沉冰浮水

沉冰浮水

做最终到的事,成为最终成为的人!
github
bilibili
mastodon
zhihu
douban
Home作品集Archives

"Water hole" textarea outputs HTML escape issues

#GesF-Force#折腾#备忘#HTML159
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This article discusses the issue of escaping HTML entities when using the <input> and <textarea> tags to display editable content. It is recommended to use the htmlspecialchars function to escape the entities to prevent potential security issues. The article provides examples of both escaped and unescaped text in a <textarea> tag and recommends using the escaped version to avoid potential JavaScript execution. The article also includes a link to a resource on HTML character entities.

title: "Escaping HTML Output in 'textarea' Tag"
date: 2021-06-30 15:25:45
tags:

  • GesF-Force
  • Experiment
  • Memo
  • HTML
    categories:
  • Computer Networking
    id: 3121
    alias: 20210630871

Usually, when displaying editable content in <input type="text" /> or <textarea></textarea>, the HTML entities within them are escaped.

<input type="text" value="<?php echo htmlspecialchars($strText); ?>" />

<textarea><?php echo htmlspecialchars($strLongText); ?></textarea>

For the former, since it is output as an attribute value, it must be escaped.

As for the latter, using the code below as an example, both text boxes can be correctly rendered by the browser. However, in the case of not escaping, if <script>alert("aaaa");</script> is inserted before </textarea>, the JS code will be executed.

Therefore, it is recommended to use the escaping method.

<!-- Not escaped -->
<textarea name="text1" id="text1" cols="35" rows="10">
  <b>3333</b>
  ---
  <script>alert("aaaa");</script>
</textarea>
<!-- Escaping method -->
<textarea name="text2" id="text2" cols="35" rows="10">
  &lt;b&gt3333&lt;/b&gt
  ---
  &lt;script&gt;alert(&quot;aaa&quot;);&lt;/script&gt;
</textarea>

HTML character entities:

https://www.w3school.com.cn/html/html_entities.asp

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.