How to stop an html TEXTAREA from decoding html entities

html decoding html-entities
Rami Dabain picture Rami Dabain · Dec 15, 2011 · Viewed 35.9k times · Source

I have a strange problem:

In the database, I have a literal ampersand lt semicolon: 

<div

whenever its printed into a html textarea tag, the source code of the page shows the > as >.

How do I stop this decoding?

Answer

Quentin picture Quentin · Dec 15, 2011

You can't stop entities being decoded in a textarea[1] since the content of a textarea is not (unlike a script or style element) intrinsic CDATA, even though error recovery may sometimes give the impression that it is.

The definition of the textarea element is:

<!ELEMENT TEXTAREA - - (#PCDATA)       -- multi-line text field -->

i.e. it contains PCDATA which is described as:

Document text (indicated by the SGML construct "#PCDATA"). Text may contain character references. Recall that these begin with & and end with a semicolon (e.g., Herg&eacute;'s adventures of Tintin contains the character entity reference for the e acute character).

This means that when you type (the invalid HTML of) "start of tag" (<) the browser corrects it to "less than sign" (&lt;) but when you type "start of entity" (&), which is allowed, no error correction takes place.

You need to write what you mean. If you want to include some HTML as data then you must convert any character with special meaning to its respective character reference.

If the data is:

&lt;div

Then the HTML must be:

<textarea>&amp;lt;div</textarea>

You can use the standard functions for converting this (e.g. PHP's htmlspecialchars or Perl's HTML::Entities module).

NB 1: If you were using XHTML[2] (and really using it, it doesn't count if you serve it as text/html) then you could use an explicit CDATA block:

<textarea><![CDATA[&lt;div]]></textarea>

NB 2: Or if browsers implemented HTML 4 correctly

Ok , but the question is . why it decodes them anyway ? assuming i've added & , save the textarea , ti will be saved &lt; , but displayed as < , saving it again will convert it back to < (but it will remain < in the database) , saving again will save it a < in the database , why the textarea decodes it ?

  • The server sends (to the browser) data encoded as HTML.
  • The browser sends (to the server) data encoded as application/x-www-form-urlencoded (or multipart/form-data).

Since the browser is not sending the data as HTML, the characters are not represented as HTML entities.

If you take the data received from the client and then put it into an HTML document, then you must encode it as HTML first.

Related questions

Decoding URL parameters with JavaScript

This should be a simple task, but I can't seem to find a solution. I have a basic string that is being passed through as a query string parameter like this one: This+is+a+message+with+spaces. I would …

Read More
How to create an HTML button that acts like a link?

I would like to create an HTML button that acts like a link. So, when you click the button, it redirects to a page. I would like it to be as accessible as possible. I would also like it so …

Read More
How do I check whether a checkbox is checked in jQuery?

I need to check the checked property of a checkbox and perform an action based on the checked property using jQuery. For example, if the age checkbox is checked, then I need to show a textbox to enter age, else …

Read More