tags:

views:

924

answers:

2
+1  Q: 

HTML: <textarea>-Tag: How to correctly escape HTML and JavaScript content displayed in there?

Hello,

I have a HTML Tag <textarea>$FOO</textarea> and the $FOO Variable will be filled with arbitrary HTML and JavaScript Content, to be displayed and edited within the textarea. What kind of "escaping" do I neet to apply to $FOO?

I first tought of escaping it HTML but this didnt work (as I will then get shown not the original HTML Code of $FOO but rather the escaped content. This is of course not what I want: I want to be displayed the unescaped HTML/JS Content of the variable...

Is it impossible to display HTML Content within a <textarea> tag and also allow it to be editable as full HTML?

thanks jens

+1  A: 

You need to replace the special character of HTML with character references (either numerical character references of entity references), in textarea at least &, < and >.

Gumbo  2010-03-23 18:02:46
hello Gumbo, Thanks for your help!!! It seems the problem then must be that the escaping libraries do not correctly work as they should. thanks.
jens  2010-03-23 18:19:14
A: 

I first tought of escaping it HTML

Yes, that's right. The contents of a <textarea> are no different from the contents of any other element like a <span> or a <p>: if you want to put some text inside you must HTML-escape any < or & characters in it to &lt; and &amp; respectively.

Browsers do tend to give you more leeway with fault markup in <textarea>​s, in that the fallback for invalid unescaped < symbols is to render them as text instead of tags, but that doesn't make it any less wrong or dangerous (for XSS).

but this didnt work

Please post what you did that didn't work. HTML-escaping is definitely the right thing.

bobince  2010-03-23 18:12:36
Thanks for your answer. I use "Commons Velocity" that internally uses some other Apache's StringUtils library for HTML Encoding. I have to dig deeper it seems that somewhere theres then something going wrong: <!-- test --> gives me <!-- test --> This means theres something double escaped. Thanks for your answer then I know I have to resarch further how to escape it.
jens  2010-03-23 18:17:36
Maybe check to see if an `EscapeHtmlReference` ReferenceInsertionEventHandler has been set up in Velocity. If so, you wouldn't need to do any more escaping.
bobince  2010-03-23 18:45:25

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?