thomasdavis / backbonetutorials

As single-page apps and large-scale JavaScript applications become more prominent on the web, useful resources for the developers who are jumping ship are crucial.
http://backbonetutorials.com

Recommended XSS protection htmlDecode() isn't actually safe #117

Open andymadge opened 9 years ago

andymadge commented 9 years ago

Even though the DIV never gets attached to the DOM, some browsers will still load images and fire events. See this comment on Stackoverflow

Using a textarea instead of a DIV is safer, see here.

andymadge commented 9 years ago

See http://jsfiddle.net/vcm8r35a/ to demo the problem
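The two decoders below are an added example, not code from the backbonetutorials repository or the commenter: the textarea-based version is the safer replacement the issue suggests, and a DOM-free version shows the same property (entities decoded, markup never parsed) where no document exists. Function names and the entity table are mine.

```javascript
// Added example: decode HTML entities without handing the string to an HTML
// parser that can fetch resources or run event handlers.

// 1) Browser-side variant. A <textarea> holds text only, so setting innerHTML
//    decodes entities but never creates child elements: no <img> is requested,
//    no handler attribute is wired up, whether or not the node is in the DOM.
function htmlDecodeTextarea(str, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) throw new Error('htmlDecodeTextarea needs a DOM document');
  const ta = doc.createElement('textarea');
  ta.innerHTML = str;
  return ta.value;
}

// 2) DOM-free variant. Only entity references are rewritten; angle brackets
//    and attribute text come back as inert characters in a plain string.
//    Entity table is a constructed subset sufficient for the common cases.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

function htmlDecode(str) {
  return str.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      // Numeric reference: &#65; (decimal) or &#x41; (hex).
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isInteger(cp) && cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const v = NAMED_ENTITIES[body.toLowerCase()];
    // Unknown names are left untouched rather than guessed at.
    return v === undefined ? match : v;
  });
}
```

Whichever variant is used, the decoded string must still be escaped again before it is inserted into a page as markup; decoding only reverses entity encoding, it does not make the text safe to render.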