Reputation: 67254
Hmm. Instead of "defanging" input or using some kind of regex to remove tags, how safe is it to dump user stuff into a <textarea>?
For example, say there's a PHP page that does the following:
<?php
// User input is echoed straight into the page with no encoding.
echo '<textarea>';
echo $_GET['whuh_you_say'];
echo '</textarea>';
Normally this is vulnerable to XSS attacks, but in the textarea, all script tags will just show up as <script> and they won't be executed.
Is this unsafe?
Upvotes: 3
Views: 6261
Reputation: 17101
This talks about an XSS hole found in textareas in Google Documents (I think the post is a little old - so Google have probably secured it by now), but it demonstrates how textareas can be used as an attack vector.
ha.ckers.org discussing google docs textarea exploit
Upvotes: 0
Reputation: 180023
If your users aren't supposed to be using any HTML tags whatsoever (which, if you're proposing this textarea solution, is the case), just run it through htmlspecialchars() or htmlentities() and be done with it. Guaranteed safety.
Upvotes: 2
Reputation: 1942
Good enough for the basics:
// Encode the two characters that can open or close a tag as HTML entities.
$sanitized = str_replace("<", "&lt;", $_GET['whuh_you_say']);
$sanitized = str_replace(">", "&gt;", $sanitized);
Upvotes: -2
Reputation: 268384
</textarea>
<script type="text/javascript">
alert("this safe...");
/* load malicious c0dez! */
</script>
<textarea>
Upvotes: 16
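A runnable illustration of the breakout shown in this answer and of the htmlspecialchars() fix proposed earlier in the thread, as an added example that is not from the original posts. It uses the Python standard library instead of PHP, with html.escape standing in for htmlspecialchars(); the payload string is constructed for the demonstration.

```python
from html import escape

# Constructed payload of the same shape as the accepted answer's: it closes the
# textarea the page opened, injects a script element, then reopens a textarea
# so the page's own closing tag still matches something.
BREAKOUT = '</textarea><script>alert("this safe...")</script><textarea>'


def render_raw(user_text: str) -> str:
    """The question's PHP page transliterated: input is echoed verbatim
    between <textarea> tags with no encoding (the vulnerable version)."""
    return "<textarea>" + user_text + "</textarea>"


def render_escaped(user_text: str) -> str:
    """Same page with the htmlspecialchars() fix. html.escape turns < > & " '
    into entities, so nothing the user sends can close the element."""
    return "<textarea>" + escape(user_text, quote=True) + "</textarea>"


def textarea_contained(page: str) -> bool:
    """True when the only <textarea> and </textarea> in the page are the ones
    the template wrote, i.e. all user text landed inside the element as inert
    text. Tag names are matched case-insensitively, as browsers do."""
    lower = page.lower()
    return lower.count("<textarea") == 1 and lower.count("</textarea") == 1


if __name__ == "__main__":
    print(render_raw(BREAKOUT))      # breakout: script lands outside the element
    print(render_escaped(BREAKOUT))  # escaped: stays inside as literal text
```

Plain text without angle brackets (the case the question has in mind) passes the check either way; only the escaped rendering survives the breakout payload.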