TextArea (<textarea>...</textarea>) is a node that can have internal nodes in it. Those internal nodes are still valid, so the browser interprets the script node and runs the code.
This is a really good reason why you should always check what the user enters and sends to the server. If you print this input later, it can run just as if you had inserted a script tag yourself.
To stop it, you need to encode the tags: < = &lt; and > = &gt;
A similar thing happens with nodes that are not valid HTML, for example <myInvalidTag><script></script></myInvalidTag>. The browser will still execute the code inside it.
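The encoding step the answer describes, as an added example that is not part of the original post: a small HTML encoder applied to user input before it is written into a textarea, with the raw concatenation kept alongside for comparison. The helper names (escapeHtml, renderTextarea, containsScriptTag) and the sample inputs are constructed for this example; the encoder covers &, " and ' as well as < and > so it is also safe inside attribute values.

```javascript
// Added example (not from the original answer): HTML-encode untrusted input
// before it is written into the page so "<script>" stays literal text.
// Encodes the five characters that matter in HTML text and attribute
// contexts, not only < and >, so the same helper is safe in both places.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(input) {
  // '&' is in the character class, so already-encoded text is encoded again
  // rather than being double-decoded later (encode once, at output time).
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical view helper: renders a textarea whose body is user text.
function renderTextarea(userInput) {
  return '<textarea>' + escapeHtml(userInput) + '</textarea>';
}

// Unsafe variant, kept only for comparison: concatenates the raw input.
function renderTextareaUnsafe(userInput) {
  return '<textarea>' + userInput + '</textarea>';
}

// Constructed sample inputs mirroring the answer's two cases
// (a script node, and a script node wrapped in an invalid tag).
const SAMPLE_INPUTS = [
  '<script></script>',
  '<myInvalidTag><script></script></myInvalidTag>',
];

// True if the rendered markup still contains a real <script> start tag;
// the encoded form "&lt;script&gt;" does not match.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Returns, per sample input, whether each rendering still carries a script tag.
function demo() {
  return SAMPLE_INPUTS.map((input) => ({
    input,
    unsafe: containsScriptTag(renderTextareaUnsafe(input)),
    safe: containsScriptTag(renderTextarea(input)),
  }));
}
```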