HTML: <textarea>-Tag: How to correctly escape HTML and JavaScript content displayed in there?

Question

I have a HTML Tag $FOO and the $FOO Variable will be filled with arbitrary HTML and JavaScript Content, to be disp

Answer 1

You need to replace the special character of HTML with character references (either numerical character references or entity references), in textarea, at least &, < and >.

Answer 2

I first tought of escaping it HTML

Yes, that's right. The contents of a <textarea> are no different from the contents of any other element like a <span> or a <p>: if you want to put some text inside you must HTML-escape any < or & characters in it to < and & respectively.

Browsers do tend to give you more leeway with fault markup in <textarea>​s, in that the fallback for invalid unescaped < symbols is to render them as text instead of tags, but that doesn't make it any less wrong or dangerous (for XSS).

but this didnt work

Please post what you did that didn't work. HTML-escaping is definitely the right thing.