HTML: <textarea>-Tag: How to correctly escape HTML and JavaScript content displayed in there?

Question

I have a HTML Tag <textarea>$FOO</textarea> and the $FOO Variable will be filled with arbitrary HTML and JavaScript Content, to be displayed and edited within the textarea. What kind of "escaping" do I neet to apply to $FOO?

I first tought of escaping it HTML but this didnt work (as I will then get shown not the original HTML Code of $FOO but rather the escaped content. This is of course not what I want: I want to be displayed the unescaped HTML/JS Content of the variable...

Is it impossible to display HTML Content within a <textarea> tag and also allow it to be editable as full HTML?

thanks jens

Answer 1

You need to replace the special character of HTML with character references (either numerical character references or entity references), in textarea, at least &, < and >.

Answer 2

I first tought of escaping it HTML

Yes, that's right. The contents of a <textarea> are no different from the contents of any other element like a <span> or a <p>: if you want to put some text inside you must HTML-escape any < or & characters in it to < and & respectively.

Browsers do tend to give you more leeway with fault markup in <textarea>​s, in that the fallback for invalid unescaped < symbols is to render them as text instead of tags, but that doesn't make it any less wrong or dangerous (for XSS).

but this didnt work

Please post what you did that didn't work. HTML-escaping is definitely the right thing.