TextArea and XSS attacks

Source: Internet
Author: User

TEXTAREA Usage

A textarea is generally used to receive user input, for example the comment box on a website, whose contents are submitted to the server.

If the same box is also used to display content sent back by the server, there are two ways to fill it in:

Method 1: the server inserts the string directly into the markup

<textarea><%= serverString %></textarea>

Method 2: the value is assigned through the JS DOM interface

textareaDom.value = "<%= serverString %>";

textarea content characteristics

The first characteristic: even if an HTML fragment is inserted into the textarea, it is not parsed as markup. It is displayed as plain text, and a script inside it is not executed.


<body>
<textarea>
<script>alert("AA")</script>
<div>bbb</div>
</textarea>
</body>

Paste this HTML into the edit box on the site below and click Run to see the effect:

http://www.tool.la/WebEditor02/

textarea is still vulnerable to XSS attacks

Unlike tags such as div, where an embedded script is executed, textarea does not execute script inside its content. It can nevertheless be used for an XSS attack.

If the content inserted into the textarea closes the tag early and then outputs a script, the script runs in the page, as in the following:

<html><head></head><body><textarea>
</textarea><script>alert("aa")</script>
</textarea></body></html>

The HTML specification requires that the content of an element must not contain an end tag that closes it:

http://www.w3.org/TR/html-markup/syntax.html#contents

An end tag that is not contained within the same content as its start tag is said to be a misnested tag.

The specification defines the content of textarea as replaceable character data:

http://www.w3.org/TR/html-markup/textarea.html

This kind of content must not contain the character sequence that closes its element:

http://www.w3.org/TR/html-markup/syntax.html#replaceable-character-data

Must not contain any occurrences of the string "</" followed by characters that are a case-insensitive match for the tag name of the element containing the replaceable character data (for example, "</title" or "</textarea"), followed by a space character, ">", or "/".

In other words, the browser ends the textarea content at the first "</textarea" followed by a space, ">" or "/", regardless of case, and everything after that point is parsed as ordinary HTML. The parser does not care where the string came from, so server-supplied content containing that sequence breaks out of the element.

textarea anti-XSS methods

For Method 1, apply HTML encoding: convert "<" to "&lt;" (and likewise "&", ">" and the quote characters), so that the sequence "</textarea" can no longer appear in the markup. The tokenizer decodes "&lt;" back to "<" for display, so the user still sees the original text.

<textarea><%= encodeHtml(serverString) %></textarea>

For Method 2, apply JS string encoding:

textareaDom.value = "<%= encodeJs(serverString) %>";

Note that the JS encoder must do more than escape quotes and backslashes. The string literal lives inside an inline <script> element, whose content ends at the first "</script" in exactly the same way, so "<", ">" and "/" should be escaped as well (for example as \u003c, \u003e and \u002f), along with line terminators.
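The following is an added example, not code from the original article. It models the replaceable-character-data rule quoted above (where a browser ends textarea or script content) and uses that model to check the Method 1 and Method 2 encoders against the early-close payload. The function names rcdataEndIndex, splitTextareaContent, encodeHtml, encodeJs, encodeJsNaive, renderMethod2 and scriptEndsEarly, and the PAYLOAD string, are this example's own assumptions.

```javascript
// Added example (not from the original article). Models how a browser ends
// textarea/script content and checks the two encoders against the
// early-close payload. All names below are this example's own.

// Constructed sample: the early-close payload discussed in the article.
const PAYLOAD = '</textarea><script>alert("AA")</script>';

// Replaceable character data (textarea, title) ends at the first "</" +
// tag name (case-insensitive) followed by a space character, ">" or "/".
// Raw text (script, style) is ended by the same sequence. Returns the index
// of that "</", or -1 if nothing in the content closes the element.
function rcdataEndIndex(content, tagName) {
  const lower = content.toLowerCase();
  const needle = "</" + tagName.toLowerCase();
  const terminators = " \t\n\f\r>/";
  let from = 0;
  for (;;) {
    const i = lower.indexOf(needle, from);
    if (i === -1) return -1;
    const next = lower[i + needle.length];
    if (next !== undefined && terminators.includes(next)) return i;
    from = i + 1; // "</textareas", "</textarea<": not an end tag, keep looking
  }
}

// Splits server content into what the user sees inside the textarea and
// what escapes into the document as live markup.
function splitTextareaContent(content) {
  const cut = rcdataEndIndex(content, "textarea");
  if (cut === -1) return { text: content, breakout: "" };
  return { text: content.slice(0, cut), breakout: content.slice(cut) };
}

// Method 1 defence: HTML-encode before placing the string between the tags.
// The tokenizer decodes "&lt;" back to "<" for display, but the literal
// "</textarea" sequence it matches against never appears in the markup.
function encodeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Method 2 defence: encode for a JS string literal. The literal sits inside
// an inline <script>, so "<", ">" and "/" are escaped (as \uXXXX) too;
// otherwise "</script" inside the data would end the script element before
// the engine ever sees the string. Line terminators are escaped as well.
function encodeJs(s) {
  return s.replace(/[\\"'<>\/&\r\n\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Naive encoder that only handles quotes and backslashes, shown for contrast.
function encodeJsNaive(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Renders the inline script of Method 2 with the given encoder.
function renderMethod2(serverString, encoder) {
  return '<script>textareaDom.value = "' + encoder(serverString) + '";</script>';
}

// True when the script element ends before the closing tag the template wrote.
function scriptEndsEarly(markup) {
  const cut = rcdataEndIndex(markup, "script");
  return cut !== -1 && cut < markup.lastIndexOf("</script>");
}

// Demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("raw:", splitTextareaContent(PAYLOAD));
  console.log("html-encoded:", splitTextareaContent(encodeHtml(PAYLOAD)));
  console.log("naive JS encoder ends script early:", scriptEndsEarly(renderMethod2(PAYLOAD, encodeJsNaive)));
  console.log("full JS encoder ends script early:", scriptEndsEarly(renderMethod2(PAYLOAD, encodeJs)));
}
```

The scanner follows the spec text literally: "</ textarea>" (space after the slash) and "</textareas>" do not close the element, while "</TEXTAREA >" and "</textarea/" do. Running the naive JS encoder through scriptEndsEarly shows why escaping quotes alone is not enough for Method 2, and JSON.parse on the output of encodeJs confirms the \uXXXX escapes still decode to the original string.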

If your backend cannot encode output, you can use Method 2 combined with Ajax:

1. Store the data to be displayed in a file on the server (logstr.txt). Suppose the file contains an attack script, so that inserting it with Method 1 would produce an XSS:

</textarea> <div>aa</div> <script>alert("AA")</script>

2. Fetch the file contents with Ajax, then assign them to the textarea through the Method 2 interface:

<html>
<head>
  <script src="./jquery.js"></script>
</head>
<body>
  <textarea id="test"></textarea>
  <script type="text/javascript">
    $.get("./logstr.txt", { action: "get", name: "lulu" }, function (data, textStatus) {
      // .value takes the data as text; it is never run through the HTML parser
      document.getElementById("test").value = data;
    });
  </script>
</body>
</html>

This is safe because the data is assigned as a string to the value property and never passes through the HTML parser, so "</textarea>" or "<script>" in it cannot create elements. The data must only ever reach the page this way (value or textContent, never innerHTML), and the server should send it with a non-HTML content type such as text/plain so that opening logstr.txt directly does not render it as a page.

