thomasdavis/backbonetutorials

Recommended XSS protection htmlDecode() isn't actually safe

Opened this issue · 1 comments

Even though the DIV never gets attached to the DOM, some browsers will still load images and fire events. See this comment on Stackoverflow

Using a textarea instead of a DIV is safer, see here.

See http://jsfiddle.net/vcm8r35a/ to demo the problem
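The three decoders below are an added example written for this issue, not code from the backbonetutorials repository or the linked fiddle. They contrast the detached-DIV pattern the issue warns about with the textarea variant it recommends, and add a parser-free decoder that needs no DOM at all. The function names and the sample escaped string are constructed for the example.

```javascript
// Added example (not from the backbonetutorials repo): three ways to turn
// HTML entities such as "&lt;" back into characters.
//
// 1. unsafeHtmlDecode: the pattern the issue warns about. Setting innerHTML
//    on a detached <div> still runs the full HTML parser, so an <img> in the
//    decoded text can be fetched and its error handler fired even though the
//    element is never attached. Kept here only for contrast; never called in Node.
// 2. textareaHtmlDecode: the safer DOM variant the issue recommends. A
//    <textarea> is a raw-text element, so markup inside it is not interpreted
//    and no subresources are loaded. Browser-only.
// 3. decodeEntities: a parser-free decoder that runs anywhere (Node or browser).
//    It handles the five XML entities plus numeric references, which covers
//    everything an escaper like _.escape() produces.
//
// Whatever decoder is used, the result is plain text: render it with
// textContent or a template engine's escaping, never by assigning it to
// innerHTML, or the decoding step simply reintroduces the XSS.

function unsafeHtmlDecode(value) {
  const div = document.createElement('div');
  div.innerHTML = value;   // full HTML parse: images may load, onerror may fire
  return div.textContent;
}

function textareaHtmlDecode(value) {
  const ta = document.createElement('textarea');
  ta.innerHTML = value;    // raw-text element: no tags, no loads, no events
  return ta.value;
}

// Named entities handled by the parser-free decoder (a Map avoids prototype
// lookups, so "&constructor;" cannot resolve to Object.prototype.constructor).
const NAMED_ENTITIES = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);

function decodeEntities(value) {
  // Only well-formed references (terminated by ';') are decoded; anything
  // unrecognised is left exactly as it was, which is the conservative choice.
  return value.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // Reject code points outside the Unicode range instead of throwing.
      if (!Number.isFinite(code) || code > 0x10ffff) return match;
      return String.fromCodePoint(code);
    }
    return NAMED_ENTITIES.has(body) ? NAMED_ENTITIES.get(body) : match;
  });
}

// Constructed sample: text escaped the way _.escape() would emit it.
const SAMPLE_ESCAPED = '&lt;img src=x onerror=alert(1)&gt; Tom&#39;s &quot;quote&quot; &amp; &#x263A;';

// In Node there is no document, so only the parser-free decoder is exercised.
if (typeof document === 'undefined') {
  console.log(decodeEntities(SAMPLE_ESCAPED));
} else {
  console.log(textareaHtmlDecode(SAMPLE_ESCAPED));
}
```

The decoded string in the sample still contains the `<img ... onerror=...>` text, but as inert characters: nothing was parsed, so nothing was fetched or executed. That is the property the issue is asking for, and it holds for `decodeEntities` and `textareaHtmlDecode` but not for `unsafeHtmlDecode`.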