tags:

views:

539

answers:

5
+1  Q: 

Using a `<textarea>` to protect against scripts

Hmm. Instead of "defanging" input or using some kind of regex to remove tags, how safe is it to dump user stuff into a <textarea>?

For example, say there's a PHP page that does the following:

echo '<textarea>';
echo $_GET['whuh_you_say'] ;
echo '</textarea>';

Normally this is vulnerable to xss attacks, but in the textarea, all script tags will just show up as <script> and they won't be executed.

Is this unsafe?

+15  A:  
</textarea>
  <script type="text/javascript">
    alert("this safe...");
    /* load malicious c0dez! */
  </script>
<textarea>
Jonathan Sampson  2009-07-14 00:40:39
yea i just thought of that. ho ho ho. thanks
bobobobo  2009-07-14 00:41:27
if you were always going to use textarea...you could develop a simple regex pattern to ONLY remove textarea etc from the string to prevent the above attack...and let the textarea itself take care of the rest
davidsleeps  2009-07-14 00:47:42
+1 beat me to it - @davidsleeps - while that may be true, the *best* way to deal with this is whitelisting only the tags you need, and making sure you are sanitizing any output generated by a user's input
John Rasch  2009-07-14 00:50:29
It wouldn't necessarily be simple. What if I put`</text</textarea>area>`. It still needs to be thought through.
Ian Elliott  2009-07-14 00:50:54
You should be using htmlspecialshars() anyway, even if you're putting it inside a <textarea>
Josh  2009-07-14 13:02:01
@Josh: Won't the entities show up in the textarea then?
Svish  2010-01-12 09:52:23
@Svish — no. `<textarea>` elements do not contain CDATA.
David Dorward  2010-01-12 09:55:36
@David: Aha. :)
Svish  2010-01-12 10:00:33
+1  A: 

strip_tags(string);

Is wonderful! Honest!

asperous.us  2009-07-14 00:49:56
It was broken in some versions of PHP, though. http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-07/0149.html
ceejayoz  2009-07-14 02:50:53
+1 for the honesty!
Shoan  2009-07-14 10:29:57
Don't use it on text - you'll get invalid entities. Use htmlspecialchars() instead (as a bonus, it won't destroy innocent text like "1<2")
porneL  2009-07-14 19:02:12
A: 

Good enough for the basics:

sanitized = str_replace("<", "&lt;", $_GET['whuh_you_say']);
sanitized = str_replace(">", "&gt;", sanitized);
nilamo  2009-07-14 00:56:04
Or you could just use htmlentities().
Frank Farmer  2009-07-14 02:07:11
+1  A: 

If your users aren't supposed to be using any HTML tags whatsoever (which if you're proposing this textarea solution, that's the case), just run it through htmlspecialchars() or htmlentities() and be done with it. Guaranteed safety.

ceejayoz  2009-07-14 02:52:34
A: 

This talks about an XSS hole found in textarea's in google documents (I think the post is a little old - so google have probably secured it by now), but it deomstrates how textareas can be used as an attack vector.

ha.ckers.org discussing google docs textarea exploit

Alex Key  2010-01-12 09:49:17

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases