donabrams closed 7 years ago
+1
I know this is probably best practice, but isn't this more of an edge case that would be best in docs vs. all of the examples?
Better to instill best practices into code IMO. Most people will be referencing examples as they build and might get FUD if they see unrelated XSS vulnerabilities mentioned in the documentation.
I agree with merging this, but this PR is too far behind & I've appointed new contributors.
If someone would like to merge it and isn't a contributor, ping me. I eagerly accept new owners.
Any data with a string including </script> when stringified may create an XSS security hole when rendering. See https://github.com/yahoo/serialize-javascript#user-content-automatic-escaping-of-html-characters.
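
The problem described in this PR, as an added example that is not code from the PR or from the linked library: state embedded in an inline script via `JSON.stringify` is cut off at the first `</script>`, while the same JSON with HTML-significant characters written as `\uXXXX` escapes survives intact. The helper names, the `window.__STATE__` variable, the escape set and the sample state are assumptions made for this example.

```javascript
// Added example. Helper names and the sample state are constructed.
const ESCAPES = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Valid JSON, but "<", ">" and "/" pass through unchanged.
function naiveSerialize(state) {
  return JSON.stringify(state);
}

// Same JSON with HTML-significant characters written as \uXXXX escapes.
// These only occur inside JSON string literals, so the value parses back
// to the identical data while the markup can no longer contain "</script".
function safeSerialize(state) {
  return JSON.stringify(state).replace(/[<>\/\u2028\u2029]/g, (c) => ESCAPES[c]);
}

function renderPage(serialized) {
  return '<script>window.__STATE__ = ' + serialized + ';</script>';
}

// Approximation of the HTML parser: the script element's text ends at the
// first "</script" (case-insensitive); JavaScript string quoting is ignored.
function scriptTextSeenByBrowser(html) {
  const rest = html.slice(html.indexOf('<script>') + '<script>'.length);
  const end = rest.search(/<\/script/i);
  return end === -1 ? rest : rest.slice(0, end);
}

// True when the browser-visible script text still holds the full state.
function stateSurvives(serialize, state) {
  const text = scriptTextSeenByBrowser(renderPage(serialize(state)));
  const m = /^window\.__STATE__ = (.*);$/s.exec(text);
  if (!m) return false;
  try {
    return JSON.stringify(JSON.parse(m[1])) === JSON.stringify(state);
  } catch {
    return false;
  }
}

const sampleState = { comment: 'nice post </script><p>markup after the early close' };
console.log('naive:', stateSurvives(naiveSerialize, sampleState));
console.log('escaped:', stateSurvives(safeSerialize, sampleState));
```
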