TEXTAREA Usage
A textarea is generally used to receive user input and submit it to the server side, for example as the comment box on a web site.
If the same box is also used to display content returned by the server, there are two ways to fill it:
Method 1: insert the server string directly on the server side
<textarea><%= serverString %></textarea>
Method 2: assign the value through the JS DOM interface
textareaDom.value = "<%= serverString %>";
textarea content characteristics
Characteristic 1: even if an HTML snippet is inserted into a textarea, the snippet is not executed; it is displayed as ordinary text.
<body>
  <textarea>
    <script>alert("AA")</script>
    <div>bbb</div>
  </textarea>
</body>
Paste the HTML code into the edit box on the site below and click Run to see the effect:
http://www.tool.la/WebEditor02/
textarea is still vulnerable to XSS attacks
Unlike other tags such as div, where a script embedded in the content is executed, textarea does not execute scripts, but it can still be used for an XSS attack.
When content is inserted into the textarea, the inserted content can close the tag early and then output a script, as follows:
<html><head></head><body><textarea>
</textarea><script>alert("aa")</script>
</textarea></body></html>
The HTML specification requires that the content of an element must not contain the element's own end tag:
http://www.w3.org/TR/html-markup/syntax.html#contents
"An end tag that is not contained within the same content as its start tag is said to be a misnested tag."
The specification requires textarea content to be replaceable character data:
http://www.w3.org/TR/html-markup/textarea.html
This kind of content must not contain the sequence that closes the element:
http://www.w3.org/TR/html-markup/syntax.html#replaceable-character-data
"Must not contain any occurrences of the string "</" followed by characters that are a case-insensitive match for the tag name of the element containing the replaceable character data (for example, "</title" or "</textarea"), followed by a space character, ">", or "/"."
Defending textarea against XSS
For method 1, HTML-encode the output, so that the "<" in a sequence such as "</sss>" becomes "&lt;" and can no longer start an end tag:
<textarea><%= encodeHtml(serverString) %></textarea>
For method 2, JS-encode the output so that it cannot break out of the string literal:
textareaDom.value = "<%= encodeJs(serverString) %>";
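The following is an added example, not code from the original post. It implements, in plain JavaScript, the replaceable-character-data rule quoted above as a check, and minimal versions of the encodeHtml and encodeJs functions the post assumes exist on the server side (their names come from the post; their bodies are my own assumption of a minimal implementation). It then renders method 1 and method 2 with and without encoding so the difference can be verified on a constructed sample of the attack string.

```javascript
// Added example (not from the original post): encoders for method 1 and
// method 2, plus a checker for the HTML "replaceable character data" rule
// that textarea content must follow. encodeHtml/encodeJs are the names the
// post assumes; their bodies here are a minimal assumed implementation.

// Spec rule: content must not contain "</" followed by a case-insensitive
// match of the element's tag name, then a space, ">" or "/".
function containsEndTag(content, tagName) {
  const re = new RegExp("</" + tagName + "[\\s>/]", "i");
  return re.test(content);
}

// Method 1 defence: HTML-encode so "<" can never start an end tag.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Method 2 defence: escape for use inside a double-quoted JS string literal.
// "<" and ">" become \u003c / \u003e so the literal can never close the
// surrounding <script> block either; line terminators are escaped because
// they would otherwise end the JS string.
function encodeJs(s) {
  return String(s).replace(/[\\"'<>\r\n\u2028\u2029]/g, (ch) => {
    switch (ch) {
      case "\\": return "\\\\";
      case '"': return '\\"';
      case "'": return "\\'";
      case "\n": return "\\n";
      case "\r": return "\\r";
      default: return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
    }
  });
}

// Method 1 as the post describes it: the server string is inserted directly
// between the tags (optionally through an encoder).
function renderMethod1(serverString, encoder = (x) => x) {
  return "<textarea>" + encoder(serverString) + "</textarea>";
}

// Method 2: the server string is placed inside a JS string literal.
function renderMethod2(serverString, encoder = (x) => x) {
  return 'textareaDom.value = "' + encoder(serverString) + '";';
}

// Did the inserted content close the textarea before the template did?
// Everything between the template's own start tag and its final end tag is
// the content; if that content matches the spec rule, the element was
// closed early and whatever follows is parsed as markup.
function textareaClosedEarly(html) {
  const body = html.slice("<textarea>".length, html.lastIndexOf("</textarea>"));
  return containsEndTag(body, "textarea");
}

// Constructed sample resembling the attack string shown in the post.
const PAYLOAD = '</textarea> <div>aa</div> <script>alert("AA")</script>';

function demo() {
  return {
    rawMethod1Broken: textareaClosedEarly(renderMethod1(PAYLOAD)),
    encodedMethod1Broken: textareaClosedEarly(renderMethod1(PAYLOAD, encodeHtml)),
    encodedMethod2: renderMethod2(PAYLOAD, encodeJs),
  };
}

console.log(demo());
```

The check in textareaClosedEarly is deliberately the same rule the spec states, so it also flags mixed-case variants such as "</TEXTAREA>" and "</textarea/"; the round trip in the usage below shows that encodeJs output, when evaluated as a string literal, still yields the original text, so method 2 loses nothing by encoding.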
If encoding is not available on your server side, you can combine method 2 with Ajax:
1. The data to be displayed is stored in a server-side file (logstr.txt). Suppose, for example, that the file contains an attack script, so that method 1 would constitute an XSS attack:
</textarea> <div>aa</div> <script>alert("AA")</script>
2. Use Ajax to fetch the contents of this file, then use the method 2 interface to assign it to the textarea. Because the value is set as a property rather than parsed as markup, the content cannot close the tag early.
<html>
<head><script src="./jquery.js"></script></head>
<body>
<textarea id="test"></textarea>
<script type="text/javascript">
$.get("./logstr.txt", {Action: "Get", Name: "Lulu"}, function (data, textStatus) {
    document.getElementById("test").value = data;
});
</script>
</body>
</html>
TextArea and XSS attacks