I believe the textarea input is vulnerable to XSS. It uses $value between the textarea tags. We haven't escaped this value. We need to be using htmlentities($output, ENT_QUOTES, 'UTF-8') to escape any user-provided output, as none of it should be able to break the HTML.
There are other locations, other than textarea, where we should be doing this escaping. Anywhere we accept user/developer input and render it should be escaped.
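The rendering pattern the report describes, shown as an added example rather than the project's own code: an unescaped textarea beside a version that passes every rendered value through htmlentities($value, ENT_QUOTES, 'UTF-8'). The function names (e, renderTextareaUnsafe, renderTextareaSafe, breakoutCount) and the sample input are assumptions made for the illustration; the sample is constructed, not taken from any real finding.

```php
<?php
// Added example, not the project's code. Shows why interpolating $value
// straight into <textarea>...</textarea> is an XSS sink and how the escaping
// requested in the report closes it.

// Escape helper: ENT_QUOTES encodes both ' and " so the same helper is safe
// for attribute values, and the explicit 'UTF-8' keeps multibyte text intact.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable form, as described in the report: $value is placed between the
// tags without escaping. A value containing "</textarea>" terminates the
// element early and everything after it is parsed as markup.
function renderTextareaUnsafe(string $name, string $value): string
{
    return "<textarea name=\"$name\">$value</textarea>";
}

// Hardened form: every user/developer supplied piece is escaped, including
// the name attribute, because that is rendered output too.
function renderTextareaSafe(string $name, string $value): string
{
    return '<textarea name="' . e($name) . '">' . e($value) . '</textarea>';
}

// Counts literal closing tags in the rendered HTML. Exactly one means the
// element boundary is intact; more than one means the value broke out.
function breakoutCount(string $html): int
{
    return substr_count($html, '</textarea>');
}

// Constructed sample input: harmless text that nevertheless carries a closing
// tag, which is all that is needed to escape the textarea context.
$sample = "Some notes</textarea><b>rendered outside the textarea</b>";

$unsafe = renderTextareaUnsafe('notes', $sample);
$safe   = renderTextareaSafe('notes', $sample);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
echo "closing tags in unsafe output: ", breakoutCount($unsafe), PHP_EOL;
echo "closing tags in safe output:   ", breakoutCount($safe), PHP_EOL;
```

Running the script prints two closing tags for the unsafe render and one for the safe render; in the safe output the user's "</textarea>" survives only as "&lt;/textarea&gt;", which the browser displays as text inside the box instead of parsing. The same e() helper is what the report's second paragraph asks for at every other place where accepted input is rendered.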