fixup! Cope with test names containing angle brackets

webodf · Sep 18, 2014 · 416e0e5 · 416e0e5
1 parent ccfc93a
commit 416e0e5
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/webodf/lib/core/UnitTester.js b/webodf/lib/core/UnitTester.js
@@ -568,6 +568,11 @@ core.UnitTester = function UnitTester() {
      * @return {!string}
      **/
     function link(text, code) {
+        // NASTY HACK, DO NOT RE-USE. String concatenation with uncontrolled user input is a bad idea for building DOM
+        // fragments everyone. If you feel tempted to extract the HTML escape thing from here, please force yourself to
+        // visit http://shebang.brandonmintern.com/foolproof-html-escaping-in-javascript/ first, and learn a better
+        // approach to take.
+
         return "<span style='color:blue;cursor:pointer' onclick='" + code + "'>"
             + text.replace(/</g, "&lt;") + "</span>";
     }