To my knowledge, if a web page entry text box uses & lt; textarea & gt; & lt; / textarea & gt; then edit it in the middle%MINIFYHTMLf640c65bb9ba67745a6294e2e5bc98df20%
When something like that is submitted, it appears that the alert event will appear on the page, but not why?
Sorry, I just read the question description again and found that I didn’t understand the meaning of the subject.
How does textarea avoid entering the JS script ~still
After filling in JS content output to textarea, JS script is not executed.？
How to avoid entering JS scripts：
The output of the text box to escape meaning, if you use PHP, you can take a look.
P.S.If you want a textarea to deposit in a database, you can also escape it before you save the database, but I personally recommend the output when I recommend it, because you can’t be sure (of course, if you can make sure that you don’t have to see this sentence) the data will be needed before losing it.Doing other operations / operations, so I think keeping the data is original when storing the database.
After filling in JS content output to textarea, JS script is not executed.：
This is probably the case that the subject is not aware of the escape. For example, did the owner automatically filter the framework of XSS? Or is it the question that the browser’s JS is disabled? Please put the code up in detail.
That’s because of all the < in textarea; > & “‘all is escaped, that is, < in HTML; using < instead of waiting, but browsers recognize it to display it as
And that’s when you see it
<script>，The browser sees it
<script> Nature does not execute
All corner characters…
W3CThe standard for < textarea> is defined in this way:
That is, < textarea> only allowed in the label
replaceable character data。
What is this, you can see here:
must not contain any occurrences of the string “</” followed by characters that are a case-insensitive match for the tag name of the element containing the replaceable character data (for example, “</title” or “</textarea”), followed by a space character, “>”, or “/”.
So, as long as there is no content in it
</textarea>Such content, then all characters will be displayed in characters, and will not be interpreted as HTML tags.
Landlord is to prevent XSS attacks, there are two ways to avoid such attacks.
1.When the client browser submits it, the submitted data is filtered, filtered, replaced, and then stored.
2.The client browser submits nothing to do, but at the time of output, it filters and filters the output.
But most of you will take the first
1.Htmlspecialchars, like the one upstairs, can do this, but we must pay attention to specifying second parameters. Of course, htmlspecialchars is not a panacea.
2.It is suggested that the library of htmlpurity be tested by the absolute test of history and powerful for filtering input. The wall crack recommends the common usage in the study.
Is the cell phone so many words?
textareaThe contents in the browser will be automatically encoded into entity characters.
You need to jump out of the textarea label first