injection via data prevention

[sashafirsov]

since data are injected into DOM as XML island, the methods like Json2Xml(obj, tag) can generate DOM nodes which in the browser could lead to insecure tags and attributes injection.

Solution is to use template tag which has own document fragment with insulated content. Even with direct script tag injected, it would be a safe embedding of data island.

[sashafirsov]

The data XML is not attached to page DOM, it is only referenced via this.xml for transformations. Hence no danger of exposing to page DOM.