Do you need to validate a textarea against XSS injections?

I have a textarea on a reg form and have tried entering data wrapped in h1 tags for a test, but when I look at the output in the admin area, the textarea displays <h1>test words</h1>

I would have expected it to display a REALLY big 'test words' if it was vulnerable, as the h1 tags would get parsed and would also disappear... I kind of don't know what to look for.

Any ideas?

All 2 Replies

Yes, it does need to be checked.

I use HTML Purifier. It's a pretty nice PHP application that will strip out bad information.

What's the PHP script you're using?

It looks like it's already encoding HTML entities in the data from the textarea.

Normally, all you need to do is use htmlentities(). It is also important to consider the encoding of the input data when applying string functions to them. htmlentities() has to know the encoding of the input data correctly in order to prevent XSS - something which is easily overlooked.
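An added example, not code from the thread or from any of the posters, showing the two points above in working PHP: escaping stored textarea content on output with the encoding stated explicitly, and why seeing literal <h1> tags inside an admin textarea is not by itself proof that the field is safe. The input strings, the field name `comment` and the function names are constructed for this illustration.

```php
<?php
// Added example (not from the original thread): output escaping for a stored
// textarea value, with the encoding pitfall the reply above mentions.
declare(strict_types=1);

// Escape a string for insertion into HTML text or attribute content.
// ENT_QUOTES also escapes single quotes, and ENT_SUBSTITUTE replaces invalid
// byte sequences with U+FFFD instead of returning "" (which would silently
// blank the whole field). The encoding argument must match the charset the
// page is actually served with, otherwise multi-byte sequences can be
// mis-parsed and an escape can be missed.
function escapeHtml(string $value, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding);
}

// Same call without ENT_SUBSTITUTE: on PHP >= 5.4 an invalid byte sequence
// makes this return an empty string, so the admin sees nothing at all.
function escapeHtmlNaive(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Render the stored value back into an admin <textarea>, raw vs escaped.
// Note that even the raw version shows "<h1>test words</h1>" as literal text
// in the browser: a textarea's content is not parsed as markup until something
// closes the element, which is exactly what the second input does.
function renderTextareaUnsafe(string $stored): string
{
    return '<textarea name="comment">' . $stored . '</textarea>';
}

function renderTextareaSafe(string $stored): string
{
    return '<textarea name="comment">' . escapeHtml($stored) . '</textarea>';
}

// Constructed test inputs (hypothetical, for illustration only).
$inputs = [
    'plain h1 test'       => '<h1>test words</h1>',
    'textarea breakout'   => '</textarea><script>alert(document.cookie)</script>',
    'invalid UTF-8 bytes' => "caf\xE9 <b>bold</b>",   // 0xE9 alone is Latin-1, not valid UTF-8
];

foreach ($inputs as $label => $raw) {
    echo "== {$label} ==\n";
    echo "unsafe: " . renderTextareaUnsafe($raw) . "\n";
    echo "safe:   " . renderTextareaSafe($raw) . "\n";
    echo "naive:  [" . escapeHtmlNaive($raw) . "]\n\n";
}
```

To check the real form, look at the page source in the admin area rather than the rendered textarea: if the stored `<h1>` arrives as `&lt;h1&gt;` the script is escaping on output; if it arrives as a literal `<h1>` the field only looks safe because the textarea element is hiding the markup, and a value containing `</textarea>` would break out of it. Escaping like this is the right default when the comment is meant to be plain text; a purifier such as the HTML Purifier library mentioned in the first reply is for the different case where some HTML is deliberately allowed and the rest must be stripped against an allow-list.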
