For XSS protection, do I need to escape before populating for edit
I have an infected text that I'm testing with.
In display mode, I get the data from the database and display it on the page, and I get the XSS as expected.
In edit mode, I use the same form I used for initial entry and I populate the value from the database into the input fields (textarea in this case), but I'm not getting the XSS. Is this normal? Is form field data not susceptible to XSS because the text is being displayed inside the form field, so there is no need for the XSS protection I use in normal display?
By the way, the specific XSS I'm testing with is this. I got it from the cheat sheet for XSS on hackers, the first one.
';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
No, the form fields are susceptible to XSS, so you need to escape them as well.
Template sample:
<input type="text" name="foo" value="{$value}" />
Value sample:
" /><script>alert(123);</script><input attr="
Result:
<input type="text" name="foo" value="" /><script>alert(123);</script><input attr="" />
An example.
</TEXTAREA><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
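Both answers make the same point from two angles: the attribute payload in the first answer closes the `value="..."` attribute and the `<input>` tag, and the textarea payload in the second answer closes the `</textarea>` element. The following is an added example, not code from either answer or from the question, showing one HTML-escaping helper applied to both contexts. The `renderUnsafe`, `renderSafe`, `escapeHtml`, `containsScriptTag` and `countTextareaClosers` functions and the `foo`/`bar` field names are assumptions made for this illustration; the two payload strings are the ones quoted in the answers.

```javascript
// Added example (not from the original post): one HTML-escaping helper used
// for both an input value attribute and a textarea body, showing that raw
// data breaks out of the field while escaped data stays inside it.

// Escape the five characters that matter in HTML text and attribute contexts.
// Ampersand goes first so already-produced entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Edit form rendered the unsafe way: the stored value is dropped straight into
// the template, exactly like the {$value} placeholder in the first answer.
function renderUnsafe(value) {
  return `<input type="text" name="foo" value="${value}" />\n` +
         `<textarea name="bar">${value}</textarea>`;
}

// Edit form rendered the safe way: the same value, escaped once for both
// the quoted attribute and the textarea body.
function renderSafe(value) {
  const v = escapeHtml(value);
  return `<input type="text" name="foo" value="${v}" />\n` +
         `<textarea name="bar">${v}</textarea>`;
}

// Check whether the rendered markup contains an opening <script> tag that the
// template itself never emits (case-insensitive, so <SCRIPT> also counts).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Count literal </textarea> closers in the markup. The template contributes
// exactly one; anything above that came from the data.
function countTextareaClosers(html) {
  return (html.match(/<\/textarea>/gi) || []).length;
}

// The two payloads quoted in the answers above (constructed test input).
const attributePayload = '" /><script>alert(123);</script><input attr="';
const textareaPayload = '</TEXTAREA><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>';

// Render both payloads both ways so the difference is visible side by side.
for (const payload of [attributePayload, textareaPayload]) {
  const unsafe = renderUnsafe(payload);
  const safe = renderSafe(payload);
  console.log("--- unsafe ---\n" + unsafe);
  console.log("script tag present:", containsScriptTag(unsafe),
              "| textarea closers:", countTextareaClosers(unsafe));
  console.log("--- safe ---\n" + safe);
  console.log("script tag present:", containsScriptTag(safe),
              "| textarea closers:", countTextareaClosers(safe));
}
```

Run it with `node` and compare the two renderings: in the unsafe output the browser would see a closed `<input>` followed by a live `<script>` element (or a closed `<textarea>` followed by one), while in the safe output every `<`, `>` and `"` from the data has become an entity, so the text is shown inside the field and nothing executes. The same helper serves both contexts here because the escaping rules for HTML text and for double-quoted attribute values overlap; a value placed somewhere else (a URL, a JavaScript string, a CSS value) needs the encoder for that context instead.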