Tags: javascript, html, textarea, xss

Is <textarea> .value Cross-Site Scripting (XSS) safe?


I am writing a static page for a tool: User pastes in base64 and it gets converted into plaintext. Not like it matters, but because the context is cryptographic, I want to prevent XSS.

I noticed document.getElementById("myTextarea").value allows you to change/set the content of a textarea without it appearing in the HTML code (even as an attribute), and unlike .innerHTML or attributes I couldn't do anything with .value.

So is .value actually safe? And is there a "simpler" HTML element that has similar behavior?

Maybe I am bad at Googling or just lazy, but I couldn't find anything on it. ("How do I google this?")

I know about validation and encoding, but then I can't feed the output straight into a reverse converter to get the initial base64.

Questions:

Edit: Removed (XSS does work in textarea innerHTML as asked and answered on other StackOverflow posts).


Solution

  • So for the first question, the answer is yes. When you set the .value property of a textarea, the content will be treated as plain text. Therefore, the browser will not interpret or execute the content as code.

    For a similar HTML element that also treats the input content as plain text, I can only come up with the input tag with the attribute type="text". But since you are pasting in base64 text, which is often very long, the input tag might not be a better option than the textarea tag, although you could use CSS to make it look like a textarea or look better when long text is fed in.

    If you want to display or update the content, using .textContent would be a better choice. According to the MDN document:

    (https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent)

    Using .textContent can prevent XSS attacks.

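The contrast the answer draws, as an added example that is not code from the original question or answer: a small base64-to-text converter that writes its output through the text-only `.value` sink, shown beside the `innerHTML` construction in which a decoded `</textarea>` would close the element early and turn the rest of the payload into live markup. The element ids (`b64Input`, `plainOutput`), function names and the constructed test vector are assumptions made for this illustration; the browser wiring at the end is skipped when there is no DOM, so the functions can also be exercised under Node.

```javascript
// Added example, not from the original page. Element ids and function names
// are assumptions for illustration.

// Strict base64 alphabet; whitespace is stripped before checking.
const BASE64_RE = /^[A-Za-z0-9+\/]*={0,2}$/;

// Decode base64 to a JS string. Malformed input is rejected explicitly rather
// than letting atob() throw an opaque error, and the bytes are decoded as UTF-8
// so non-ASCII plaintext survives the round trip.
function decodeBase64ToText(b64) {
  const compact = b64.replace(/\s+/g, "");
  if (compact.length % 4 !== 0 || !BASE64_RE.test(compact)) {
    throw new Error("input is not valid base64");
  }
  const bytes = Uint8Array.from(atob(compact), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Reverse direction: read the textarea back and re-encode. Because .value
// returns exactly the string that was assigned (no entity decoding, no HTML
// parsing), the round trip needs no escaping or unescaping step.
function encodeTextToBase64(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// SAFE sink: .value is a property on the element object. The string is stored
// as-is and never handed to the HTML parser, so markup in the decoded text is
// displayed literally instead of being interpreted.
function showDecodedSafe(textarea, b64) {
  textarea.value = decodeBase64ToText(b64);
  return textarea.value;
}

// UNSAFE sink, kept only for contrast: building the element via innerHTML
// routes the decoded text through the HTML parser. A payload containing
// "</textarea>" closes the element early and whatever follows becomes markup.
function showDecodedUnsafe(container, b64) {
  container.innerHTML = "<textarea>" + decodeBase64ToText(b64) + "</textarea>";
  return container.innerHTML;
}

// Constructed test vector (not taken from the page): base64 of a textarea
// breakout payload. With .value it is shown as inert text.
const BREAKOUT_B64 = btoa('</textarea><img src=x onerror="alert(1)">');

// Browser wiring with assumed element ids; skipped where there is no DOM.
if (typeof document !== "undefined") {
  const input = document.getElementById("b64Input");
  const output = document.getElementById("plainOutput");
  if (input && output) {
    input.addEventListener("input", () => {
      try {
        showDecodedSafe(output, input.value);
      } catch (e) {
        output.value = ""; // invalid base64: clear rather than show an error in the sink
      }
    });
  }
}
```

Under Node the same functions can be driven with a plain object standing in for the element: `showDecodedSafe({ value: "" }, BREAKOUT_B64)` returns the payload verbatim, and `encodeTextToBase64` of that value reproduces `BREAKOUT_B64`, which is the round trip the question asks about. The unsafe variant is included only to make the difference between a property assignment and an HTML-parsing sink concrete; it is not a pattern to copy.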