Changing to text() should avoid this XSS behavior. Another thing to avoid is any HTML tag.
I don't know if this will cause problems with WYSIWYG editors working together with your plugin.

On Thu, Nov 20, 2008 at 15:20, Rik Lomas <[EMAIL PROTECTED]> wrote:
>
> Thanks Leonardo
>
> On a different forum, it was mentioned that a user could XSS by
> entering <script type="text/javascript">alert('hello');</script> into
> a field. Should I set the default to text() instead of html() to get
> around this or should I try and filter out any script tags?
>
> Rik
>
>
> 2008/11/20 Leonardo K <[EMAIL PROTECTED]>:
> > Interesting idea. Great plugin
> >
> > On Thu, Nov 20, 2008 at 08:29, <[EMAIL PROTECTED]> wrote:
> >>
> >> Hi guys,
> >>
> >> I've just finished my new plug-in called magicpreview:
> >>
> >> http://rikrikrik.com/jquery/magicpreview/
> >>
> >> It's for use in forms and it automagically updates selected elements
> >> on your page based on your form fields. Perfect for letting your users
> >> see what they're doing when filling in forms. There's a couple of
> >> demos on my site too.
> >>
> >> I'd love to hear your feedback and comments on my plug-in.
> >>
> >> Thanks,
> >> Rik
> >
> >
>
>
> --
> Rik Lomas
> http://rikrikrik.com
>
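The html() versus text() question in this thread, as an added example that is not part of the thread or of the magicpreview plugin: a small Node-runnable model of what the preview element ends up containing under each mode, using the payload quoted above and a constructed WYSIWYG-style value. It assumes no jQuery or DOM; `escapeHtml` reproduces the entity substitution a browser applies when it serializes a text node, which is what text() effectively gives you.

```javascript
// Added example: model of a live form preview written with jQuery's
// html(value) versus text(value). No DOM or jQuery is used, so this runs
// under Node; the escaping below matches how a browser serializes text nodes.

// Entity-escape a string so that it renders as literal characters, never as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns the preview element's innerHTML after the update.
//   mode "html": the value is parsed as markup (what .html(value) does),
//                so a <script> or any other tag in the field is live.
//   mode "text": the value becomes a single text node (what .text(value) does),
//                so tags are displayed as characters and never executed.
function renderPreview(fieldValue, mode) {
  if (mode === "html") return fieldValue;
  if (mode === "text") return escapeHtml(fieldValue);
  throw new Error("unknown mode: " + mode);
}

// Detection check: does the rendered preview still contain any live tag?
function containsMarkup(rendered) {
  return /<[a-zA-Z!/]/.test(rendered);
}

// Constructed sample inputs: the payload quoted in the thread, and the kind
// of value a WYSIWYG editor hands over (markup the user actually intended).
const XSS_INPUT = "<script type=\"text/javascript\">alert('hello');</script>";
const WYSIWYG_INPUT = "<b>bold</b> text";

// Side-by-side run: html() leaves both inputs as live markup, text() makes
// both inert. The trade-off Leonardo raises is visible on the second input:
// in text mode a WYSIWYG field's intended <b> tag is shown literally.
function demo() {
  const rows = [];
  for (const input of [XSS_INPUT, WYSIWYG_INPUT]) {
    for (const mode of ["html", "text"]) {
      const out = renderPreview(input, mode);
      rows.push({ mode, live: containsMarkup(out), out });
      console.log(mode.padEnd(4), rows[rows.length - 1].live ? "LIVE MARKUP" : "inert text ", "=>", out);
    }
  }
  return rows;
}

demo();
```

A preview that must render WYSIWYG output as HTML needs a real HTML sanitizer rather than a script-tag filter; stripping `<script>` alone is a denylist and leaves every other tag and attribute live.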