cure53 / jPurify

Mozilla Public License 2.0

Enumerate and test against all jQuery XSS sinks #1

Closed cure53 closed 9 years ago

cure53 commented 9 years ago
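```javascript
// Call every jQuery.fn method on <body> with a marked HTML string; each alert names a method that executed it.
for((i)in(jQuery.fn)){try{$('body')[i]('<svg onload="alert(\''+i+'\')">')}catch(e){}}
```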

This fairly trivial snippet, once run on jquery.com or any other "jQueryfied" website, shows a good overview of easy-to-find, active XSS sinks.

We should protect against all of these. Further, additional sinks need to be identified (passive, 2nd and nth arguments, function-only argument, wrapped object arguments).
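An added example, not part of the original issue and not jPurify's own code: one way to guard a list of enumerated sinks so that strings in any argument position, inside arrays, and returned from function arguments pass through a sanitizer first. `cleanArg`, `guardSinks`, `makeFakeFn` and `escapeLt` are hypothetical names; the fake object stands in for `jQuery.fn` and `escapeLt` for a real sanitizer such as `DOMPurify.sanitize`.

```javascript
// Added example. Clean one argument before it reaches a sink: strings directly,
// arrays element-wise, functions by cleaning whatever they return.
function cleanArg(arg, sanitize) {
  if (typeof arg === 'string') return sanitize(arg);
  if (Array.isArray(arg)) return arg.map((v) => cleanArg(v, sanitize));
  if (typeof arg === 'function') {
    return function (...inner) {
      return cleanArg(arg.apply(this, inner), sanitize);
    };
  }
  return arg; // numbers, DOM nodes, wrapped sets: passed through unchanged
}

// Replace each named method on `fn` with a wrapper that cleans every argument.
// Returns the names actually wrapped, so missing sinks are visible to the caller.
function guardSinks(fn, sinkNames, sanitize) {
  const wrapped = [];
  for (const name of sinkNames) {
    const original = fn[name];
    if (typeof original !== 'function' || original.guarded) continue;
    fn[name] = function (...args) {
      return original.apply(this, args.map((a) => cleanArg(a, sanitize)));
    };
    fn[name].guarded = true; // avoid double wrapping on a second call
    wrapped.push(name);
  }
  return wrapped;
}

// Constructed stand-in for jQuery.fn (assumption): each method records what it
// receives and, like jQuery, calls function arguments to obtain the content.
function makeFakeFn(log) {
  const record = (name) => function (...args) {
    log.push([name, args.map((a) => (typeof a === 'function' ? a.call(this, 0, '') : a))]);
    return this;
  };
  return { html: record('html'), append: record('append'), text: record('text') };
}

// Stand-in sanitizer (assumption): only escapes "<" so the effect is visible.
const escapeLt = (s) => s.replace(/</g, '&lt;');

const demoLog = [];
const demoFn = makeFakeFn(demoLog);
guardSinks(demoFn, ['html', 'append'], escapeLt);
demoFn.append('plain', ['<i>in array</i>'], () => '<u>from callback</u>');
console.log(demoLog[0][1]);
```

Apply such a wrapper only to content sinks: running a sanitizer over selector strings would alter them, and wrapping a function argument changes its identity, which matters for any method that later compares handlers.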

cure53 commented 9 years ago

This also holds for older versions...