When using ::html::textarea, the application is prone to Cross-Site Scripting attacks.
Example (within a CGI script):
puts [::html::textarea foo]
Injection:
http://.../foo.cgi?foo=<payload>
where <payload> is the URL-encoded form of arbitrary HTML, e.g. </textarea><script>alert(/xss/);</script>
Problem:
User input is reflected into the page without HTML entity encoding, so a value containing </textarea> closes the element and everything after it is parsed as live markup.
Solution - example with html_entities (replacement for the proc in tcllib's html package; html_entities resolves to ::html::html_entities inside the namespace, and ncgi::value needs the ncgi package):
    proc ::html::textarea {name {param {}} {current {}}} {
        ::set value [ncgi::value $name $current]
        ;# entity-encode the reflected value so it stays text inside the element
        return "<[string trimright \
            "textarea name=\"$name\"\
            [tagParam textarea $param]"]>[html_entities $value]</textarea>\n"
    }
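The following is an added example, not code from the report or from tcllib: a self-contained Tcl script that renders the constructed payload through an unescaped textarea and through an entity-encoded one, then checks that the encoded output contains no tags other than the textarea itself. The html_escape proc is a stand-in for tcllib's html_entities, covering the characters that matter here.

```tcl
# Added example, not from the original report or tcllib.
package require Tcl 8.5

# Constructed value, as it would arrive decoded from ?foo=... in a CGI request.
set constructed_input {</textarea><script>alert(/xss/);</script>}

# Vulnerable rendering: the value is interpolated verbatim, so a value
# containing </textarea> closes the element and the rest becomes markup.
proc textarea_unescaped {name value} {
    return "<textarea name=\"$name\">$value</textarea>\n"
}

# Minimal HTML entity encoding (stand-in for ::html::html_entities).
proc html_escape {s} {
    return [string map [list "&" "&amp;" "<" "&lt;" ">" "&gt;" \
                             "\"" "&quot;" "'" "&#39;"] $s]
}

# Hardened rendering, as in the report's fix: the value is entity-encoded.
proc textarea_escaped {name value} {
    return "<textarea name=\"$name\">[html_escape $value]</textarea>\n"
}

puts "--- unescaped (value breaks out of the element) ---"
puts [textarea_unescaped foo $constructed_input]
puts "--- escaped (value stays inert text inside the element) ---"
puts [textarea_escaped foo $constructed_input]

# Check: after encoding, the only tags in the output are the textarea's own,
# so the injected </textarea> and <script> can no longer be parsed as markup.
set out  [textarea_escaped foo $constructed_input]
set tags [regexp -all -inline {</?[a-zA-Z]+[^>]*>} $out]
if {[llength $tags] != 2
        || [lindex $tags 0] ne {<textarea name="foo">}
        || [lindex $tags 1] ne {</textarea>}} {
    error "unexpected markup survived encoding: $tags"
}
puts "check passed: only the textarea tags remain in the escaped output"
```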
Affected Version:
http://core.tcl.tk/tcllib/artifact/665bf2f9e2de3630b78be8f4e73b7742c535ec41