HTML Tags and Potentially Dangerous Characters

[Fred]

I appreciate the potential danger vis-a-vis Cross-Site Scripting in allowing
user input to get to a Response.Write.

Suppose, however, that user input is assigned ONLY to the innerText
attribute of a textarea artifact. If this were the case, would there be any
potential of mischief?

(The reason I'm asking is that I want to allow user input to include
characters that are potentially dangerous ('<', '>', '#', etc.).

Thanks, in advance.

 

[Guest]

I appreciate the potential danger vis-a-vis Cross-Site Scripting in allowing
user input to get to a Response.Write.

Suppose, however, that user input is assigned ONLY to the innerText
attribute of a textarea artifact.  If this were the case, would there be any
potential of mischief?

(The reason I'm asking is that I want to allow user input to include
characters that are potentially dangerous ('<', '>', '#', etc.).

Thanks, in advance.

This depends on how you would use that text later. Assume you would
display it on another page. So, type "<script>alert('hi')</script>,
save an see what happens. If you don't validated or encoded it, you
will see what people called "cross-site scripting (XSS) attack".

See more details here http://tldp.org/HOWTO/Secure-Programs-HOWTO/cross-site-malicious-content.html
or google for "ASP.NET XSS"

Hope this helps.