Following my last question ...
This code can be used if an attacker has access to encodedText:
return $('<div/>').html(encodedText).text();
e.g. $("<div/>").html('<img src="X" onerror="alert(\'hi\');" />').text() displays a warning.
This answer recommends using textarea instead to avoid the XSS vulnerability:
return $('<textarea/>').html(encodedText).text();
This allowed us to safely handle the previous exploit.
However, this answer indicates that when using textarea, XSS vulnerabilities still exist:
I suggest using a safer, more optimized function
Do not use jQuery.html().text() to decode html objects, as it is unsafe because user input should never have access to the DOM.
My question is: is there a way in any browser to use $('<textarea/>').html(encodedText); to run XSS, assuming the attacker has access to encodedText?
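An added example, not part of the original question or of the answers it quotes: one way to decode entities with string handling only, so encodedText is never parsed as markup by any element. The name decodeEntities and the small named-entity table are assumptions of this sketch; it covers numeric references and a handful of named entities, not the full HTML5 list.

```javascript
// Added example: DOM-free entity decoding. Names are hypothetical.
// Only a few named entities are mapped; unknown ones are left untouched.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

function decodeEntities(encodedText) {
  // Single pass over the input: "&amp;lt;" becomes "&lt;", not "<".
  return String(encodedText).replace(
    /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (match, dec, hex, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
      }
      const code = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
      // NUL, surrogates and out-of-range values map to U+FFFD.
      if (!(code > 0 && code <= 0x10FFFF) || (code >= 0xD800 && code <= 0xDFFF)) {
        return '\uFFFD';
      }
      return String.fromCodePoint(code);
    }
  );
}

// Constructed sample: the entity-encoded form of the markup from the question.
const sample = '&lt;img src=&quot;X&quot; onerror=&quot;alert(&#39;hi&#39;);&quot; /&gt;';
const decoded = decodeEntities(sample);
// decoded is an ordinary string. Write it to the page as text
// (textContent or jQuery .text()), never through .html().
```

The decoded value can contain `<` and `>` again, so how it is written back to the page decides whether it stays inert.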