I am writing a static page for a tool: User pastes in base64 and it gets converted into plaintext. Not like it matters, but because the context is cryptographic, I want to prevent XSS.
I noticed document.getElementById("myTextarea").value allows you to change/set the content of a textarea without it appearing in the HTML code (even as an attribute), and unlike .innerHTML or attributes I couldn't do anything with .value.
So is .value actually safe? And is there a "simpler" HTML element that has similar behavior?
Maybe I am bad at Googling or just lazy, but I couldn't find anything on it. ("How do I google this?")
I know about validation and encoding, but then I can't feed the output straight into a reverse converter to get the initial base64.
Questions:
.value XSS safe?Edit: Removed (XSS does work in textarea innerHTML as asked and answered on other StackOverflow posts).
So for the first question, the answer is yes. When you set the .value property of a textarea, the content will be treated as plain text. Therefore, the browser will not interpret or execute the content as code.
For a similar HTML element that also treats the input content as plain text, I only come with the input tag with attribute type="text". But as you are pasting in base64 text, which is often very long. The input tag might not be a better option than the textarea tag. Although, you could use CSS to make it look like a textarea or look better when there is a long text being fed in.
If you want to display or update the content, using .textContent would be a better choice. According to the MDN document:
(https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent)
Using .textContent can prevent XSS attacks.
