
Do you need to validate a textarea against XSS injections?

I have a textarea on a reg form and have tried entering data wrapped in h1 tags for a test, but when I look at the output in the admin area, the textarea displays <h1>test words</h1>

I would have expected it to display a REALLY big 'test words' if it was vulnerable, as the h1 tags would get parsed and would also disappear... I kind of don't know what to look for.

Any ideas?

Discussion span: 8 years. Last post by digital-ether.

Yes, it does need to be checked.

I use HTML Purifier. It's a pretty nice PHP application that will strip out bad information.


Do you need to validate a textarea against XSS injections?

I have a textarea on a reg form and have tried entering data wrapped in h1 tags for a test, but when I look at the output in the admin area, the textarea displays <h1>test words</h1>

I would have expected it to display a REALLY big 'test words' if it was vulnerable, as the h1 tags would get parsed and would also disappear... I kind of don't know what to look for.

Any ideas?

What's the PHP script you're using?

It looks like it's already encoding HTML entities in the data from the textarea.

Normally, all you need to do is use htmlentities(). It is also important to consider the encoding of the input data when applying string functions to them. htmlentities() has to know the encoding of the input data correctly in order to prevent XSS, something which is easily overlooked.
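The escaping step described in this reply, as an added PHP example (this is not code from the thread or from any of its posters). It shows why the admin page in the question rendered the literal `<h1>test words</h1>`: the value was entity-encoded on output. The function names `escape_for_html` and `is_valid_utf8`, and the sample textarea string, are my own; the page is assumed to be served as UTF-8.

```php
<?php
// Added example, not from the original thread: escape untrusted textarea
// input before placing it in HTML, with the encoding stated explicitly.
declare(strict_types=1);

/**
 * Escape a string for insertion into HTML element content or a quoted attribute.
 * The encoding is passed explicitly so htmlentities() never has to guess it;
 * ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
 */
function escape_for_html(string $untrusted, string $encoding = 'UTF-8'): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, $encoding);
}

/**
 * Reject input that is not well-formed in the declared encoding before storing
 * it, so the later escaping step always operates on valid data.
 */
function is_valid_utf8(string $input): bool
{
    return mb_check_encoding($input, 'UTF-8');
}

/**
 * Build the admin-page fragment that redisplays a stored textarea value.
 * Returns the HTML string so it can be inspected rather than only echoed.
 */
function render_textarea_field(string $storedValue): string
{
    $escaped = escape_for_html($storedValue);
    return '<textarea name="bio">' . $escaped . '</textarea>'
         . '<p>Preview: ' . $escaped . '</p>';
}

// Constructed sample: roughly what the poster typed into the textarea as a test,
// with quotes and an ampersand added to exercise the other escaped characters.
$submitted = "<h1>test words</h1> \"quoted\" & 'apostrophe'";

if (!is_valid_utf8($submitted)) {
    http_response_code(400);
    exit('Input is not valid UTF-8');
}

// escape_for_html($submitted) yields:
// &lt;h1&gt;test words&lt;/h1&gt; &quot;quoted&quot; &amp; &#039;apostrophe&#039;
// The browser shows the literal text "<h1>test words</h1>" instead of a heading,
// which is exactly what the admin area in the question displayed.
echo render_textarea_field($submitted);

// For contrast, this is the vulnerable pattern the poster was checking for:
// echo '<p>' . $submitted . '</p>';   // renders the <h1> (and any <script>) as markup
```

The encoding argument is the point of the reply above: if the page is declared as UTF-8 but `htmlentities()` is told a different charset (or is left to its default on old PHP versions), malformed multibyte sequences can be mis-tokenised and the escaping can be bypassed. Passing the charset explicitly and validating with `mb_check_encoding()` on input removes that ambiguity. Escaping on output is for text that should display as typed; HTML Purifier, mentioned in the earlier reply, is the right tool only when users are actually meant to submit a restricted subset of HTML.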
