What if there is <script> in the data-caption?
Noitidart opened this issue · 2 comments
Noitidart commented
If I put <script> into my data-caption field, will jQuery.html dangerously evaluate it here:
SlipHover/src/jquery.sliphover.js
Lines 137 to 167 in dc4dd2e
Thanks sir for your great work.
Noitidart commented
Is it safe if I do .parseHTML instead of the .html?
wayou commented
I think there's no reason for someone who puts a script into it to hack himself.
What's more, the HTML is needed for customizing the look.
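
Added example, not part of the thread and not SlipHover code: one way to keep caption styling while still handling a data-caption that comes from untrusted input is to escape the whole string and then restore only a small allowlist of attribute-free tags before passing it to .html(). jQuery's documentation notes that .html() runs scripts contained in the string, and that $.parseHTML drops script elements by default but leaves attributes such as onerror in place, so neither acts as a sanitizer. The function names, the tag allowlist and the sample captions are assumptions made for this sketch.

```javascript
// Added example. Assumption: captions may contain user-supplied text,
// but a few formatting tags must survive so the caption can be styled.

// Tags restored after escaping. They are only accepted without attributes.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'br'];

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn every HTML metacharacter into an entity so nothing parses as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Matches an escaped allowlisted tag: "&lt;b&gt;", "&lt;/b&gt;", "&lt;br /&gt;".
// Anything between the tag name and "&gt;" other than whitespace or "/"
// (for example an onclick attribute) prevents the match.
const ALLOWED_RE = new RegExp(
  '&lt;(/?)(' + ALLOWED_TAGS.join('|') + ')\\s*/?&gt;', 'gi');

// Escape first, then re-enable only the bare allowlisted tags.
function safeCaption(raw) {
  return escapeHtml(raw).replace(ALLOWED_RE,
    (match, slash, tag) => '<' + slash + tag.toLowerCase() + '>');
}

// Constructed sample captions.
const samples = [
  '<b>Sunset</b><br/>Lisbon',
  '<script>alert(1)</script>',
  '<b onclick="x()">hi</b>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(safeCaption(s)));
}

// Hypothetical use in the browser (variable names are not the plugin's):
//   $overlay.html(safeCaption($target.attr('data-caption')));
```

Captions that need links, classes or other attributes are outside what this sketch covers.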