Posted to dev@cloudstack.apache.org by Demetrius Tsitrelis <De...@citrix.com> on 2014/04/17 01:06:55 UTC

Best practice: Do not use the innerHtml() property or its equivalent jQuery .html() method

This property is used to dynamically insert HTML into the UI.  Unfortunately, it is easily abused because it accepts input such as <SCRIPT> tags.

There are about 150 instances of the .html() method in our UI.  It turns out that the vast majority of the uses are for text; in those cases the .text() method provides a safe replacement for .html().

For those instances where HTML is needed, it is safer to use a sequence of calls to createElement(), appendChild(), and setAttribute() to construct and insert the new element into the DOM.
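The three patterns the post describes side by side, as an added example that is not part of this thread or of the CloudStack UI code: the unsafe innerHTML / jQuery .html() path, the textContent / jQuery .text() replacement for text-only cases, and the createElement / setAttribute / appendChild path for cases that need structure. The attacker-controlled display name is constructed, the `detailsUrl` parameter and the `render*` function names are assumptions, and when run outside a browser the block falls back to a small stand-in for the handful of DOM calls it uses (in a browser the real `document` is used).

```javascript
// Added example, not code from the CloudStack UI or from the thread above.
// It shows the unsafe innerHTML / jQuery .html() pattern next to the two safe
// replacements the post recommends: textContent (jQuery .text()) for plain
// text, and createElement / setAttribute / appendChild when structure is needed.

// Constructed, attacker-controlled value, e.g. a VM display name set via the API.
const UNTRUSTED_NAME = '<img src=x onerror="alert(document.cookie)">';

// --- Minimal stand-in for the DOM calls used below, so the example also runs
// under Node.js. In a browser the real `document` is used instead. ---
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.attrs = {};
    this.children = [];   // strings are text nodes, objects are elements
    this.markup = null;   // raw string assigned through innerHTML
  }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  appendChild(child) { this.children.push(child); return child; }
  // textContent stores the value as a text node: '<' is data, never a tag.
  set textContent(value) { this.children = [String(value)]; this.markup = null; }
  // innerHTML hands the string to the HTML parser; a browser would turn
  // '<img onerror=...>' into a live element whose handler runs.
  set innerHTML(value) { this.markup = String(value); this.children = []; }
  get innerHTML() {
    if (this.markup !== null) return this.markup;
    return this.children
      .map((c) => (typeof c === 'string' ? escapeText(c) : c.outerHTML))
      .join('');
  }
  get outerHTML() {
    const attrs = Object.entries(this.attrs)
      .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`)
      .join('');
    return `<${this.tagName}${attrs}>${this.innerHTML}</${this.tagName}>`;
  }
}
const doc = typeof document !== 'undefined'
  ? document
  : { createElement: (t) => new FakeElement(t), createTextNode: (s) => String(s) };

// UNSAFE: what $(el).html(...) / el.innerHTML = ... does. The untrusted value is
// parsed as markup, so the injected <img onerror> becomes part of the page.
function renderUnsafe(container, name) {
  container.innerHTML = '<span class="instance-name">' + name + '</span>';
  return container.innerHTML;
}

// SAFE replacement for the text-only cases: what $(el).text(...) does.
function renderText(container, name) {
  container.textContent = name;
  return container.innerHTML;
}

// SAFE replacement when real structure is needed: build the elements in code and
// put the untrusted value only in a text node. `detailsUrl` is assumed to be an
// application-chosen path, not user input (a user-supplied href would need its
// own scheme check, since setAttribute does not reject 'javascript:' URLs).
function renderStructured(container, name, detailsUrl) {
  const link = doc.createElement('a');
  link.setAttribute('class', 'instance-name');
  link.setAttribute('href', detailsUrl);
  link.appendChild(doc.createTextNode(name));
  container.appendChild(link);
  return container.innerHTML;
}

// Demo when run directly: the unsafe path keeps a live <img ...> tag, the safe
// paths turn it into the harmless text "&lt;img ...&gt;".
console.log('unsafe    :', renderUnsafe(doc.createElement('div'), UNTRUSTED_NAME));
console.log('text      :', renderText(doc.createElement('div'), UNTRUSTED_NAME));
console.log('structured:', renderStructured(doc.createElement('div'), UNTRUSTED_NAME, '/client/#instance'));
```

The structured path is only as safe as what goes into attributes: a text node neutralises any markup in the value, but event-handler attributes (`onclick`, `onerror`, ...) and URL attributes (`href`, `src`) execute or navigate based on their value, so untrusted data should not be written to those with setAttribute() without a separate allow-list or scheme check.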

RE: Best practice: Do not use the innerHtml() property or its equivalent jQuery .html() method

Posted by Brian Federle <Br...@citrix.com>.
Yes, though the ASF security team is responsible for committing and reviewing the code, so it probably won't make it in for a while.

This is probably a general announcement to other UI devs on the list.
________________________________________
From: Stephen Turner
Sent: Thursday, April 17, 2014 2:16 AM
To: dev@cloudstack.apache.org
Cc: Brian Federle
Subject: RE: Best practice: Do not use the innerHtml() property or its equivalent jQuery .html() method

Brian, didn't you fix most of these already?

--
Stephen Turner


-----Original Message-----
From: Demetrius Tsitrelis [mailto:Demetrius.Tsitrelis@citrix.com]
Sent: 17 April 2014 00:07
To: dev@cloudstack.apache.org
Subject: Best practice: Do not use the innerHtml() property or its equivalent jQuery .html() method

This property is used to dynamically insert HTML into the UI.  Unfortunately, it is easily abused because it accepts input such as <SCRIPT> tags.

There are about 150 instances of the .html() method in our UI.  It turns out that the vast majority of the uses are for text; in those cases the .text() method provides a safe replacement for .html().

For those instances where HTML is needed, it is safer to use a sequence of calls to createElement(), appendChild(), and setAttribute() to construct and insert the new element into the DOM.

RE: Best practice: Do not use the innerHtml() property or its equivalent jQuery .html() method

Posted by Stephen Turner <St...@citrix.com>.
Brian, didn't you fix most of these already?

-- 
Stephen Turner


-----Original Message-----
From: Demetrius Tsitrelis [mailto:Demetrius.Tsitrelis@citrix.com] 
Sent: 17 April 2014 00:07
To: dev@cloudstack.apache.org
Subject: Best practice: Do not use the innerHtml() property or its equivalent jQuery .html() method

This property is used to dynamically insert HTML into the UI.  Unfortunately, it is easily abused because it accepts input such as <SCRIPT> tags.

There are about 150 instances of the .html() method in our UI.  It turns out that the vast majority of the uses are for text; in those cases the .text() method provides a safe replacement for .html().

For those instances where HTML is needed, it is safer to use a sequence of calls to createElement(), appendChild(), and setAttribute() to construct and insert the new element into the DOM.

Re: Best practice: Do not use the innerHtml() property or its equivalent jQuery .html() method

Posted by sebgoa <ru...@gmail.com>.
Can you open a bug on this?


On Apr 17, 2014, at 1:06 AM, Demetrius Tsitrelis <De...@citrix.com> wrote:

> This property is used to dynamically insert HTML into the UI.  Unfortunately, it is easily abused because it accepts input such as <SCRIPT> tags.
> 
> There are about 150 instances of the .html() method in our UI.  It turns out that the vast majority of the uses are for text; in those cases the .text() method provides a safe replacement for .html().
> 
> For those instances where HTML is needed, it is safer to use a sequence of calls to createElement(), appendChild(), and setAttribute() to construct and insert the new element into the DOM.