This method is used to dynamically insert HTML into the UI. Unfortunately, it is easily abused because it parses its argument as markup, so input containing <SCRIPT> tags is rendered and executed rather than displayed as text.
There are about 150 instances of the .html() method in our UI. It turns out that the vast majority of those uses are for plain text; in those cases the .text() method provides a safe replacement for .html(). For the instances where real HTML is needed, it is safer to use a sequence of calls to createElement(), appendChild(), and setAttribute() to construct the new element and insert it into the DOM, so that untrusted values end up as text nodes and attribute values rather than being parsed as markup.
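The two approaches side by side, as an added example that is not part of the original writeup: `unsafeMarkup` builds the kind of string that gets handed to `.html()`, and `safeLink` is the createElement/setAttribute/textContent replacement described above. The `FakeElement` stub, the `doc` object, and the sample name and URL are assumptions so that the code runs outside a browser.

```javascript
// Minimal stand-in for the browser DOM so the example runs under Node. It is a
// constructed stub, not a real DOM, but it serializes the way a browser would:
// text nodes and attribute values are escaped, child elements are not.
const escapeText = s => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = s => escapeText(s).replace(/"/g, '&quot;');

class FakeElement {
  constructor(tagName) { this.tagName = tagName; this.attrs = {}; this.children = []; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  appendChild(child) { this.children.push(child); return child; }
  set textContent(s) { this.children = [String(s)]; }   // replaces children with one text node
  get outerHTML() {
    const attrs = Object.entries(this.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
    const inner = this.children.map(c => (typeof c === 'string' ? escapeText(c) : c.outerHTML)).join('');
    return `<${this.tagName}${attrs}>${inner}</${this.tagName}>`;
  }
}
const doc = { createElement: tag => new FakeElement(tag) };   // assumed stand-in for `document`

// The pattern being replaced: the string is concatenated from untrusted input and
// handed to .html(), which parses it as markup, so the <script> in `name` runs.
function unsafeMarkup(name, url) {
  return `<a href="${url}">${name}</a>`;
}

// The recommended replacement: build the element with DOM calls. The untrusted
// name becomes a text node and the URL becomes an attribute value, so neither
// is ever parsed as markup. (setAttribute stores the value verbatim; attributes
// that carry URLs or scripts still need their own validation.)
function safeLink(document, container, name, url) {
  const a = document.createElement('a');
  a.setAttribute('href', url);
  a.textContent = name;
  container.appendChild(a);
  return container;
}

// Constructed sample input: a display name that contains a script tag.
const evilName = '<script>alert(1)</script>';
const profileUrl = 'https://example.com/profile?user=bob';

console.log(unsafeMarkup(evilName, profileUrl));   // contains a live <script> element
console.log(safeLink(doc, doc.createElement('div'), evilName, profileUrl).outerHTML);
// <div><a href="https://example.com/profile?user=bob">&lt;script&gt;alert(1)&lt;/script&gt;</a></div>
```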