
Recommended XSS protection htmlDecode() isn't actually safe

Open andymadge opened this issue 10 years ago • 1 comment

Even though the DIV never gets attached to the DOM, some browsers will still load images and fire events. See this comment on Stack Overflow

Using a textarea instead of a DIV is safer, see here.

andymadge avatar Nov 07 '14 17:11 andymadge
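The three decoders below are an added example written for this issue, not code from the backbonetutorials project or from the reporter. The shape of htmlDecodeUnsafe() is an assumption about the detached-div decoder the issue criticises; htmlDecodeTextarea() is the textarea alternative the issue recommends; htmlDecodePure() goes one step further than the issue and decodes entities with no DOM involvement at all. All function names, the NAMED_REFERENCES table and the ESCAPED_PAYLOAD sample are constructed for this example.

```javascript
// Added example for this issue; not the backbonetutorials code. The shape of
// htmlDecodeUnsafe() is an assumption about the decoder the issue refers to.

// 1. Detached-<div> decoder (assumed shape). Setting innerHTML parses the
//    markup immediately: an <img src=x onerror=...> requests "x" and, when
//    that request fails, fires onerror, even though the div is never attached.
function htmlDecodeUnsafe(value) {
  const div = document.createElement('div');
  div.innerHTML = value;            // markup is parsed and activated here
  return div.textContent;
}

// 2. <textarea> variant from the issue. A textarea's content is RCDATA: the
//    parser decodes character references but never turns tags into elements,
//    so no image is requested and no event handler can fire.
function htmlDecodeTextarea(value) {
  const ta = document.createElement('textarea');
  ta.innerHTML = value;
  return ta.value;
}

// 3. DOM-free decoder: a plain string transform that cannot instantiate
//    elements at all. Covers numeric references and the named references a
//    templating escaper normally emits; anything unrecognised is left as-is.
const NAMED_REFERENCES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

function htmlDecodePure(value) {
  return String(value).replace(
    /&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi,
    (match, body) => {
      if (body[0] === '#') {
        const hex = body[1] === 'x' || body[1] === 'X';
        const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
        // Keep the literal text for &#0; and for code points beyond U+10FFFF.
        return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
      }
      const named = NAMED_REFERENCES[body];
      return named !== undefined ? named : match;
    },
  );
}

// Constructed sample: what a template escaper would emit for an injected
// image tag. Decoding it yields the tag as text; the danger lies only in
// handing that text to an HTML parser, which is what innerHTML on a div does.
const ESCAPED_PAYLOAD = '&lt;img src=x onerror=alert(1)&gt;';

// Runs every decoder available in the current environment and returns the
// results keyed by name. Under Node only the pure decoder can run; in a
// browser the "unsafe" entry is the one that triggers onerror.
function decodeAll(value) {
  const out = { pure: htmlDecodePure(value) };
  if (typeof document !== 'undefined') {
    out.textarea = htmlDecodeTextarea(value);
    out.unsafe = htmlDecodeUnsafe(value);
  }
  return out;
}

console.log(decodeAll(ESCAPED_PAYLOAD));
```

Paste the block into a browser console to see the difference between the three: only htmlDecodeUnsafe() pops the alert. The pure decoder is single-pass by construction (`&amp;lt;` becomes `&lt;`, not `<`), which is the behaviour a decoder should have so that a value escaped twice is never silently turned into markup.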

See http://jsfiddle.net/vcm8r35a/ to demo the problem

andymadge avatar Nov 07 '14 17:11 andymadge