Can you open a bug on this?
On Apr 17, 2014, at 1:06 AM, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

> This property is used to dynamically insert HTML into the UI. Unfortunately,
> it is easily abused because it accepts input such as <SCRIPT> tags.
>
> There are about 150 instances of the .html() method in our UI. It turns out
> that the vast majority of the uses are for text; in those cases the
> .text() method provides a safe replacement for .html().
>
> For those instances where HTML is needed it is safer to use a sequence of
> calls to createElement(), appendChild(), and setAttribute() to construct and
> insert the new element into the DOM.
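
The two replacements described in the quoted message, as an added example that is not part of the original thread or the project's code. The function names are hypothetical, `doc` stands for the page's `document`, and the http/https scheme check is an assumption added here because setAttribute() does not vet attribute values.

```javascript
// Added example: building UI fragments without .html().
// `doc` is the browser's `document`, passed in so the functions can also be
// exercised outside a browser. All function names here are hypothetical.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Text-only case (the majority of uses): the value becomes a text node, so
// any markup in it is displayed literally and never parsed as HTML.
// With jQuery the equivalent is $(element).text(value).
function appendText(doc, parent, untrusted) {
  parent.appendChild(doc.createTextNode(String(untrusted)));
  return parent;
}

// Markup case: the element and attribute names are fixed by the code; only
// the values come from data. Returns the new <a> element, or null when the
// URL is rejected and the label was inserted as plain text instead.
function appendLink(doc, parent, label, href) {
  let url;
  try {
    url = new URL(String(href)); // absolute URLs only; relative ones throw
  } catch (e) {
    url = null;
  }
  if (url === null || !SAFE_SCHEMES.has(url.protocol)) {
    // An href such as "javascript:..." would still execute on click, so the
    // link is dropped and only the label is shown.
    appendText(doc, parent, label);
    return null;
  }
  const a = doc.createElement("a");
  a.setAttribute("href", url.href);
  a.setAttribute("rel", "noopener noreferrer");
  appendText(doc, a, label);
  parent.appendChild(a);
  return a;
}
```

In a browser these are called as appendText(document, container, value) and appendLink(document, container, label, href).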