content output in the html would be:

But if do not filter these, there would be XSS, such as:
<textarea> ---system generate
</textarea> ---user input
<img src="javascript:alert('XSS')" ---user input
<textarea> ---user input

</textarea> ---system generate

Even if I filter the </textarea> tag, </tex</textarea>tarea> will bypass it.

Edited 1 time(s). Last edit at 04/11/2012 10:02PM by joel.

Options: ReplyQuote
Re: how to prevent xss in textarea tag?
Posted by: Gareth Heyes
Date: April 17, 2012 09:36AM

The textarea should be generated with by encoding the contents with < and &lt; and > to &gt; the values passed when the form is submitted is their literal value not the encoded one, so it's perfectly fine to encode them in the textarea. I don't get your point about "the system" generating textareas they should be outside user input and should not be encoded each time.

"People who say it cannot be done should not interrupt those who are doing it.";
labs : []
blog : []
Hackvertor : []

Options: ReplyQuote

Sorry, only registered users may post in this forum.