I save two versions of user input in the following sequence:
- Untrusted user enters raw markdown.
- Raw markdown is stored in one table.
- A copy of the raw markdown is converted into HTML.
- HTML is sanitized and persisted, and is displayed upon request.
- The raw markdown version is only displayed when users edit an entry; it’s loaded into a textarea of a form.
Is there any risk in loading raw markdown (which could potentially contain unsafe HTML) into a textarea? It would never be displayed outside of a textarea.
I can’t sanitize the markdown because it would result in inconsistencies between the markdown and HTML versions I’m saving.
FYI: I always sanitize SQL, regardless of what I’m saving to the DB.
It depends how you’re “loading” it into the `textarea`. If you’re doing it server-side through simple string concatenation, e.g. in php,…then there is absolutely a risk, because that markdown could very easily close out the `textarea` and embed whatever else it wants. If you’re using some sort of a component framework (e.g., ASP.NET), then you should be protected as long as you use a safe API method, such as `MyTextArea.Value = markdown;`.

If you’re doing it client-side, it also depends on how you’re doing this. You would be safe if you used something like jQuery’s `.val()` setter, but could still expose yourself to XSS vulnerabilities through other approaches.

In short, the general answer is yes, depending on how you’re actually creating and populating the `textarea`.
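The server-side case the answer describes, as an added example that is not part of the original question or answer: the same textarea template rendered once by raw string concatenation and once with the untrusted markdown HTML-escaped, plus a small check that the rendered fragment still contains only the one closing tag the template wrote. The function names, the `name="body"` attribute and the sample markdown are constructed for this illustration.

```javascript
// Added example (not from the original question or answer): rendering
// untrusted markdown into a <textarea> on the server, the unsafe
// concatenation way beside the escaped way.

// Minimal HTML escaping for text placed in an element body.
// `&` is replaced first so the entities written afterwards are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: plain string concatenation, the PHP-style case from the answer.
// Whatever the markdown contains is emitted verbatim into the document.
function renderTextareaUnsafe(markdown) {
  return '<textarea name="body">' + markdown + '</textarea>';
}

// Safe: identical template, but the untrusted text is escaped first.
// The browser treats textarea content as RCDATA and decodes the entities,
// so the field still shows the markdown exactly as the user typed it.
function renderTextareaSafe(markdown) {
  return '<textarea name="body">' + escapeHtml(markdown) + '</textarea>';
}

// Check a unit test or a code review can apply to the rendered fragment:
// exactly one closing tag should be present, the one the template wrote.
function textareaIsIntact(html) {
  return (html.match(/<\/textarea>/gi) || []).length === 1;
}

// Constructed sample: a markdown entry whose body tries to close the textarea early.
const SAMPLE_MARKDOWN = '# Title\n\nSome *markdown* text</textarea><b>injected</b>';

const unsafeHtml = renderTextareaUnsafe(SAMPLE_MARKDOWN);
const safeHtml = renderTextareaSafe(SAMPLE_MARKDOWN);
console.log('unsafe fragment intact:', textareaIsIntact(unsafeHtml)); // false
console.log('safe fragment intact:', textareaIsIntact(safeHtml));     // true
console.log(safeHtml);
```

On the client, assigning to the DOM property (`textarea.value = markdown`, which is what jQuery's `.val()` setter does) never goes through the HTML parser, so no escaping is needed there; the escaping above is only for the case where the textarea is written as HTML text.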