Brian, didn't you fix most of these already?

-- 
Stephen Turner


-----Original Message-----
From: Demetrius Tsitrelis [mailto:demetrius.tsitre...@citrix.com] 
Sent: 17 April 2014 00:07
To: dev@cloudstack.apache.org
Subject: Best practice: Do not use innerHtml() property or its equivalent jQuery .html() method

This property is used to dynamically insert HTML into the UI.  Unfortunately, 
it is easily abused because it accepts input such as <SCRIPT> tags.

There are about 150 instances of the .html() method in our UI.  It turns out 
that the vast majority of the uses are for text; in those cases the .text() 
method provides a safe replacement for .html().

For those instances where HTML is needed it is safer to use a sequence of calls 
to createElement(), appendChild(), and setAttribute() to construct and insert 
the new element into the DOM.

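The contrast the message describes, as an added example that is not part of the original thread or of CloudStack's UI code: a small stand-in for the DOM subset named above (createElement, appendChild, setAttribute, textContent, innerHTML; an assumption so the example runs under Node without a browser) with the concatenate-and-.html() pattern beside the structured construction, fed the same constructed input.

```javascript
// Minimal stand-in for the DOM calls the email recommends. Browsers provide
// these natively; this shim exists only so the example runs outside a browser.
class Element {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.raw = null; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  appendChild(child) { this.children.push(child); return child; }
  // textContent becomes a text node: it is stored, never parsed as markup.
  set textContent(s) { this.children = [{ text: String(s) }]; }
  // Equivalent of jQuery .html(markup): the string is taken as markup as-is.
  set innerHTML(markup) { this.raw = String(markup); this.children = []; }
  get outerHTML() {
    const attrs = Object.entries(this.attrs)
      .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
    const body = this.raw !== null ? this.raw
      : this.children.map(c => c instanceof Element ? c.outerHTML : escapeHtml(c.text)).join('');
    return `<${this.tag}${attrs}>${body}</${this.tag}>`;
  }
}
const document = { createElement: (tag) => new Element(tag) };

// Text nodes and attribute values are serialized escaped, mirroring how a
// browser never re-interprets textContent or setAttribute() values as tags.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Pattern 1 (the one the email warns about): splice untrusted input into a
// markup string and hand it to .html()/innerHTML. Any tags in the input run.
function renderWithHtml(container, displayName) {
  container.innerHTML = '<span class="name">' + displayName + '</span>';
  return container.outerHTML;
}

// Pattern 2 (the recommended replacement): build the element with DOM calls;
// the untrusted value only ever becomes a text node (jQuery .text() does the same).
function renderWithDom(container, displayName) {
  const span = document.createElement('span');
  span.setAttribute('class', 'name');
  span.textContent = displayName;
  container.appendChild(span);
  return container.outerHTML;
}

// Constructed sample input: a user-chosen name that happens to contain markup.
const HOSTILE_NAME = '<script>alert(1)</script>';
```

Run both renderers on HOSTILE_NAME: the first serializes a live script tag, the second serializes only escaped text.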