Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
how to prevent xss in textarea tag?
Posted by: joel
Date: April 11, 2012 10:01PM

I have google for this topic, but I can't found any solution.

http://ha.ckers.org/blog/20070617/another-google-xss-in-google-documents/

in this blog, RSnake Says:
June 18th, 2007 at 3:03 pm
<comment> <!ā€“ ā€“> within iframe tags, noscript tags, and Iā€™m sure there are several others.

I am not understand how to do.

If I filter the <,>,'," use htmlspecialchars() in PHP, the content output in the html would be:
<textarea>
&lt;
&gt;
&quot;
&#39;
</textarea>

But if do not filter these, there would be XSS, such as:
<textarea> ---system generate
</textarea> ---user input
<img src="javascript:alert('XSS')" ---user input
<textarea> ---user input

</textarea> ---system generate

Even if I filter the </textarea> tag, </tex</textarea>tarea> will bypass it.



Edited 1 time(s). Last edit at 04/11/2012 10:02PM by joel.

Options: ReplyQuote
Re: how to prevent xss in textarea tag?
Posted by: Gareth Heyes
Date: April 17, 2012 09:36AM

The textarea should be generated with by encoding the contents with < and &lt; and > to &gt; the values passed when the form is submitted is their literal value not the encoded one, so it's perfectly fine to encode them in the textarea. I don't get your point about "the system" generating textareas they should be outside user input and should not be encoded each time.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote


Sorry, only registered users may post in this forum.