Tei wrote:
People on the internet suggest something like $("<div/>").text( "<script>alert('lets do evil!')</script>" ).html();
Please don't use that. We have mw.html.escape(), which does the task fine.
As Neil already pointed out, there are two concerns:
1 - security of original message string
Not a JS problem, I'd say. When there are unsafe messages, the whole site has a problem.
2 - security of parameters you add to messages
Just mw.html.escape them. And if someone should really need to add DOM parameters, we may accept DOM nodes/jQuery objects. And we won't have to escape them, because when there are already malicious elements in the page, the problem is not in mw.message.
So not taking html strings as parameters is the easiest, best and imho only solution.
Bergi
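The parameter rule Bergi describes, as an added example that is not part of the thread or of MediaWiki's code: string parameters are always escaped, while a pre-built node is passed through untouched. `htmlEscape` is a stand-alone stand-in modelled on mw.html.escape() (it escapes the same five characters), and `RawNode` is a hypothetical marker standing in for a DOM node or jQuery object.

```javascript
// Added example: minimal message formatter that escapes string parameters
// and passes pre-built nodes through. htmlEscape is modelled on
// mw.html.escape(); RawNode is a hypothetical stand-in for a DOM node.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape the five characters that can break out of text or attribute context.
// (The $("<div/>").text(s).html() trick only covers &, < and >, not quotes.)
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Marker for a parameter the caller already built as a node, not as a string.
class RawNode {
  constructor(html) { this.html = html; }
}

// Substitute $1, $2, ... in a trusted message template. Strings are always
// escaped; RawNode parameters are inserted as-is, since they were built with
// DOM APIs rather than string concatenation. Unknown indices stay untouched.
function formatMessage(template, params) {
  return template.replace(/\$(\d+)/g, (match, n) => {
    const p = params[Number(n) - 1];
    if (p === undefined) return match;
    return p instanceof RawNode ? p.html : htmlEscape(p);
  });
}

// Constructed sample input: a user-controlled value carrying a script tag.
const hostile = "<script>alert('lets do evil!')</script>";

console.log(formatMessage('Welcome, $1! You have $2 new messages.', [hostile, 3]));
console.log(formatMessage('Go to $1 now.', [new RawNode('<a href="/wiki/Main_Page">Main Page</a>')]));
```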