TextArea and XSS attacks

TEXTAREA Usage

It is generally used to receive user input, which is used to submit a comment box to the server side, such as a Web site.

If this box is also used to display the contents of server-side callbacks, there are two ways to use

Method 1 Background Direct insert

<textarea><%=serverString;%></textarea>

Method 2 using the JS DOM interface to assign values

Textareadom.value = "<%=serverString;%>"

textarea Content features

That is, the 1 feature, even if the HTML snippet is inserted into the textarea, the HTML snippet will not be executed, just as normal text display.

<body>
<textarea>

<script>alert ("AA") </script>
<div>bbb</div>

</textarea>
</body>

Paste the HTML code into the edit box for this site and click Run to see the effect.

http://www.tool.la/WebEditor02/

textarea still vulnerable to XSS attacks

Unlike other tags, such as div, whose contents are embedded in script scripts, are executed,

Although textarea does not execute script, it can still suffer from XSS attacks.

When inserting textarea content, close the label early, and then output the script, as follows

<HTML><Head> </Head> <Body><textarea>

</ textarea><script>alert ("aa")</script   >

</textarea></Body></HTML>

The HTML specification requires that there should be no closed tags in the content.

Http://www.w3.org/TR/html-markup/syntax.html#contents

An end tag, the contained within the same contents as its start tag was said to be a misnested tag.

The TextArea content contents required in the specification are replaceable character data

Http://www.w3.org/TR/html-markup/textarea.html

This type of character requires that the content cannot have a tag-closed character:

Http://www.w3.org/TR/html-markup/syntax.html#replaceable-character-data

Must not contain any occurrences of the string " </ " followed by characters that is a case-insensitive match for the TA G name of the element containing the replaceable character data (for example, " </title " or " </textarea "), followed by a space cha Racter, " > ", or " / ".

textarea anti-XSS attack method

For Law 1 to implement HTML transcoding, convert </sss> to &lt;

<textarea><%=encodehtml (serverstring);%></textarea>

For Law 2 need to implement JS transcoding

Textareadom.value = "<%=encodejs (serverstring);%>"

If transcoding is not supported in your background, you can use the method 2+ajax to obtain the way:

1, the displayed data is stored as a background file (logstr.txt), for example, the contents of the file contains an attack script, so that usage 1 will constitute an XSS attack:

</textarea> <div>aa</div> <script>alert ("AA") </script>

2, use Ajax to get the contents of this file, the post-Tune Usage 2 interface to textarea assignment.

<HTML><Head>    <Scriptsrc= "./jquery.js"></Script></Head><Body>        <textareaID= "Test">        </textarea>        <Scripttype= "Text/javascript">$.get ("./logstr.txt", {Action:"Get", Name:"Lulu"}, function(data, textstatus) {document.getElementById ("Test"). Value=data;                   }); </Script></Body></HTML>

TextArea and XSS attacks