On Mon, Jan 16, 2012 at 7:22 PM, Jeroen De Dauw <jeroendedauw(a)gmail.com> wrote:
> Do we trust that messages do not have evil (XSS) stuff in them? The reason
> why I ask is that I was just using .msg from mediawiki.jqueryMsg, and
> realized that things in the message do not get escaped. Since the function
> can take in HTML elements, this seems to be pretty inherent.

jQueryMsg doesn't really do this very well just yet, that's an issue