I stumbled on the fact that text_area_tag does not HTML escape its content by default. For example:
text_area_tag "body", "</textarea><script>alert('xss');</script>"
If you try that, you'll see that the content is inserted literally. Considering the fact that the tag helpers all encode their attribute values by default, does this surprise anyone else?
I found a ticket on this issue from a couple of years ago from Chris Mear, but it looks like it was dropped: http://dev.rubyonrails.org/ticket/5929
It seems like there were two main arguments against encoding:
1. backwards compatibility
2. some people depend on this behavior to allow HTML in their text area boxes
#2 I don't really understand. You can allow HTML...just escape it. It's equivalent to allowing HTML in a text field tag, no? You have to either know the value is sanitized or escape it.
#1 I can understand, but that's not a show-stopper, right? There have been numerous non-backwards-compatible changes adopted by introducing them slowly, providing config options, etc.
I'm guessing there are quite a few people using text_area_tag and assuming the content is being safely escaped by default. And every one of them is an XSS problem.
It's an issue with anything that uses content_tag, of course. Try this, for example:
label_tag 'foo', "</label><script>alert('xss2')</script>"
At the very least, are we amenable to adding a note in the FormTagHelper docs about the escaping rules?
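To make the post's point concrete, here is an added, self-contained Ruby example (not Rails' own TagHelper/FormTagHelper code) that re-implements the two flavours of content_tag in miniature: one that escapes attribute values but drops the element content in verbatim, which is the behaviour described above for text_area_tag and label_tag, and one that HTML-escapes the content too. The helper names (unescaped_content_tag, escaped_content_tag, unsafe_text_area_tag, safe_text_area_tag, script_breakout?) are hypothetical, and the payload string is constructed for the example; only ERB::Util.html_escape from the Ruby standard library is used.

```ruby
require "erb"

# Illustrative stand-ins written for this example; they are NOT the Rails
# helpers, only a minimal model of their escaping behaviour.

# Escape a value for use inside a double-quoted HTML attribute.
def escape_attr(value)
  ERB::Util.html_escape(value.to_s)
end

# Build an opening tag. Attribute values are always escaped, which is the
# part the Rails tag helpers already get right.
def open_tag(name, attrs)
  rendered = attrs.map { |k, v| %( #{k}="#{escape_attr(v)}") }.join
  "<#{name}#{rendered}>"
end

# Models the complained-about behaviour: attributes escaped, content verbatim.
# A value containing "</textarea>" closes the element early and whatever
# follows is parsed as markup.
def unescaped_content_tag(name, content, attrs = {})
  "#{open_tag(name, attrs)}#{content}</#{name}>"
end

# Hardened form: the content is HTML-escaped as well, so "<" and ">" can
# never terminate the element. Callers who really want literal HTML inside
# the element must sanitize it first and call unescaped_content_tag on purpose.
def escaped_content_tag(name, content, attrs = {})
  "#{open_tag(name, attrs)}#{ERB::Util.html_escape(content.to_s)}</#{name}>"
end

def unsafe_text_area_tag(name, content)
  unescaped_content_tag("textarea", content, { name: name, id: name })
end

def safe_text_area_tag(name, content)
  escaped_content_tag("textarea", content, { name: name, id: name })
end

# Constructed attacker-controlled value, the same shape as in the post.
PAYLOAD = "</textarea><script>alert('xss');</script>"

# True when the rendered markup contains a live <script> element, i.e. the
# textarea breakout succeeded.
def script_breakout?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_text_area_tag("body", PAYLOAD)   # breakout: literal </textarea><script>
  puts safe_text_area_tag("body", PAYLOAD)     # content shows up as &lt;/textarea&gt;...
  puts script_breakout?(unsafe_text_area_tag("body", PAYLOAD))
  puts script_breakout?(safe_text_area_tag("body", PAYLOAD))
end
```

The same two helpers model the label_tag case: escaped_content_tag("label", payload, { for: "foo" }) keeps a "</label><script>" payload inert, while unescaped_content_tag lets it close the label and inject a script element. Note that attribute escaping alone does nothing for the content position; the two contexts need separate escaping, which is why a helper that only escapes attributes is still an XSS sink.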