I'd say String.replace needs to be there:
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
http://www.thespanner.co.uk/2010/09/27/string-replace-javascript-bad-design/
Also the fact that no built-in HTML encode/decode exists.
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
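An added example, not part of the original message: the message does not say which behaviours it means, so this sketch shows two documented `String.prototype.replace` behaviours that affect sanitizing code, plus a hand-written HTML encoder of the kind the language does not provide. All function names and sample strings are constructed for illustration.

```javascript
// Added example; names and inputs are constructed, not from the message.

// 1. With a *string* pattern, replace() changes only the first match,
//    so a one-call "sanitizer" leaves every later occurrence in place.
function encodeFirstOnly(input) {
  return input.replace("<", "&lt;");
}

// 2. With a *string* replacement, replace() expands "$&", "$`" and "$'".
//    A value containing those sequences pulls in text the caller never passed.
function fillTemplateNaive(template, value) {
  return template.replace("{{name}}", value);
}

// Hardened form: a global regex covers every match, and a function
// replacer's return value is inserted literally (no "$" expansion).
function fillTemplateSafe(template, value) {
  return template.replace(/\{\{name\}\}/g, () => value);
}

// Hand-written HTML encoder for text and quoted-attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function encodeHtml(text) {
  // Global character class plus function replacer avoids both pitfalls above.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample inputs.
console.log(encodeFirstOnly("<b><i>"));                     // second "<" survives
console.log(fillTemplateNaive("Hello {{name}}!", "$`"));    // prefix is duplicated
console.log(fillTemplateSafe("Hello {{name}}!", "$`"));     // value kept literal
console.log(encodeHtml('<a href="x">Tom & Jerry\'s</a>'));
```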

