Is there risk to having unsanitized user input display in a textarea?
I save two versions of user input in the following sequence:
- Untrusted user enters raw markdown.
- Raw markdown is stored in one table.
- A copy of the raw markdown is converted into HTML.
- HTML is sanitized and persisted, and is displayed upon request.
- The raw markdown version is only displayed when users edit an entry; it's loaded into a textarea of a form.
Is there any risk in loading raw markdown (which could potentially contain unsafe HTML) into a textarea? It would never be displayed outside of a textarea.
I can't sanitize the markdown because it would result in inconsistencies between the markdown and HTML versions I'm saving.
FYI: I always sanitize SQL, regardless of what I'm saving to the DB.
You don't have to sanitize it there, just take care of correctly escaping HTML special characters such as < and >.
For instance, Stackoverflow allows you to post HTML code in your posts, it does not remove anything. This is achieved by encoding, not sanitizing.
It depends how you're "loading" it into the textarea. If you're doing it server-side through simple string concatenation, e.g. in php,
$output = '<textarea>' . $markdown . '</textarea>';
...then there is absolutely a risk, because that markdown could very easily close out the textarea and embed whatever else it wants. If you're using some sort of a component framework (e.g., ASP.NET), then you should be protected as long as you use a safe API method, such as MyTextArea.Value = markdown;.
If you're doing it client-side, it also depends on how you're doing this. You would be safe if you used something like jQuery's .val() setter, but could still expose yourself to XSS vulnerabilities through other approaches.
In short, the general answer is yes, depending on how you're actually creating and populating the textarea.
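As an added illustration of the two answers above (not code from the question or from any answerer), the same markdown is rendered into a textarea once by raw concatenation and once after HTML-encoding it; `escapeHtml`, `renderTextareaUnsafe`, `renderTextareaSafe` and `countTextareaClosers` are hypothetical names, and the sample markdown is constructed.

```javascript
// Added example (not from any answer on this page): the difference between
// concatenating raw markdown into a <textarea> and HTML-encoding it first.
// escapeHtml and the render functions below are hypothetical names.

// Encode the characters that matter inside a textarea: "&" so that entity
// text typed by the user is shown as typed rather than decoded, and "<" so
// that "</textarea>" cannot terminate the element. ">" and quotes as well.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The pattern the answer warns about: raw string concatenation.
function renderTextareaUnsafe(markdown) {
  return "<textarea>" + markdown + "</textarea>";
}

// The same output with the markdown HTML-encoded; the browser decodes the
// entities when it populates the textarea, so the user still sees raw markdown.
function renderTextareaSafe(markdown) {
  return "<textarea>" + escapeHtml(markdown) + "</textarea>";
}

// Crude check used only for this demonstration: more than one textarea
// terminator in the markup means the content broke out of the element.
function countTextareaClosers(html) {
  return (html.match(/<\/textarea\s*>/gi) || []).length;
}

// Constructed sample input: markdown that happens to carry a closing tag.
const sampleMarkdown = "# Title\n\nSome *text* </textarea><b>outside the box</b>";

function demo() {
  const unsafe = renderTextareaUnsafe(sampleMarkdown);
  const safe = renderTextareaSafe(sampleMarkdown);
  return {
    unsafeClosers: countTextareaClosers(unsafe), // 2: the input closed the element early
    safeClosers: countTextareaClosers(safe),     // 1: only the real closing tag
    safe,
  };
}
```

On the client side the equivalent is assigning the raw string to the element's `value` property (which is what jQuery's `.val()` does), since that path never parses the string as HTML.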
Are you at least doing SQL sanitation? When you INSERT or UPDATE the data, are you using some type of DAO that escapes the SQL or, if using Java, using a Prepared Statement where you set the arguments?
You must always sanitize things before they go into the DB. Otherwise people could add a stray
'); --Malicious procedure here.
..into a request.
There are some security risks to leaving unsanitized input in the text box; mainly if the user is infected with something that's injecting Javascript, it will show up for him or her each time.
Why even save that? Then you're giving your user a totally inconsistent view from what they enter to what is displayed? They won't match up. It's best to clean the input so when the user views it again he or she can clearly see that the offending HTML was removed for security.