I am writing a static page for a tool: User pastes in base64 and it gets converted into plaintext. Not like it matters, but because the context is cryptographic, I want to prevent XSS.
I noticed `document.getElementById("myTextarea").value` allows you to change/set the content of a textarea without it appearing in the HTML code (even as an attribute), and unlike `.innerHTML` or attributes I couldn't do anything with `.value`.
So is `.value` actually safe? And is there a "simpler" HTML element that has similar behavior?
Maybe I am bad at Googling or just lazy, but I couldn't find anything on it. ("How do I google this?")
I know about validation and encoding, but then I can't feed the output straight into a reverse converter to get the initial base64.
Questions:
1. Is `.value` XSS safe?
2. Edit: Removed (XSS does work in textarea innerHTML as asked and answered on other StackOverflow posts).
So for the first question, the answer is yes. When you set the `.value` property of a textarea, the content will be treated as plain text. Therefore, the browser will not interpret or execute the content as code.
For a similar HTML element that also treats the input content as plain text, I only come up with the `input` tag with attribute `type="text"`. But as you are pasting in base64 text, which is often very long, the `input` tag might not be a better option than the `textarea` tag. Although, you could use CSS to make it look like a textarea or look better when there is a long text being fed in.
If you want to display or update the content, using `.textContent` would be a better choice. According to the MDN document (https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent), using `.textContent` can prevent XSS attacks.
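As an added example (not code from the question or the answer), here is a small decoder that follows the advice above: decoded output only ever reaches the page through `.value` or `.textContent`, never `.innerHTML`, so markup in the decoded text stays literal. It also rejects malformed base64 and invalid UTF-8 instead of throwing, and keeps a re-encoder so the output can be fed back unchanged. The element ids `in`, `out` and `status` are assumptions for this example.

```javascript
// Added example, not from the original post. Assumes a page containing
// <textarea id="in">, <textarea id="out"> and <p id="status"> (ids are assumed).

// Decode base64 to a UTF-8 string. Returns null on malformed input rather than throwing.
function decodeBase64(b64) {
  const clean = b64.replace(/\s+/g, "");            // tolerate wrapped or pasted whitespace
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(clean) || clean.length % 4 === 1) return null;
  try {
    const bin = atob(clean);                          // atob throws on bad padding
    const bytes = Uint8Array.from(bin, c => c.charCodeAt(0));
    return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // reject invalid UTF-8
  } catch (e) {
    return null;
  }
}

// Re-encode text to base64 so the output can round-trip back through the decoder.
function encodeBase64(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Write the decoded text into the output element. Form fields get .value, anything
// else gets .textContent; both assign a plain string, so "<b>x</b>" in the decoded
// text stays visible as literal characters instead of becoming markup.
// Returns the text that was written, or null when the input was rejected.
function render(outEl, statusEl, b64) {
  const text = decodeBase64(b64);
  const write = s => { if ("value" in outEl) outEl.value = s; else outEl.textContent = s; };
  if (text === null) {
    statusEl.textContent = "Invalid base64 input";
    write("");
    return null;
  }
  statusEl.textContent = `Decoded ${text.length} characters`;
  write(text);
  return text;
}

// Browser wiring; skipped when there is no DOM (e.g. when run under Node).
if (typeof document !== "undefined") {
  document.getElementById("in").addEventListener("input", e => {
    render(document.getElementById("out"), document.getElementById("status"), e.target.value);
  });
}
```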