Recommended XSS protection htmlDecode() isn't actually safe
Opened this issue · 1 comment
andymadge commented
Even though the DIV never gets attached to the DOM, some browsers will still load images and fire events. See this comment on Stack Overflow.
Using a textarea instead of a DIV is safer; see here.
andymadge commented
See http://jsfiddle.net/vcm8r35a/ to demo the problem
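The pattern the issue describes, as an added example that is not code from the issue or the project (the function names and the probe are this example's own): the detached-div decoder beside the textarea version, a DOM-free decoder that never invokes the HTML parser, and a browser probe whose onerror handler only sets a flag. In a browser the div probe reports the handler fired and the textarea probe does not, which is the behaviour the issue reports.

```javascript
// Added example, not code from the issue or the project; names are its own.
// Assumes the recommended htmlDecode() decoded via a detached <div>'s innerHTML.

// Vulnerable pattern: innerHTML on a detached <div> still runs the HTML
// parser, which creates elements; browsers fetch <img src> and fire
// onerror for them even though the div is never attached to the document.
function htmlDecodeUnsafe(html) {
  const el = document.createElement('div');
  el.innerHTML = html;
  return el.textContent;
}

// Safer pattern: a <textarea>'s content is parsed as text (RCDATA), so no
// elements are created and no handlers can run; entities still decode.
function htmlDecodeSafe(html) {
  const el = document.createElement('textarea');
  el.innerHTML = html;
  return el.value;
}

// DOM-free alternative: never hands the string to an HTML parser at all.
// Handles numeric references and the five basic named entities, which is
// enough for text escaped by a standard HTML escaper (an assumption).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function htmlDecodePure(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const v = NAMED[body];
    return v === undefined ? match : v;
  });
}

// Browser-only probe (constructed payload): the marker's onerror only sets a
// flag; we wait for the image error event before reporting whether the
// decoder let it run. Returns a Promise resolving to { decoded, fired }.
function probeDecoder(decode, waitMs = 500) {
  window.__decodeProbeFired = false;
  const out = decode('x &amp; y <img src="data:," onerror="window.__decodeProbeFired=true">');
  return new Promise((resolve) => setTimeout(
    () => resolve({ decoded: out, fired: window.__decodeProbeFired }), waitMs));
}

if (typeof document !== 'undefined') {
  Promise.all([probeDecoder(htmlDecodeUnsafe), probeDecoder(htmlDecodeSafe)])
    .then(([div, ta]) => console.log('div fired:', div.fired, '| textarea fired:', ta.fired));
}
```

Under Node only the DOM-free decoder is exercised; paste the block into a browser console to see the two DOM decoders compared.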