Consider Refactor raw HTML adding to DOM to use createElement instead #12764

Closed
emanuelb opened this Issue Nov 30, 2016 · 2 comments

@emanuelb

The createElement API has 2 advantages:

  1. main advantage:
    Using createElement instead of appending HTML that contains input appended to it, such as:
    https://github.com/phpmyadmin/phpmyadmin/blob/master/js/functions.js#L526
    https://github.com/phpmyadmin/phpmyadmin/blob/master/js/functions.js#L540
    will be safe from attribute injection without using escapeHTML, such as:
    http://stackoverflow.com/questions/2202269/best-way-to-add-dom-elements-with-jquery/2203063#2203063
    and from XSS if current method is used (in above link text instead of html), this code pattern will decrease the chance of introducing XSS vulnerabilities.

  2. it might be faster (probably, at least many comments on SO suggest so, but others say otherwise)
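
The attribute-injection difference described in this issue, as an added example (not part of the original issue and not phpMyAdmin code). The helper names, the `fakeDocument` stand-in for the browser `document`, and the input string are constructed for illustration.

```javascript
// Minimal stand-in for the browser `document` so this runs under Node.
// In a browser, pass the real `document`; Element has the same methods.
const fakeDocument = {
  createElement(tag) {
    const attrs = new Map();
    return {
      tagName: tag.toUpperCase(),
      setAttribute(name, value) { attrs.set(name, String(value)); },
      getAttribute(name) { return attrs.has(name) ? attrs.get(name) : null; },
      getAttributeNames() { return [...attrs.keys()]; },
    };
  },
};

// Pattern the issue wants replaced: input concatenated into markup.
function inputHtmlUnsafe(name) {
  return '<input type="text" name="' + name + '">';
}

// Simplified view of what an HTML parser sees in that markup:
// every name="value" pair becomes its own attribute.
function attributeNamesInMarkup(html) {
  return [...html.matchAll(/([^\s"'<>\/=]+)\s*=\s*"[^"]*"/g)].map(m => m[1]);
}

// createElement pattern: the value is stored as data and never re-parsed
// as markup, so a quote inside it cannot close the attribute.
function inputNodeSafe(doc, name) {
  const el = doc.createElement('input');
  el.setAttribute('type', 'text');
  el.setAttribute('name', name);
  return el;
}

function compare(doc, name) {
  const node = inputNodeSafe(doc, name);
  return {
    unsafe: attributeNamesInMarkup(inputHtmlUnsafe(name)),
    safe: node.getAttributeNames(),
    safeName: node.getAttribute('name'),
  };
}

// Constructed input: a quote followed by a harmless marker attribute.
const CONSTRUCTED_INPUT = 'x" data-injected="1';
console.log(compare(fakeDocument, CONSTRUCTED_INPUT));
```

With string concatenation the quote in the input ends the `name` attribute and a third attribute appears; with `createElement` and `setAttribute` the element keeps exactly two attributes and the whole string stays inside `name`.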

@ShreyasSinha ShreyasSinha referenced this issue Jan 20, 2017
Merged

Using CreateElement for adding HTML #12907

3 of 4 tasks complete
@ShreyasSinha
Contributor
ShreyasSinha commented Jan 20, 2017 edited

I have made the changes in the 2 above-mentioned locations #12907.
@emanuelb If there are any other locations where this change is suitable, please post their links here.

@nijel nijel self-assigned this Jan 20, 2017
@nijel nijel added this to the 4.7.0 milestone Jan 20, 2017
@nijel
Member
nijel commented Jan 20, 2017 edited

Fixed by #12907.

@nijel nijel closed this Jan 20, 2017