javascript xss inside textarea

Developer https://www.devze.com 2023-03-27 19:29 Source: Internet
I have a span where I have this text inside:

/><textarea>

I then try to edit the span's text by replacing what's inside it with a textarea and adding its text inside.

Then, when I try to cancel the edit and remove the textarea and then return the data back to the span, this appears:

/> and the textarea near it.

Which is wrong.

I am trying to avoid such things due to XSS attacks.

Also, if I try adding this code inside the span:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

to test if XSS is working... I will not get any error since I use htmlentities when I refresh the page...

So I use the click button, the textarea appears with this inside... all good here, but when I cancel it so I can see the message back as it was inside the span... the XSS alert pops up...

Any ideas on how to solve this?


Just use text nodes. (document.createTextNode(text here) to create it and then appendChild it like any other node)


I just had to replace html(), which then filled the span with the text, with text().
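
The round trip both answers describe, as an added example that is not part of the original posts: the span's text goes into the textarea and back through textContent, .value and a text node only, so it is never handed to the HTML parser. The function names startEdit, cancelEdit, saveEdit and restore are hypothetical.

```javascript
// Added example (not from the original thread): click-to-edit on a <span>.
// jQuery equivalents: .text() to read, .val() for the textarea,
// .text(value) to write back; never .html(value) with user text.

function startEdit(span) {
  const doc = span.ownerDocument;
  const original = span.textContent;     // decoded characters, not markup
  const area = doc.createElement('textarea');
  area.value = original;                 // property assignment, nothing is parsed
  while (span.firstChild) span.removeChild(span.firstChild);
  span.appendChild(area);
  return { span, area, original };       // state needed to cancel or save later
}

function restore(state, text) {
  const { span } = state;
  while (span.firstChild) span.removeChild(span.firstChild);
  // The behaviour from the question comes from parsing the text as HTML:
  //   span.innerHTML = text;            // jQuery: $(span).html(text)
  // A text node shows the same characters literally instead.
  span.appendChild(span.ownerDocument.createTextNode(text));
  return span;
}

// Cancel puts back the text captured when editing started.
function cancelEdit(state) { return restore(state, state.original); }

// Save puts back whatever is now in the textarea, still as plain text.
function saveEdit(state) { return restore(state, state.area.value); }
```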
