11

I need to post multi-line data via a hidden field. The data will be viewed in a textarea after post. How can I post a newline/carriage return in the html form?

I've tried \r\n but that just posts the actual "\r\n" data

<input type="hidden" name="multiline_data" value="line one\r\nline two" />

Is there a way to do this?

4 Answers4

13

Instead of using

<input type="hidden">

Try using

<textarea style="visibility:hidden;position:absolute;">

orinetz
  • 131
  • 1
  • 2
  • 1
    `style="display:none;"` is probably more succint – daiscog Jul 03 '14 at 09:56
  • 3
    @daiscog Form elements set to `display:none` [aren't always submitted](http://stackoverflow.com/a/8318442/526741). I'm not sure which browsers do and don't submit `display:none` fields, but according to the comments under that answer, IE8 does *not*. – 0b10011 Aug 04 '14 at 21:04
9

While new lines (Carriage Return & Line Feed) are technically allowed in <input>'s hidden state, they should be escaped for compatibility with older browsers. You can do this by replacing all Carriage Returns (\u000D or \r) and all Line Feeds (\u000A or \n) with proprietary strings that are recognized by your application to be a Carriage Return or New Line (and also escaped, if present in the original string).

Simply character entities don't work here, due to non-conforming browsers possibly knowing &#10; and &#13; are new lines and stripping them from the value.

Example

For example, in PHP, if you were to echo the passed value to a textarea, you would include the newlines (and unescaped string).

<textarea>Some text with a \ included
and a new line with \r\n as submitted value</textarea>

However, in PHP, if you were to echo the value to the value attribute of an <input> tag, you would escape the new lines with your proprietary strings (e.g. \r and \n), and escape any instances of your proprietary strings in the submitted value.

<input type="hidden" value="Some text with a \\ included\r\nand a new line\\r\\n as submitted value">

Then, before using the value elsewhere (inserting into a database, emailing, etc), be sure to unescape the submitted value, if necessary.

Reassurance

As further reassurance, I asked the WHATWG, and Ian Hickson, editor of the HTML spec currently, replied:

bfrohs Question about <input type=hidden> -- Are Line Feeds and Carriage Returns allowed in the value? They are specifically disallowed in Text state and Search state, but no mention is made for Hidden state. And, if not, is there an acceptable HTML solution for storing form data from a textarea?

Hixie yes, they are allowed // iirc // for legacy reasons you may wish to escape them though as some browsers normalise them away // i forget if we fixed that or not // in the spec

Source

Community
  • 1
  • 1
0b10011
  • 18,397
  • 4
  • 65
  • 86
5

Depends on the character set really but &#10; should be linefeed and &#13; should be carriage return. You should be able to use those in the value attribute.

Shea
  • 11,085
  • 2
  • 19
  • 21
  • If a browser supports form submission, it will most likely also realize that ` ` and ` ` are new lines, and if it incorrectly removes new lines, it will also remove all occurrences of ` ` and ` `. – 0b10011 Nov 17 '11 at 22:47
2

You don't say what this is for or what technology you're using, but you need to be aware that you can't trust the hidden field to remain with value="line one line two", because a hostile user can tamper with it before it gets sent back in the POST. Since you're putting the value in a <textarea> later, you will definitely be subject to, for example, cross site scripting attacks unless you verify and/or sanitize your "multiline_data" field contents before you write it back out.

When writing a value into a hidden field and reading it back, it's usually better to just keep it on the server, as an attribute of the session, or pageflow, or whatever your environment provides to do this kind of thing.

Stephen P
  • 14,422
  • 2
  • 43
  • 67