MrKurt wrote:
>
> The Yahoo UI extensions (Jack Slocum rocks) have a neat Template class
> that makes this a little easier, so I went ahead and jQueryfied it.
>
> My function now looks like:
>
> $(Journals.HeadlinesContainer).appendTemplated(
> '<li class="#{ContainerFileName}"> #{Url} #{Title} </li>',
> json
> );
>
That is shorter than the DOM code, but be careful. The DOM version is
tolerant of messy input strings; the templated version could cause a script
injection exploit. Even without malicious input concerns, you've got to
escape/remove embedded quotes and special characters, or prohibit them
upstream so they don't make it to the template parameters. Prohibited
characters change depending on how and where the template parameter is used, so
there isn't a simple global solution. That is the hidden tax of innerHTML
versus DOM that doesn't get counted when people do benchmarks.
Don't get me wrong, I think that templating support is a good thing to have
in jQuery, but the documentation should make the risks clear and the
template methods should make them easy to avoid.
--
View this message in context:
http://www.nabble.com/.appendTemplated-plugin-%28my-first%21%29-tf2504428.html#a7003723
Sent from the JQuery mailing list archive at Nabble.com.
_______________________________________________
jQuery mailing list
http://jquery.com/discuss/
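
The escaping concern raised in the reply above, as an added example that is not part of the original message or of the plugin it discusses: a `#{Name}` template renderer that encodes each parameter for the place it lands in. The function names, the `<a href>` template and the sample record are constructed for illustration.

```javascript
// Added example: all function names here are hypothetical, not the plugin's API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Sufficient for element text and for quoted attribute values only.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL attributes need a scheme check on top of character escaping.
// Whitespace/control characters are stripped first, since browsers ignore some of them.
function escapeUrl(value) {
  const url = String(value).replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (scheme && !/^https?$/i.test(scheme[1])) return '#';
  return escapeHtml(url);
}

// What plain string substitution does: values land in the markup verbatim.
function renderNaive(template, record) {
  return template.replace(/#\{(\w+)\}/g, (match, name) => String(record[name]));
}

// Escapes every parameter by default; callers override per field for other contexts.
function renderTemplate(template, record, encoders = {}) {
  return template.replace(/#\{(\w+)\}/g, (match, name) => {
    if (!own(record, name)) return '';
    const encode = own(encoders, name) ? encoders[name] : escapeHtml;
    return encode(record[name]);
  });
}

// Constructed template and constructed messy input.
const TEMPLATE = '<li class="#{ContainerFileName}"><a href="#{Url}">#{Title}</a></li>';
const messy = {
  ContainerFileName: 'news" onmouseover="x',
  Url: 'javascript:void(0)',
  Title: 'Q&A: <b>"quotes"</b>',
};

function demo() {
  return {
    naive: renderNaive(TEMPLATE, messy),
    escaped: renderTemplate(TEMPLATE, messy, { Url: escapeUrl }),
  };
}
console.log(demo());
```

Neither encoder is safe for parameters placed in unquoted attributes, inline script or style; those contexts need their own encoders or should not take template parameters at all.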