Comment #15 on issue 2217 by [email protected]: HTML extensions to String.prototype shouldn’t escape ', < and > in argument values; only "
http://code.google.com/p/v8/issues/detail?id=2217
Even if you can't protect against everything, it seems foolhardy to output potentially dangerous punctuation when there is an equivalent form that can't be misinterpreted in the face of trivial manipulations.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
