Closed Bug 167554 Opened 23 years ago Closed 23 years ago

Textarea has inconsistent treatment of comments (possible exploit)

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows 2000
defect
Not set
major

RESOLVED INVALID

People

(Reporter: levik, Assigned: harishd)

Details

(Keywords: compat)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826

A textarea containing an HTML comment will render it as plaintext (you will see the actual tag). However, a malformed comment tag, where the comment is opened but never closed, will be interpreted as the beginning of a comment block that never terminates, resulting in not rendering any content following the textarea.

This is obviously a huge problem for dynamic sites where users can enter text to be rendered in the textarea.

I was under the impression that the only HTML recognized in a textarea is a closing </TEXTAREA> tag. This is supported by the fact that fully formed comments are displayed inside of a textarea, and not suppressed.

See the testcase URL and compare Moz behavior to IE.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Well... character entities are also allowed inside a textarea. So its contents _do_ need to be parsed as HTML. It's not clear to me from the HTML spec whether comments are allowed inside textareas, but you should be escaping '<' in any case (what's to prevent a user from typing '</textarea>'?)
Assignee: jkeiser → harishd
Component: HTML Form Controls → Parser
QA Contact: tpreston → moied
Whiteboard: DUPEME
lev: The behavior you describe is closer to that of an element with CDATA declared content, which <textarea> is not. If "<!-- comment -->" displays in a textarea, that's a bug; it should be escaped as "&lt;!-- comment -->", markup recognition in textareas being normal...
Yes, this is invalid. Convert the "<" to "&lt;" in the textarea and you'll be fine.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Keywords: compat
Resolution: --- → INVALID
Whiteboard: DUPEME
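The escaping the replies above recommend, applied to user text before it is written into a textarea, as an added example that is not part of the original bug report. The function names and sample inputs are constructed, and `decodeEntities` only stands in for the browser's entity decoding so the round trip can be checked offline.

```javascript
// Added example: escape user text before writing it into a <textarea>.
// All names and sample inputs are constructed for illustration.

// Escape characters the HTML parser treats as markup in textarea content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// HTML parsers drop one newline right after the start tag, so emitting one
// here preserves a leading newline in the user's own text.
function renderTextarea(name, value) {
  return '<textarea name="' + escapeHtml(name) + '">\n' +
    escapeHtml(value) + "</textarea>";
}

// Stand-in for the browser's entity decoding; '&amp;' must be decoded last.
function decodeEntities(text) {
  return text
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Check one input: no raw '<' inside the control, exactly one end tag,
// and the decoded content equals what the user typed.
function check(value) {
  const markup = renderTextarea("body", value);
  const inner = markup.slice(markup.indexOf(">\n") + 2,
    markup.lastIndexOf("</textarea>"));
  return {
    markup,
    rawMarkup: inner.includes("<"),
    endTags: markup.split("</textarea>").length - 1,
    roundTrip: decodeEntities(inner) === value,
  };
}

// Constructed inputs covering the cases raised in the bug.
const samples = ["<!-- never closed", "<!-- comment -->",
  "</textarea><b>outside</b>", "AT&T &lt; typed literally", "\nleading newline"];

for (const s of samples) console.log(check(s));
```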