Board Thread:Code Review/@comment-24728531-20151119154617/@comment-24473195-20151230122858

Kopcap94 wrote: You can't set something like 'onclick', 'onload', 'onsomething' via .attr. That's why I've used this instead of $(' ').append('');

Moreover, getting data via .val will give me a string that can't do anything bad. BUT .attr can be dangerous if we're using it for 'href'. So I've solved this problem via mw.config.get('wgServer') + '/wiki/' + MedalSettings.module_info. See:

 * http://security.stackexchange.com/questions/52447/is-jquery-val-enough-to-prevent-xss
 * https://coderwall.com/p/h5lqla/safe-vs-unsafe-jquery-methods

Well, that's true for the input but not the output. Basically you validate the input and escape the output. From a brief look at your script, it seems that attr and prop are being used to escape. But they are all over the place; it might make more sense to use a function for that purpose, especially considering that you're extracting text from an external source, and one small overlooked mistake may allow an exploit.

You might consider using this library for those purposes.
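As an added illustration of the "one escaping function" suggestion (this is example code, not Kopcap94's script or any library from the thread), the helpers below centralise output escaping and build the wgServer + '/wiki/' + title href in one validated place. The function names and the example.org server value are assumptions.

```javascript
// Added example, not code from the thread. One central place to escape output
// and to build the wiki href the comment describes (wgServer + '/wiki/' + title).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text for insertion into HTML (element content or a quoted attribute).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build an absolute wiki URL. The server part must parse as an http(s) URL and
// only its origin is kept; the title is percent-encoded, so neither part can
// smuggle a 'javascript:' scheme or extra path/query segments into the href.
function buildWikiHref(server, title) {
  let parsed;
  try {
    parsed = new URL(server);
  } catch (e) {
    throw new Error('wgServer is not a valid URL');
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    throw new Error('wgServer must be http(s)');
  }
  // Keep ':' and '/' readable in MediaWiki titles; encode everything else.
  const encoded = encodeURIComponent(String(title))
    .replace(/%3A/gi, ':')
    .replace(/%2F/gi, '/');
  return parsed.origin + '/wiki/' + encoded;
}

// Render a link from untrusted title and link text, escaping once here rather
// than at every call site that touches the external data.
function renderWikiLink(server, title, text) {
  const href = buildWikiHref(server, title);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}
```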