do I even need `htmlspecialchars()` for textarea's value

I have a staff.php page which contains a staff member's name, position and detail. When a user needs to edit staff info, they are sent to the edit.php page. The edit.php page shows the name and title in text fields and the detail in a textarea.

My question is, do I even need htmlspecialchars on the edit.php page? I am not printing anything to the user's page, only into those fields. But I'm using htmlspecialchars on staff.php before printing to the user.

Is it still open to an XSS attack?

Code

part from staff.php

$staff.="<div id='sob'>".htmlspecialchars($title)."<br>".htmlspecialchars($sub_title)."<div><a href='edit.php?pid=".htmlspecialchars($pro_id)."'><input type='submit' id='editx' name='editx' value='Edit'></a></div><div id=''><br>".htmlspecialchars($detail)."</div><hr id='h'></div>";

part from edit.php

if(isset($_GET["pid"])){
  $name4=$title;            //
  $sub_title4=$sub_title;   //using prepared statement
  $detail4=$detail;         //
}

HTML part at edit.php

<input type='text' id='staff_name' name='staff_name' value="<?php echo $name4;?>" required>
<br><input type='text' id='staff_pos' name='staff_pos' value="<?php echo $sub_title4;?>" required>
<br><textarea id='staff_detail' name='staff_detail' cols='30' rows='6' required><?php echo $detail4;?></textarea><br>
Coder asked Mar 18 '15 00:03



1 Answer

Protection against XSS isn't just necessary when variables are to be displayed on the screen; it is needed whenever user-generated values are used to build HTML markup, whatever the context.

It is necessary to call htmlspecialchars() on a PHP variable placed inside a <textarea>. Consider the following:

<?php
    // Unsafe text in the variable
    $detail4 = '</textarea><script>alert("XSS!");</script>';
?>

<textarea><?php echo $detail4; ?></textarea>

This results in a closed </textarea> followed by an unsafe injected script (and another closing </textarea> the browser will probably ignore).

It is also necessary to call htmlspecialchars() on the variables placed into value="" attributes, choosing the appropriate constant to ensure internal quotes in the variables are correctly encoded to prevent the attribute being prematurely ended with a quote. If you consistently use double quotes on the attributes, you can accept the default of ENT_COMPAT, but if you sometimes quote attributes with single quotes, use ENT_QUOTES.

<input type='text' name='staff_pos' value="<?php echo htmlspecialchars($sub_title4, ENT_QUOTES);?>" ...>
Michael Berkowski answered Sep 30 '22 05:09

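The answer above covers both contexts in the asker's edit.php form: the <textarea> body and the value="" attributes. The following is an added example, not code from the question or the answer, showing one escaping helper applied to both, with the answer's textarea payload and a constructed attribute-breaking value as test data. The record shape ($staff['title'], ['sub_title'], ['detail']) and the use of str_contains (PHP 8+) are assumptions.

```php
<?php
// Added example: one helper escapes values for both the <textarea> body and
// quoted value="" attributes of the edit form. Not from the original page.
declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both ' and ", so the result is safe whichever quoting
 * style the attribute uses; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
 * instead of returning an empty string (which would silently drop content).
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the edit form markup from a staff record (assumed array shape). */
function render_edit_form(array $staff): string
{
    return '<input type="text" id="staff_name" name="staff_name" value="' . e($staff['title']) . '" required>' . "\n"
         . '<br><input type="text" id="staff_pos" name="staff_pos" value="' . e($staff['sub_title']) . '" required>' . "\n"
         . '<br><textarea id="staff_detail" name="staff_detail" cols="30" rows="6" required>'
         . e($staff['detail']) . '</textarea><br>' . "\n";
}

// Constructed sample record: the answer's textarea payload plus a value that
// would otherwise close the value="" attribute. Test data only.
$staff = [
    'title'     => 'Alice " onmouseover="alert(1)',
    'sub_title' => "Bob's Team",
    'detail'    => '</textarea><script>alert("XSS!");</script>',
];

$html = render_edit_form($staff);
echo $html;

// Sanity checks: no raw tag or quote from the data survives in the markup.
$safe = !str_contains($html, '<script>')
     && substr_count($html, 'value="') === 2          // only the two openers we wrote
     && str_contains($html, '&lt;/textarea&gt;')       // textarea payload neutralised
     && str_contains($html, '&quot; onmouseover=')     // attribute payload neutralised
     && str_contains($html, 'Bob&#039;s Team');        // single quote encoded too
echo $safe ? "escaped correctly\n" : "ESCAPING FAILED\n";
```

Run it with `php` on the command line; the echoed form shows every `<`, `>`, `"` and `'` from the data replaced by entities, so the browser renders them as literal text inside the field rather than parsing them as markup. Routing every variable through one helper, rather than deciding per field whether it "needs" escaping, is the practical answer to the original question.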