Consider Refactor raw HTML adding to DOM to use createElement instead #12764

emanuelb opened this Issue Nov 30, 2016 · 2 comments




The createElement API has 2 advantages:

  1. main advantage:
    Using createElement instead of appending HTML that contains input appended to it, such as:
    will be safe from attribute injection without using escapeHTML, such as:
    and from XSS if current method is used (in above link text instead of html), this code pattern will decrease the chance of introducing XSS vulnerabilities.

  2. it might be faster (probably, at least many comments on SO suggest so, but others say otherwise)
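
The difference described in the issue above, as an added example that is not part of the original issue or the project's code. The function names, the `doc` parameter and the sample values are hypothetical; the scheme allow-list goes slightly beyond the issue's point, because createElement does not validate URL schemes.

```javascript
// Added example; all names are hypothetical, not taken from the project.

// Pattern the issue wants to move away from: markup built by concatenation.
// A quote in `href` or a tag in `text` is parsed as HTML once this string
// reaches innerHTML or a jQuery .append()/.html() call.
function linkHtmlUnsafe(href, text) {
    return '<a href="' + href + '">' + text + '</a>';
}

// createElement/setAttribute do not check URL schemes, so href values
// still need an allow-list (http and https only in this sketch).
function allowedHref(href) {
    var scheme;
    try {
        // The base URL is a placeholder so relative links can be parsed.
        scheme = new URL(href, 'https://placeholder.invalid/').protocol;
    } catch (e) {
        return '#';
    }
    return (scheme === 'http:' || scheme === 'https:') ? href : '#';
}

// Pattern the issue proposes: build the node through the DOM API.
// `doc` is the page's `document`, passed in so the function can also be
// exercised outside a browser.
function linkElementSafe(doc, href, text) {
    var a = doc.createElement('a');
    // setAttribute stores the whole string as one attribute value, so a
    // quote cannot close the attribute and start a new one.
    a.setAttribute('href', allowedHref(href));
    // textContent creates a text node, so "<" is never parsed as a tag.
    a.textContent = text;
    return a;
}
```

In a page this would be used as `container.appendChild(linkElementSafe(document, url, label))`, with no escapeHTML call needed for either value.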

@ShreyasSinha ShreyasSinha referenced this issue Jan 20, 2017

Using CreateElement for adding HTML #12907

3 of 4 tasks complete
ShreyasSinha commented Jan 20, 2017 edited

I have made the changes in the 2 above-mentioned locations #12907.
@emanuelb If there are any other locations where this change is suitable, please post their links here.

@nijel nijel self-assigned this Jan 20, 2017
@nijel nijel added this to the 4.7.0 milestone Jan 20, 2017
nijel commented Jan 20, 2017 edited

Fixed by #12907.

@nijel nijel closed this Jan 20, 2017