Yes, though the ASF security team is responsible for committing and reviewing 
the code, so it probably won't make it in for a while.

This is probably a general announcement to other UI devs on the list.
________________________________________
From: Stephen Turner
Sent: Thursday, April 17, 2014 2:16 AM
To: [email protected]
Cc: Brian Federle
Subject: RE: Best practice: Do not use innerHtml() property or it's equivalent 
jQuery .html() method

Brian, didn't you fix most of these already?

--
Stephen Turner


-----Original Message-----
From: Demetrius Tsitrelis [mailto:[email protected]]
Sent: 17 April 2014 00:07
To: [email protected]
Subject: Best practice: Do not use innerHtml() property or it's equivalent 
jQuery .html() method

This property is used to dynamically insert HTML into the UI.  Unfortunately, 
it is easily abused because it accepts input such as <SCRIPT> tags.

There are about 150 instances of the .html() method in our UI.  It turns out 
that in the vast majority of the uses are for text; in those cases the .text() 
method provides a safe replacement for .html().

For those instances where HTML is needed it is safer to use a sequence of calls 
to createElement(), appendChild(), and setAttribute() to construct and insert 
the new element into the DOM.
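
The following is an added example and is not code from the CloudStack UI or from anyone in this thread. It renders an untrusted display name and link two ways: with the innerHTML/.html() pattern the mail warns about, and with the createElement()/appendChild()/setAttribute() sequence it recommends. The `doc` parameter, the `renderUnsafe`/`renderSafe`/`safeHref` function names, the sample input and the minimal fake document used to run it outside a browser are all this example's own assumptions; the scheme allowlist on `href` goes one step beyond the mail, because a text node neutralises markup but a `javascript:` URL in an attribute is still live.

```javascript
// Added example, not code from the CloudStack UI or this thread's authors.
// Renders an untrusted display name and link into the DOM two ways: the
// .html()/innerHTML pattern the email warns about, and the
// createElement()/appendChild()/setAttribute() replacement it recommends.
// `doc` is passed in so the same code runs against a browser's `document`
// or against the minimal stand-in below when run outside a browser.

// Constructed untrusted input, shaped like what a malicious user might submit.
const UNTRUSTED = {
  name: '<script>alert(1)</script> Mallory',
  href: 'javascript:alert(1)',
};

// Unsafe: the input is concatenated into an HTML string and parsed as markup,
// so the <script> tag and the javascript: URL both survive into the document.
function renderUnsafe(doc, input) {
  const div = doc.createElement('div');
  div.innerHTML = '<a href="' + input.href + '">' + input.name + '</a>'; // same as $(div).html(...)
  return div;
}

// A text node cannot become markup, but an attribute that takes a URL is still
// live code if its value is javascript:. This scheme allowlist is the example's
// own addition; the email only covers the element-construction part.
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:'];
function safeHref(href) {
  const trimmed = String(href).trim();
  const lower = trimmed.toLowerCase();
  return ALLOWED_SCHEMES.some((s) => lower.startsWith(s)) ? trimmed : '#';
}

// Safe: build the nodes directly. createTextNode() here does what jQuery's
// .text() does; the string is stored as character data, never parsed.
function renderSafe(doc, input) {
  const div = doc.createElement('div');
  const a = doc.createElement('a');
  a.setAttribute('href', safeHref(input.href));
  a.appendChild(doc.createTextNode(input.name));
  div.appendChild(a);
  return div;
}

// Minimal stand-in for `document`, just enough to serialise what the two
// renderers build. Text nodes and attribute values are escaped on output the
// way a browser escapes them when innerHTML is read back; a string assigned
// to innerHTML is kept as raw markup, mirroring the browser parsing it as HTML.
function makeFakeDocument() {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const escAttr = (s) => esc(s).replace(/"/g, '&quot;');
  class Text {
    constructor(data) { this.data = data; }
    get outerHTML() { return esc(this.data); }
  }
  class Element {
    constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.raw = null; }
    setAttribute(name, value) { this.attrs[name] = String(value); }
    appendChild(node) { this.raw = null; this.children.push(node); return node; }
    set innerHTML(markup) { this.children = []; this.raw = String(markup); }
    get innerHTML() {
      return this.raw !== null ? this.raw : this.children.map((c) => c.outerHTML).join('');
    }
    get outerHTML() {
      const attrs = Object.entries(this.attrs)
        .map(([k, v]) => ' ' + k + '="' + escAttr(v) + '"').join('');
      return '<' + this.tag + attrs + '>' + this.innerHTML + '</' + this.tag + '>';
    }
  }
  return {
    createElement: (tag) => new Element(tag),
    createTextNode: (data) => new Text(String(data)),
  };
}

// Demo when run stand-alone (node example.js) or pasted into a browser console.
const demoDoc = typeof document !== 'undefined' ? document : makeFakeDocument();
console.log('unsafe:', renderUnsafe(demoDoc, UNTRUSTED).outerHTML);
console.log('safe:  ', renderSafe(demoDoc, UNTRUSTED).outerHTML);
```

Run in a browser, `renderSafe` produces the same serialisation the fake does: the angle brackets in the name come back as `&lt;` and `&gt;`, and the link points at `#`. The point of injecting `doc` is that the safe rendering logic is testable without a browser, which is also where a reviewer would check that no new `.html()` call sneaks back in.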
