Stack Exchange
Stack Overflow
Questions
Tags
Users
About
Stack Overflow
Public
Questions
Tags
Users
About
Can a user break out of
tag maliciously?</a></h1> </div> <div class="grid fw-wrap pb8 mb16 bb bc-black-075"> <div class="grid--cell ws-nowrap mr16 mb8" title="2016-01-12 19:07:53Z"> <span class="fc-light mr2">Asked</span> <time itemprop="dateCreated" datetime="2014-10-11T12:16:54.980" class="fromnow">Oct 11 '14 at 12:16</time> </div> <div class="grid--cell ws-nowrap mr16 mb8"> <span class="fc-light mr2">Active</span> <time class="fromnow" title="2014-10-11T12:16:54.980" datetime="2014-10-11T12:16:54.980">Oct 11 '14 at 12:16</a> </div> <div class="grid--cell ws-nowrap mb8" title="Viewed 41 times"> <span class="fc-light mr2">Viewed</span> 41 times </div> </div> <div id="mainbar" role="main" aria-label="questions and answers"> <div id="question" class="question" data-questionid="26314568" data-ownerid="" data-score="1"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="26314568"> <button class="js-vote-up-btn grid--cell s-btn s-btn__unset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="1">1</div> <button class="js-bookmark-btn s-btn s-btn__unset c-pointer py4"> <svg aria-hidden="true" class="svg-icon iconBookmark" width="18" height="18" viewBox="0 0 18 18"><path d="M6 1a2 2 0 00-2 2v14l5-4 5 4V3a2 2 0 00-2-2H6zm3.9 3.83h2.9l-2.35 1.7.9 2.77L9 7.59l-2.35 1.7.9-2.76-2.35-1.7h2.9L9 2.06l.9 2.77z"></path></svg> <div class="js-bookmark-count mt4" data-value=""></div> </button> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>Can a user break out of <code><textarea></code> tag maliciously?</p> <p>For example:</p> <p><code>post form contains:</code></p> <pre><code> <form action='post.php' method='post'> <textarea name='content'></textarea> <input type='submit' value='submit'> </form> </code></pre> <p><code>post.php</code> stores <code>htmlentities($content)</code> in the database.</p> <p>Now the user wants to edit his post, he clicks 'edit' and retrieves the edit form except this time the code is decoded and injected in, for editing purposes.</p> <p><code>edit form contains:</code></p> <pre><code> <form action='edit.php' method='post'> <textarea name='content'><?=html_entity_decode($content);?></textarea> <input type='submit' value='submit'> </form> </code></pre> <p>is it possible for the user to break out of the textarea tags, seeing as the content has now been decoded back into normal html. Also should one store <code>htmlentities($content)</code> in the database or simply raw html, then, encode on the display page - what are the SQL dangers of that technique?</p> <p>I have tried <code></textarea></code>, <code><!-- --></></code>. To be honest I'm not to familiar with XSS attacks but I usually know how to prevent from them. </p> <p>In this case can someone break out of the <code><textarea></textarea></code> tags?</p></div> <div class="mt24 mb12"> <div class="post-taglist grid gs4 gsy fd-column"> <div class="grid ps-relative"> <a href="../../questions/tagged/php" class="post-tag js-gps-track" title="show questions tagged 'php'" rel="tag">php</a> <a href="../../questions/tagged/textarea" class="post-tag js-gps-track" title="show questions tagged 'textarea'" rel="tag">textarea</a> <a href="../../questions/tagged/xss" class="post-tag js-gps-track" title="show questions tagged 'xss'" rel="tag">xss</a> <a href="../../questions/tagged/code-injection" class="post-tag js-gps-track" title="show questions tagged 'code-injection'" rel="tag">code-injection</a> </div> </div> </div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature owner grid--cell"> <div class="s-user-card s-user-card__deleted"> <time class="s-user-card--time" datetime="asked Oct 11 '14 at 12:16">asked Oct 11 '14 at 12:16</time> <div class="s-avatar s-avatar__32 s-user-card--avatar"> </div> <div class="s-user-card--info"></div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-26314568" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="26314568" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-41295212" class="comment js-comment " data-comment-id="41295212" data-comment-owner-id="2176428" data-comment-score="1"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> <span title="number of 'useful comment' votes received" class="warm">1</span> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment41295212_26314568"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Yes, with your current code he can break out of the textarea and inject whatever HTML he wants to because when producing the output, you're decoding the entities.</span> – <a href="../../users/2176428/ali" title="3,479 reputation" class="comment-user ">Ali</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/26314568/can-a-user-break-out-of-textarea-tag-maliciously#comment41295212_26314568"><span title="2014-10-11T12:25:24.727 License: CC BY-SA 3.0" class="relativetime-clean">Oct 11 '14 at 12:25</span></a></span> </div> </div> </li> <li id="comment-41295235" class="comment js-comment " data-comment-id="41295235" data-comment-owner-id="367456" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment41295235_26314568"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">also where to en-code and decode should have been answered already on stackoverflow. please use the search for all your interrelated questions first.</span> – <a href="../../users/367456/hakre" title="193,403 reputation" class="comment-user ">hakre</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/26314568/can-a-user-break-out-of-textarea-tag-maliciously#comment41295235_26314568"><span title="2014-10-11T12:26:35.610 License: CC BY-SA 3.0" class="relativetime-clean">Oct 11 '14 at 12:26</span></a></span> </div> </div> </li> <li id="comment-41295297" class="comment js-comment " data-comment-id="41295297" data-comment-owner-id="367456" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment41295297_26314568"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Are you looking for material like this probably? [Will HTML Encoding prevent all kinds of XSS attacks?](http://stackoverflow.com/q/53728/367456)</span> – <a href="../../users/367456/hakre" title="193,403 reputation" class="comment-user ">hakre</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/26314568/can-a-user-break-out-of-textarea-tag-maliciously#comment41295297_26314568"><span title="2014-10-11T12:30:19.613 License: CC BY-SA 3.0" class="relativetime-clean">Oct 11 '14 at 12:30</span></a></span> </div> </div> </li> <li id="comment-41295665" class="comment js-comment " data-comment-id="41295665" data-comment-owner-id="" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment41295665_26314568"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Turns out when storing the information in htmlentities and retrieving into the textarea is A okay.</span> – <a class="comment-user owner"></a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/26314568/can-a-user-break-out-of-textarea-tag-maliciously#comment41295665_26314568"><span title="2014-10-11T12:50:18.617 License: CC BY-SA 3.0" class="relativetime-clean">Oct 11 '14 at 12:50</span></a></span> </div> </div> </li> </ul> </div> </div> </div> </div> <div id="answers"> <a name="tab-top"></a> <div id="answers-header"> <div class="answers-subheader grid ai-center mb8"> <div class="grid--cell fl1"> <h2 class="mb0" data-answercount="9">0 Answers<span style="display:none;" itemprop="answerCount">0</span></h2> </div> </div> </div> </div> </div> </div> </div> <script src="../../static/js/stack-icons.js"></script> <script src="../../static/js/fromnow.js"></script> </body> </html>