How should you encode a textarea's contents

Question

If I have a text area that can display user entered input. How should I encode it to prevent any security issues?

For instance suppose I have this:

<!DOCTYPE html>
<html>
<head>
<title>Title</title>
</head>
<body>
    <form>
        <textarea></textarea><script>alert('Hello');</script></textarea>
    </form>
</body>
</html>

How should I encode the contents of the textarea so that it shows the </textarea><script> as text rather than running it?

I'm using ASP.Net, but I'm really after a general answer for HTML.

This is different to "Rendering HTML inside textarea" as I don't want to render HTML inside the textarea where as with that question they did.

Possible duplicate of [Rendering HTML inside textarea](https://stackoverflow.com/questions/4705848/rendering-html-inside-textarea) — hardkoded, Oct 03 '17 at 10:42
@kblok this is a different question. I DON'T want to render html inside the textarea. — Martin Brown, Oct 03 '17 at 10:45

score 2 · Answer 1 · answered Oct 03 '17 at 11:05

2

You use HTMLEncode.

<textarea><%= Server.HtmlEncode("</textarea><script>alert('Hello');</script>") %></textarea>

Or

TextBox1.Text = Server.HtmlEncode(myString);

answered Oct 03 '17 at 11:05

VDWWD

33,993
20
58
76

This is what I thought, but was a bit concerned this might encode things that it shouldn't. – Martin Brown Oct 03 '17 at 11:18

score 0 · Answer 2 · answered Oct 03 '17 at 11:31

If you want to post <script>the tag will be picked up.
Displaying a tag as text type < and > they will be displayed as < > Link

So the html would look like:

<textarea> &lt;/textarea&gt; &lt;script&gt;alert('Hello');&lt;/script&gt; </textarea>

but @VDWWD answer is a better solution for asp.net development.

How should you encode a textarea's contents

2 Answers2