On 10/10/13 10:15 AM, Glenn Maynard wrote:
> When I'm doing this I just make sure that the strings don't need
> escaping in the first place.  Many of these look like they do that
> (probably most "ID" cases are things like random numbers or alphanumerics).

Let's take a look at Simon's examples from actual web pages:

  .querySelectorAll("#"+M+" "+m)
  .querySelectorAll('.'+classes[i])

If M is a random number, it needs escaping. Similarly if classes[i] is a random number. In particular, ID and class selectors cannot start with a digit.

> FWIW, I rarely use IDs at all: I use classes, even if there will
> probably only be one of something.

Classes have the same syntax as IDs in CSS (both are identifiers), so it's the same issue.

-Boris
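
An added example, not part of the original message: a sketch of identifier escaping for the `"#"+M` and `'.'+classes[i]` patterns quoted above, following the CSSOM "serialize an identifier" rules that `CSS.escape()` implements in browsers. The function names `escapeIdent`, `idSelector` and `classSelector` are hypothetical, and the sample values in the comments are constructed.

```javascript
// Serialize an arbitrary string as a CSS identifier so it can be placed
// after "#" or "." in a selector without changing the selector's meaning.
function escapeIdent(value) {
  const s = String(value);
  // "Escape as code point": backslash, lowercase hex, then one space.
  const asCodePoint = (c) => "\\" + c.toString(16) + " ";
  const isDigit = (c) => c >= 0x30 && c <= 0x39;
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c === 0x0000) {
      out += "\uFFFD";                       // NULL becomes U+FFFD
    } else if ((c >= 0x0001 && c <= 0x001f) || c === 0x007f) {
      out += asCodePoint(c);                 // control characters
    } else if (i === 0 && isDigit(c)) {
      out += asCodePoint(c);                 // leading digit, e.g. "12345"
    } else if (i === 1 && isDigit(c) && s.charCodeAt(0) === 0x2d) {
      out += asCodePoint(c);                 // digit right after a leading "-"
    } else if (i === 0 && c === 0x2d && s.length === 1) {
      out += "\\-";                          // a lone "-"
    } else if (
      c >= 0x80 || c === 0x2d || c === 0x5f || isDigit(c) ||
      (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a)
    ) {
      out += s.charAt(i);                    // safe identifier characters
    } else {
      out += "\\" + s.charAt(i);             // everything else: backslash-escape
    }
  }
  return out;
}

// Build selectors from untrusted or generated names.
function idSelector(id) { return "#" + escapeIdent(id); }
function classSelector(name) { return "." + escapeIdent(name); }

// Constructed inputs:
//   idSelector("12345")       is  #\31 2345
//   classSelector("x, body *") is  .x\,\ body\ \*
```

Without the escaping, a numeric ID makes `querySelectorAll` throw a syntax error, and a value containing selector syntax such as `,` or a space matches elements the caller did not intend.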
