--- Comment #1 from Prateek Saxena <> ---
Instances of `.html()` - 

1. In the `createBox` method I do something like:

    $el.html( $el.html() );

It's to refresh the DOM and display the SVG elements (see comments in the
method) that were added in the `createThumbnail` method. The elements created
there follow [1] and thus are escaped.

2. To create the SVG element that masks the popup to create the triangle I do:

    $svg.html( '<svg width="0" height="0">...</svg>' );

Making this through jQuery methods was becoming too verbose. This is a plain string
with no concatenation from anywhere so I guess it's safe.

3. There is an i18n string if the page redirects, it needs to read like
"redirects to OtherPage". As in certain languages it could be "OtherPage…" and
not "…OtherPage", Mark suggested that I add a $1 to it [2]. As I need those
elements to be styled a certain way, the i18n strings will end up having an
<h3> and thus my code looks something like this

    $( '<div>' ).html( mw.message( 'popups-redirects', redirects[ 0 ].to ).text() );

I am not sure if this is safe.


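The concern in item 3, as an added example that is not part of the original comment or the Popups code: a standalone Node.js model of `$1` substitution, showing what reaches `.html()` when the parameter is inserted verbatim versus escaped first. The template text, the helper names and the sample redirect target are constructed assumptions; no `mw` or jQuery APIs are used.

```javascript
// Constructed stand-in for the 'popups-redirects' message; the real message
// text is not shown in the comment. Markup in the template itself is kept.
const TEMPLATE = 'redirects to <h3>$1</h3>';

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;'
  }[ch]));
}

// Replace $1, $2, ... with params, passing each one through `encode` first.
// Placeholders without a matching parameter are left as they are.
function substitute(template, params, encode) {
  return template.replace(/\$(\d+)/g, (match, n) => {
    const index = Number(n) - 1;
    return index < params.length ? encode(params[index]) : match;
  });
}

// Models plain-text substitution: the parameter goes in verbatim.
function renderRaw(template, params) {
  return substitute(template, params, String);
}

// Escapes each parameter so that only the template can supply markup.
function renderEscapedParams(template, params) {
  return substitute(template, params, escapeHtml);
}

// True if the rendered string contains element tags outside the allowed list.
function hasUnexpectedTags(html, allowed) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !allowed.includes(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed redirect target containing markup characters.
const target = 'Other<img src=x>Page & "more"';
console.log(renderRaw(TEMPLATE, [target]));
console.log(renderEscapedParams(TEMPLATE, [target]));
```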