jQuery ajax and htmlentities, using .val() on a textfield

Question

i'm using a jQuery ajax call to set the value of a textarea.

If I use php's htmlentities() and then use jquerys $(textarea).val() it doesn't display the characters but the entities.

Without htmlentities() everything looks fine. No XSS while using val() but off course vulnerable if the script is accessed without jquery.

What happens?

.load() works but I can't use it. load() just breaks after I use the BBcodefunctions ( DOM does not update the textarea, in Firebug everything looks like it should)

After using val(), html() breaks.

Why?

Jquery code:

$.ajax({ 
  type: 'GET', 
  encoding:"UTF-8", 
  dataType:"html",  
  contentType: "text/plain; 
  charset=UTF-8", 
  url: "/quote.php?id=1",
  context: document.body 
}).done(function(data) { $('textarea').val(data); }); 

PHP code:

htmlentities($nonEncodedRawText, ENT_QUOTES, 'UTF-8')

Result in textbox:

</textarea><script type="text/javascript">

Result on direct access:

</textarea><script type="text/javascript">

Answer 1

Have you tried htmlspecialchars() instead of htmlentities?

Here's another page with a similar problem: Escaping output safely for both html and input fields

Answer 2

Now, it looks like there is no easy way to display > < while using val() or value =.

.html() would work but as soon as .val() or value = gets called .html() breaks.

The only solution I was able to find is to replace the whole textarea with:

$('textarea').replaceWith('<textarea>'+data+'</textarea>')

Rewriting the bbcode function won't work too because .html().length seems to differ from .val().length. While .val().length counts > as its entity & g t ; .html().length counts only > which results in wrong tag placements etc.