jl6

Reputation: 6394

Must I escape strings before I set them as the value of a textarea?

In the following scenario:

var evil_string = "...";
$('#mytextarea').val(evil_string);

Do I have to escape an untrusted string before using it as the value of a textarea element?

I understand that I will have to handle the string with care if I want to do anything with it later on, but is the act of putting the string in a textarea without escaping inherently dangerous?

I have done some basic testing and the usual special characters &'"< seem to be successfully added to the textarea without interpretation.

Upvotes: 1

Views: 175

Answers (2)

Oleg V. Volkov

Reputation: 22421

No, you don't need to do that. When you assign directly to a property of a DOM element (which is what jQuery's .val does under the hood), the data is interpreted verbatim. You only need to quote text with methods that explicitly treat input as HTML, i.e. outer/innerHTML and the like.

Upvotes: 2

Wet Noodles

Reputation: 805

Putting unescaped strings as values of textboxes or textareas is fine. You only need to worry about it when you are putting strings in your HTML that could potentially be interpreted as other HTML. Generally speaking, this means you should escape the strings when the text could be a child of some HTML DOM Element. This could be done on the server (as lolka_bolka suggested), or on the client before adding the potentially dangerous string to the DOM.

Upvotes: 0
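The distinction both answers draw, as an added example that is not code from either answerer: a DOM property sink (what .val does) stores the string verbatim, while a markup sink (innerHTML, or a textarea built as a string on the server) runs it through the HTML parser and therefore needs escaping. The element id mytextarea comes from the question; the sample string is constructed here.

```javascript
// Escape the characters that matter when a string is spliced into HTML
// markup, whether as text content or inside a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// DOM property sink: the string is assigned, not parsed, so nothing in it
// can become markup. This is the path jQuery's .val(str) takes.
function setTextareaValue(textarea, untrusted) {
  textarea.value = untrusted;
  return textarea.value; // identical to the input, including &'"<
}

// HTML markup sink: if the textarea is built as a string (e.g. in a server
// template) and the payload is inserted raw, a "</textarea>" inside it closes
// the element and everything after it is parsed as live markup. Escaping
// turns that closing tag into inert text.
function textareaMarkup(untrusted) {
  return '<textarea id="mytextarea">' + escapeHtml(untrusted) + '</textarea>';
}

// Constructed sample: contains a closing tag plus the characters the
// question tested by hand (&'"<).
const EVIL_STRING = '</textarea><b>not text</b>&\'"<';

// In a browser this shows the raw characters in the textarea, uninterpreted.
if (typeof document !== 'undefined') {
  const ta = document.getElementById('mytextarea');
  if (ta) setTextareaValue(ta, EVIL_STRING);
}
```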
