wenzhixin / multiple-select

A jQuery plugin to select multiple elements with checkboxes :)
http://multiple-select.wenzhixin.net.cn
MIT License
1.91k stars 651 forks

Avoid `innerHTML` #529

Open brettz9 opened 4 years ago

brettz9 commented 4 years ago

No plans currently to work on this, but just wanted to suggest avoiding innerHTML (or jQuery html()).

  1. Reduces the chance for XSS attacks (there may be no holes currently, but it is easier to avoid them by avoiding innerHTML et al. altogether)
  2. Besides preventing any XSS, it avoids the need for developers to check whether html(), etc. are used safely.
  3. Plugins like https://github.com/mozilla/eslint-plugin-no-unsanitized check for this.
  4. Mozilla's Addons give warnings (sent to add-on reviewers) for use of innerHTML (such linting is how I came across this).
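To make the suggestion concrete, here is an added example (not code from the multiple-select project, and not part of the issue) contrasting the three ways a list item with a checkbox can be produced: string concatenation handed to `innerHTML`/`html()`, the same string with an escaping step, and direct DOM construction where no HTML parser ever sees the data. The helper names `escapeHtml`, `renderOptionHtml`, `renderOptionHtmlEscaped`, `renderOptionDom` and `makeStubDocument` are assumptions for this example; `makeStubDocument` is a constructed, approximate stand-in for `document` so the file runs under Node as well as in a browser.

```javascript
// Added example, not part of wenzhixin/multiple-select. Shows why building
// nodes beats innerHTML/html() when option labels may come from untrusted data.

// Minimal escaper, for the cases where a markup string really is unavoidable.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern the issue warns about: data interpolated into a string that is
// later assigned to innerHTML or passed to $.html(). A label such as
// '<img src=x onerror=alert(1)>' is parsed as markup instead of shown as text.
function renderOptionHtml(label, value) {
  return '<li><label><input type="checkbox" value="' + value + '">' +
         label + '</label></li>';
}

// Same string output, but every interpolated value is escaped first. This is
// safe only as long as nobody ever forgets the escapeHtml() call.
function renderOptionHtmlEscaped(label, value) {
  return '<li><label><input type="checkbox" value="' + escapeHtml(value) + '">' +
         escapeHtml(label) + '</label></li>';
}

// Preferred: createElement / createTextNode / setAttribute. The label and value
// are stored as text and attribute data, never parsed, so there is no escaping
// step to get wrong. In a browser, pass the real `document` as `doc`.
function renderOptionDom(doc, label, value) {
  const li = doc.createElement('li');
  const lab = doc.createElement('label');
  const input = doc.createElement('input');
  input.setAttribute('type', 'checkbox');
  input.setAttribute('value', value);
  lab.appendChild(input);
  lab.appendChild(doc.createTextNode(label));
  li.appendChild(lab);
  return li;
}

// Constructed stand-in for `document` so this file runs under Node. It
// serialises nodes roughly the way a real DOM would: text nodes and attribute
// values are escaped on output, so injected markup stays inert.
function makeStubDocument() {
  function makeElement(tag) {
    const el = { tag, attrs: {}, children: [] };
    el.setAttribute = (name, val) => { el.attrs[name] = String(val); };
    el.appendChild = (child) => { el.children.push(child); return child; };
    Object.defineProperty(el, 'outerHTML', {
      get() {
        const attrs = Object.entries(el.attrs)
          .map(([k, v]) => ' ' + k + '="' + escapeHtml(v) + '"').join('');
        const inner = el.children
          .map((c) => (c.text !== undefined ? escapeHtml(c.text) : c.outerHTML))
          .join('');
        return '<' + tag + attrs + '>' + inner + '</' + tag + '>';
      },
    });
    return el;
  }
  return {
    createElement: makeElement,
    createTextNode: (text) => ({ text: String(text) }),
  };
}

// Quick demonstration when run directly: node this_file.js
const hostileLabel = '<img src=x onerror=alert(1)>';
console.log('unsafe :', renderOptionHtml(hostileLabel, 'a'));
console.log('escaped:', renderOptionHtmlEscaped(hostileLabel, 'a'));
console.log('dom    :', renderOptionDom(makeStubDocument(), hostileLabel, 'a').outerHTML);
```

The first line of output shows the `<img>` tag surviving intact into the markup; the other two show it rendered as literal text. The DOM version is the one linters such as eslint-plugin-no-unsanitized accept without complaint, because there is no `innerHTML` sink for them to flag.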