I have an HTML tag <textarea>$FOO</textarea>, and the $FOO variable will be filled with arbitrary HTML and JavaScript content, to be displayed and edited within the textarea. What kind of "escaping" do I need to apply to $FOO?
I first thought of HTML-escaping it, but this didn't work (as I will then be shown not the original HTML code of $FOO but rather the escaped content). This is of course not what I want: I want the unescaped HTML/JS content of the variable to be displayed…
Is it impossible to display HTML content within a <textarea> tag and also allow it to be editable as full HTML?
thanks
jens
Yes, that's right. The contents of a <textarea> are no different from the contents of any other element like a <span> or a <p>: if you want to put some text inside, you must HTML-escape any < or & characters in it to &lt; and &amp; respectively.

Browsers do tend to give you more leeway with faulty markup in <textarea>s, in that the fallback for invalid unescaped < symbols is to render them as text instead of tags, but that doesn't make it any less wrong or dangerous (for XSS).

Please post what you did that didn't work. HTML-escaping is definitely the right thing.
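As an added example (not code from the thread or from either poster), here is the escaping the answer describes, in JavaScript, beside the unescaped variant and a check showing why the unescaped one is an XSS hole: a value containing </textarea> closes the element early and whatever follows is parsed as real markup. The helper names (escapeHtml, decodeEntities, renderTextarea, renderTextareaUnescaped, breaksOutOfTextarea) and the hostile sample value are constructed for this illustration; the round trip through decodeEntities stands in for what the browser's HTML parser does when it builds the textarea's text, which is why the user sees and edits the original source, not the entities.

```javascript
// Added example, not from the original thread.
// Minimal HTML escaping for text placed between <textarea> and </textarea>.
// Strictly only & and < must be escaped in element content, but escaping
// > and both quote characters as well costs nothing and makes the same helper
// safe for attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse mapping: what the HTML parser does to the textarea's contents.
// Because escapeHtml encodes every & first, decoding exactly these five
// entities always yields the original string.
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, entity]) => [entity, ch])
);

function decodeEntities(text) {
  return text.replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) => HTML_UNESCAPES[entity]);
}

// Correct rendering: $FOO is HTML-escaped. The browser decodes the entities
// when it builds the DOM, so the textarea shows the unescaped HTML/JS source.
function renderTextarea(name, value) {
  return `<textarea name="${escapeHtml(name)}">${escapeHtml(value)}</textarea>`;
}

// Vulnerable rendering, for contrast: $FOO interpolated verbatim.
function renderTextareaUnescaped(name, value) {
  return `<textarea name="${name}">${value}</textarea>`;
}

// Constructed hostile input: closes the textarea early, then injects script.
const HOSTILE_FOO =
  '<b>hi</b></textarea><script>alert(document.cookie)</script>';

// A textarea's contents end at the first </textarea> the parser sees. If the
// rendered markup contains more than one, $FOO terminated the element and the
// rest of the value is parsed as live markup.
function breaksOutOfTextarea(markup) {
  return (markup.match(/<\/textarea>/gi) || []).length > 1;
}

// Stand-alone demonstration.
console.log('unescaped breaks out:', breaksOutOfTextarea(renderTextareaUnescaped('doc', HOSTILE_FOO)));
console.log('escaped breaks out:  ', breaksOutOfTextarea(renderTextarea('doc', HOSTILE_FOO)));
console.log('what the user sees:  ', decodeEntities(escapeHtml(HOSTILE_FOO)));
```

The key point for the original question: the escaping belongs in the page source, not in what the user sees. If escaped text showed up in the textarea, the value was escaped twice (for example once by the template engine and once by hand), so the fix is to escape exactly once, not to drop the escaping.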