Comments (3)
Also applies to append, appendTo, prepend, prependTo, after, insertAfter, before, insertBefore, etc.
from api.jquery.com.
How about this as a new reusable note that we put in all of those entries:
By design, any jQuery constructor or method that accepts an HTML string (jQuery(), .append(), .after(), etc.) can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code, e.g., img onload. Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site scripting (XSS) vulnerabilities. Remove or escape any user input before adding it to the document.
Linking, formatting to be done.
from api.jquery.com.
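The following is an added example, not part of the api.jquery.com comment above nor code from the jQuery project. It contrasts the unsafe pattern the proposed note warns about (concatenating a raw string into markup that is then handed to `.append()` or similar) with the escaped form, using a small `escapeHtml` helper. The `UNTRUSTED_INPUT` value, the `renderComment*` functions and the `payloadBecomesMarkup` check are all constructed for this demonstration; the block runs stand-alone in Node without jQuery or a DOM.

```javascript
// Added example (not from api.jquery.com or the jQuery project).
// Shows why a string from an untrusted source must be escaped before it is
// passed to a jQuery method that parses HTML (.append(), .after(), jQuery(), ...).

// Constructed sample of attacker-controlled input, e.g. read from a URL query
// parameter. An <img> with an event-handler attribute needs no <script> tag.
const UNTRUSTED_INPUT = '<img src=x onerror="alert(1)">hello';

// The five characters that let text break out of an HTML text node or a
// quoted attribute value, and their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so an HTML parser treats it as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical): the raw string is concatenated into the
// markup, so $('#comments').append(renderCommentUnsafe(body)) would create a
// real <img> element and the browser would run its onerror handler.
function renderCommentUnsafe(body) {
  return '<li class="comment">' + body + '</li>';
}

// Hardened pattern (hypothetical): same markup, but the untrusted part is
// escaped, so the parser sees "&lt;img ..." and emits only a text node.
function renderCommentSafe(body) {
  return '<li class="comment">' + escapeHtml(body) + '</li>';
}

// Constructed check used only to make the difference testable without a DOM:
// strip the known <li> wrapper and see whether what remains still contains
// anything an HTML parser would start a tag from.
function payloadBecomesMarkup(rendered) {
  const inner = rendered.slice('<li class="comment">'.length, -'</li>'.length);
  return /<[a-z!\/]/i.test(inner);
}

// Stand-alone demo: the unsafe renderer leaks a tag, the safe one does not.
console.log('unsafe:', renderCommentUnsafe(UNTRUSTED_INPUT));
console.log('  tag reaches the parser:', payloadBecomesMarkup(renderCommentUnsafe(UNTRUSTED_INPUT)));
console.log('safe:  ', renderCommentSafe(UNTRUSTED_INPUT));
console.log('  tag reaches the parser:', payloadBecomesMarkup(renderCommentSafe(UNTRUSTED_INPUT)));
```

When the value only needs to become visible text, the simpler route in jQuery is to avoid the HTML-parsing methods altogether and set it with `.text()`, which never interprets markup; escaping is for the cases where a string must be assembled into HTML before being inserted.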
Looks great, @dmethvin! I'm adding the note now
from api.jquery.com.