Yes, tripped me up a few times. Then I remember to use a regular expression with a /g flag as the first argument. I wouldn’t consider it a major pitfall, but it is definitely a pitfall.
On Dec 30, 2012, at 23:06, gaz Heyes <[email protected]> wrote:

> I'd say String.replace needs to be there:
> http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
> http://www.thespanner.co.uk/2010/09/27/string-replace-javascript-bad-design/
>
> Also the fact that no built in html encode/decode exists.

--
Dr. Axel Rauschmayer
[email protected]
home: rauschma.de
twitter: twitter.com/rauschma
blog: 2ality.com
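The pitfall discussed in this message, shown as an added example that is not part of the original e-mail: an HTML escaper built on string patterns encodes only the first occurrence of each character, while the regular-expression form with the /g flag encodes all of them. The function names and the sample input are constructed for illustration.

```javascript
// Added example, not code from the thread. All names and inputs are constructed.

// Pitfall: with a string as the first argument, String.prototype.replace
// substitutes only the FIRST occurrence and leaves the rest untouched.
function escapeFirstOnly(s) {
  return s
    .replace("&", "&amp;")
    .replace("<", "&lt;")
    .replace(">", "&gt;")
    .replace('"', "&quot;")
    .replace("'", "&#39;");
}

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Fix: a regular expression with the /g flag visits every match. A function
// replacer returns its result literally, so no "$"-style replacement patterns
// are interpreted, and "&" is handled in the same single pass.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Review helper: lists markup-significant characters still present after
// escaping. "&" is excluded because it legitimately starts every entity.
function unescapedMarkup(s) {
  return s.match(/[<>"']/g) || [];
}

// Constructed sample input containing more than one of each character.
const sample = '<b>bold</b><img src="x">';

const weak = escapeFirstOnly(sample);
const strong = escapeHtml(sample);

console.log(weak, unescapedMarkup(weak));
console.log(strong, unescapedMarkup(strong));
```
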

