ifad / data-confirm-modal

Makes Rails' link_to confirm: 'foo' build a Bootstrap Modal instead of calling the browser's confirm() API.
MIT License

Use .html instead of .text #51

Status: Closed (jamgregory closed this 6 years ago)

jamgregory commented 7 years ago

Hello,

Unless I'm mistaken, as per https://stackoverflow.com/a/18418270, it's recommended to use .html instead of .text when amending the contents of a page using jQuery (it's certainly faster to use .html over .text).

This PR changes the relevant .text entries in the JavaScript to use .html instead.

vjt commented 6 years ago

Hi, thanks for the feedback. Although faster, the .text() is there on purpose: it avoids inserting HTML by mistake where HTML should not be. The interface mandates that those options are "text", and thus we use the jQuery entity filter to escape the text. Although really unlikely, using .text() closes the door to XSS attacks, should the modal be evaluated with options coming from untrusted sources.
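The distinction vjt describes, as an added example that is not data-confirm-modal's own code: jQuery's `.text(value)` sets `textContent`, so the browser serialises the value as inert text, while `.html(value)` assigns `innerHTML`, so the value is parsed as markup. The two render functions below stand in for the two ways the modal could fill its title and body; the option names (`title`, `confirm`) mirror the `data-title` / `data-confirm` attributes the modal reads and are an assumption here, as is the sample "untrusted" input, which is constructed for the demonstration.

```javascript
// Added example (not data-confirm-modal's own code): why the modal fills its
// title and body with jQuery's .text() rather than .html().

// Reproduces the serialisation a browser applies to a text node when its
// markup is read back: '&', '<' and '>' become entities, so the value can never
// open or close an element. (Assumption: this is the behaviour .text() relies on;
// quotes are left alone because they are inert inside a text node.)
function escapeAsTextContent(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// What the library does today: option values go through the text path.
// `options.title` / `options.confirm` stand in for data-title / data-confirm
// (assumed option names).
function renderModalText(options) {
  return (
    '<div class="modal-header"><h4 class="modal-title">' +
    escapeAsTextContent(options.title) +
    '</h4></div><div class="modal-body">' +
    escapeAsTextContent(options.confirm) +
    '</div>'
  );
}

// What the pull request proposed: option values are interpolated verbatim,
// exactly as .html() would parse them.
function renderModalHtml(options) {
  return (
    '<div class="modal-header"><h4 class="modal-title">' +
    String(options.title) +
    '</h4></div><div class="modal-body">' +
    String(options.confirm) +
    '</div>'
  );
}

// The modal skeleton above always contributes exactly these six tags:
// <div>, <h4>, </h4>, </div>, <div>, </div>.
const SKELETON_TAG_COUNT = 6;

// Detection helper: how many element tags in the rendered fragment did NOT come
// from the skeleton, i.e. were smuggled in through an option value. Zero means
// the option values stayed inert text.
function foreignTagCount(rendered) {
  const tags = rendered.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length - SKELETON_TAG_COUNT;
}

// Constructed sample: a confirm message whose text is built from a record name
// that a user could have typed, so it carries markup the page never intended.
const UNTRUSTED_OPTIONS = {
  title: 'Delete "<b>My Project</b>"?',
  confirm: 'Really delete <i>this</i>? This cannot be undone & is final.',
};

console.log('text path, foreign tags:', foreignTagCount(renderModalText(UNTRUSTED_OPTIONS)));
console.log('html path, foreign tags:', foreignTagCount(renderModalHtml(UNTRUSTED_OPTIONS)));
```

With the text path the rendered fragment contains only the six skeleton tags and the `<b>` / `<i>` markup survives as visible characters; with the html path four extra tags land in the document. The same counting approach works as a quick regression check on any component that turns attribute values into DOM content: anything beyond the fixed skeleton came from data.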