Textarea has inconsistent treatment of comments (possible exploit)

RESOLVED INVALID

Status

defect
--
major
RESOLVED INVALID
17 years ago
6 years ago

People

(Reporter: levik, Assigned: harishd)

Tracking

({compat})

Trunk
x86
Windows 2000

Reporter

Description

17 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826

A textarea containing an HTML comment will render it as plaintext (you will see
the actual tag). However, a malformed comment tag, where the comment is opened but
never closed, will be interpreted as the beginning of a comment block that never
terminates, resulting in not rendering any content following the textarea. This
is obviously a huge problem for dynamic sites where users can enter text to be
rendered in the textarea.

I was under the impression that the only HTML recognized in a textarea is a
closing </TEXTAREA> tag. This is supported by the fact that fully formed
comments are displayed inside of a textarea, and not suppressed.

See the testcase URL and compare Moz behavior to IE. 

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Well... character entities are also allowed inside a textarea.  So its contents
_do_ need to be parsed as HTML.

It's not clear to me from the HTML spec whether comments are allowed inside
textareas, but you should be escaping '<' in any case (what's to prevent a user
from typing '</textarea>'?)

Assignee: jkeiser → harishd
Component: HTML Form Controls → Parser
QA Contact: tpreston → moied
Whiteboard: DUPEME

lev: The behavior you describe is closer to that of an element with CDATA
declared content, which <textarea> is not. If "<!-- comment -->" displays in a
textarea, that's a bug; it should be escaped as "&lt;!-- comment -->", markup
recognition in textareas being normal...

Yes, this is invalid. Convert the "<" to "&lt;" in the textarea and you'll be fine.

Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Keywords: compat
Resolution: --- → INVALID
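
The escaping recommended in the comments above, as an added example that is not part of the original bug report or of Mozilla's code: user text is entity-escaped before it is written into a textarea body, so an unclosed comment or a typed `</textarea>` stays text. The function names and sample inputs are constructed for illustration.

```javascript
// Added example: escaping untrusted text for a <textarea> body.
// All names and sample inputs here are constructed for illustration.

// Escape "&" first, so an entity the user typed (e.g. "&lt;") is shown
// literally instead of being decoded by the browser. ">" is escaped as well;
// that is harmless and keeps the body free of anything that looks like markup.
function escapeTextareaText(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attribute values additionally need the quote character escaped.
function escapeAttr(text) {
  return escapeTextareaText(text).replace(/"/g, "&quot;");
}

function renderTextarea(name, value) {
  return '<textarea name="' + escapeAttr(name) + '">' +
    escapeTextareaText(value) + "</textarea>";
}

// Pull the body back out of the generated markup (for checking only).
function textareaBody(html) {
  return html.slice(html.indexOf(">") + 1, html.lastIndexOf("</textarea>"));
}

// Decode the three entities produced above, "&amp;" last, to confirm that
// what the user sees in the control equals what was stored.
function decodeTextareaText(escaped) {
  return escaped
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Constructed inputs matching the cases raised in this bug.
const SAMPLES = [
  "<!-- comment -->",          // well-formed comment
  "<!-- never closed",         // unclosed comment from the report
  "</textarea><b>after</b>",   // user-typed closing tag
  "a &lt; b",                  // user-typed entity must stay literal
];

for (const s of SAMPLES) {
  console.log(renderTextarea("msg", s));
}
```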
