
Then, I think it should be documented.



Agreed. In fact, to build on 'Erwin's example, jQuery makes note of the potential for XSS when calling .html(), .append(), .after(), etc.[1]

> Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.

[1] http://api.jquery.com/html/


Why doesn't jQuery have taint-checking/tagging, at least for data brought in through jQuery's methods that read from URLs, etc.?
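An added example, not code from the thread or from jQuery, that ties the two comments together: the escaping the jQuery docs recommend before passing strings to .html()/.append(), plus a toy taint tag of the kind the question above asks about. The names escapeHtml, Tainted, readQueryParam, escapeTainted and htmlSink are illustrative, htmlSink stands in for an HTML-inserting sink (no DOM is touched so it runs under Node), and the sample URL is constructed.

```javascript
// Added example (not from the thread or from jQuery): escape-before-insert
// plus a minimal taint tag. All names below are illustrative.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Wrapper for values that came from an untrusted source (URL, cookie, form).
// Implicit string conversion throws, so a tainted value cannot quietly end up
// inside markup; the only sanctioned way out is escapeTainted().
class Tainted {
  constructor(value) { this.value = String(value); }
  toString() { throw new TypeError('tainted value used as a string; call escapeTainted() first'); }
}

// Read a query parameter and tag it as tainted at the point of entry.
function readQueryParam(urlString, name) {
  const value = new URL(urlString).searchParams.get(name);
  return value === null ? null : new Tainted(value);
}

// Explicit release: the one path from Tainted back to a plain string.
function escapeTainted(t) {
  return escapeHtml(t instanceof Tainted ? t.value : t);
}

// Stand-in for an HTML-inserting sink such as jQuery's .html()/.append().
// It refuses tainted input outright rather than interpreting it as markup.
function htmlSink(fragment) {
  if (fragment instanceof Tainted) {
    throw new TypeError('refusing to insert a tainted value as HTML');
  }
  return fragment; // in a browser this is where innerHTML would be assigned
}

// Build a greeting from the ?name= parameter the safe way: escape, then insert.
function renderGreeting(urlString) {
  const name = readQueryParam(urlString, 'name');
  return htmlSink('<p>Hello, ' + escapeTainted(name === null ? '' : name) + '</p>');
}

// The unsafe pattern: concatenating the tainted value straight into markup.
// The taint tag fires during string conversion; the message is returned so
// the caller can see the check worked.
function renderGreetingUnsafe(urlString) {
  const name = readQueryParam(urlString, 'name');
  try {
    return htmlSink('<p>Hello, ' + name + '</p>');
  } catch (e) {
    return 'blocked: ' + e.message;
  }
}

// Constructed sample URL whose name parameter carries markup (<b>Eve</b>).
const sampleUrl = 'https://example.test/page?name=%3Cb%3EEve%3C%2Fb%3E';
console.log(renderGreeting(sampleUrl));
console.log(renderGreetingUnsafe(sampleUrl));
```

The escape table is the same set of characters the jQuery guidance is about; the taint wrapper only adds a check that the escape step actually happened before the string reached a markup-interpreting sink, which is the property a library-level tag would have to enforce for every read-from-URL helper.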



