[xwiki-users] Using <textarea> with xwiki: nightmare??

Hello, i'd like some informations on how to get xwiki + velocity to render properly a form containing a prefilled <textarea>. I have tried several way and, in the end, i ended up using a groovy script, which requires developper priviledge. All other options i tried had issues. Could someone tell me if there is a way to get it to work with. I have a variable X, i want content of X to be html escaped (eg <b> becomes &ltg;b&gt;) and output in the final document between <textarea> </textarea> tags. So far, i attempted the following {{velocity}} #set($test = "**hello**<b>test</b>") {{html clean="false" xwiki="false"}} <textarea cols="75" rows="2" name="description">$test</textarea> {{/html}} {{/velocity}} {{velocity xwiki="false"}} #set($test2 = "**hello2**<b>test</b>") {{/velocity}} {{html clean="false" xwiki="false"}}<textarea cols="75" rows="2" name="description">{{/html}}{{velocity xwiki="false"}}${test2}{{/velocity}}{{html clean="false" xwiki="false"}}</textarea>{{/html}} {{velocity xwiki="false"}} #set($test3 = "**hello3**<b>test</b>") {{/velocity}} {{html clean="false" xwiki="false"}}<textarea cols="75" rows="2" name="description">{{/html}}{{velocity xwiki="false"}}${test3}{{/velocity}}{{html clean="false" xwiki="false"}}</textarea>{{/html}} {{groovy}} test4 = org.apache.commons.lang.StringEscapeUtils.escapeHtml("**hello4**<b>test</b>"); {{/groovy}} {{velocity xwiki="false"}}{{html clean="false" xwiki="false"}}<textarea cols="75" rows="2" name="description">${test4}</textarea>{{/html}}{{/velocity}} And got the following renders (html sources) < textarea cols = "75" rows = "2" name = "description" >**hello**<b>test</b></ textarea > < textarea cols = "75" rows = "2" name = "description" ><strong>hello2</strong>&lt;b&gt;test&lt;/b&gt;</ textarea > < textarea cols = "75" rows = "2" name = "description" ><strong>hello3</strong>&lt;b&gt;test&lt;/b&gt;</ textarea > < textarea cols = "75" rows = "2" name = "description" >**hello4**&lt;b&gt;test&lt;/b&gt;</ textarea > As you can see: option 1 left <b></b> tags as is, which can lead to html injection vulnerability of my form. option 2 and 3 replaced ** with <strong> which mean we alter user input :/ option 4 works but requires developper priviledges. :/ David Delbecq