I am writing a static page for a tool: User pastes in base64 and it gets converted into plaintext. Not like it matters, but because the context is cryptographic, I want to prevent XSS.

I noticed document.getElementById("myTextarea").value allows you to change/set the content of a textarea without it appearing in the HTML code (even as an attribute), and unlike .innerHTML or attributes I couldn't do anything with .value.

So is .value actually safe? And is there a "simpler" HTML element that has similar behavior?

Maybe I am bad at Googling or just lazy, but I couldn't find anything on it. ("How do I google this?")

I know about validation and encoding, but then I can't feed the output straight into a reverse converter to get the initial base64.

Questions:

  • Is .value XSS safe?
  • Is there a "simpler" HTML element that has similar behavior?

Edit: Removed (XSS does work in textarea innerHTML as asked and answered on other StackOverflow posts).

  • Permitted content for textarea is text - so, are you sure "XSS does work in textarea innerHTML"? Can you link to the other StackOverflow posts you refer to in your question? Commented Jul 19, 2024 at 4:04
  • Yeah, that's on me. There are none. textarea's .innerHTML behaves like .textContent. I must have somehow found an old post about a library that made it possible for whatever reason. Commented Jul 19, 2024 at 13:18

1 Answer

So for the first question, the answer is yes. When you set the .value property of a textarea, the content will be treated as plain text. Therefore, the browser will not interpret or execute the content as code.

For a similar HTML element that also treats the input content as plain text, I can only come up with the input tag with attribute type="text". But as you are pasting in base64 text, which is often very long, the input tag might not be a better option than the textarea tag. Although, you could use CSS to make it look like a textarea or look better when there is a long text being fed in.

If you want to display or update the content, using .textContent would be a better choice. According to the MDN document (https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent), using .textContent can prevent XSS attacks.

1 Comment

Thanks. I did some testing: .textContent automatically encodes all suspicious characters with HTML encoding (e.g. < will appear as &lt; in the source code). It was hard to figure out because the Dev Tools show both encoded and unencoded content the same way. So .textContent is XSS secure and part of its intended design.
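Added example (not code from the question or the answer): a base64-to-text converter that writes its output only through .value or .textContent, never .innerHTML, and reads it back unchanged so the reverse conversion still works. The element objects used in the comments are stand-ins for real DOM nodes; the function names are my own.

```javascript
// Decode base64 into a Unicode string. atob() returns a "binary string"
// (one char per byte), so the bytes are reassembled and decoded as UTF-8.
function base64ToText(b64) {
  const cleaned = b64.replace(/\s+/g, "");          // tolerate pasted line breaks
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(cleaned) || cleaned.length % 4 === 1) {
    throw new Error("not valid base64");
  }
  const bin = atob(cleaned);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Reverse direction: UTF-8 encode the text, then base64 it.
function textToBase64(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Write untrusted text into an element using only text-valued sinks.
// <textarea>/<input> take .value; anything else gets .textContent.
// Neither sink parses HTML, so a string like "<img src=x onerror=...>"
// is shown literally instead of creating an element.
function showPlainText(el, text) {
  if (el.tagName === "TEXTAREA" || el.tagName === "INPUT") {
    el.value = text;
  } else {
    el.textContent = text;               // never el.innerHTML = text
  }
  return el;
}

// Read the text back from the same sink. .textContent returns the exact
// string that was set, so no decoding step is needed before re-encoding.
function readPlainText(el) {
  return el.tagName === "TEXTAREA" || el.tagName === "INPUT"
    ? el.value
    : el.textContent;
}
```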
