Document escaping HTML, side-effects of scripts injected via .html()

[addyosmani]

From Dave:

The pages for APIs like .html() don't mention this problem, in fact we don't even mention that scripts injected via .html() are executed so I'm adding a needsdocs here. (Of course, just about any API that accepts HTML strings does this but it might surprise some devs.)

More info on this thread: http://bugs.jquery.com/ticket/11773

[kswedberg]

Also applies to append, appendTo, prepend, prependTo, after, insertAfter, before, insertBefore, etc.

[dmethvin]

How about this as a new reusable note that we put in all of those entries:

By design, any jQuery constructor or method that accepts an HTML string (jQuery(), .append(), .after(), etc.) can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code, e.g., img onload. Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding it to the document.

Linking, formatting to be done.

[kswedberg]

Looks great, @dmethvin! I'm adding the note now