Yeah, I'm having a hard time seeing this as having an XSS vulnerability in and o... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		d23 on March 1, 2015 \| parent \| context \| favorite \| on: Timesheet.js Yeah, I'm having a hard time seeing this as having an XSS vulnerability in and of itself. If you're not escaping user input onto the page, it doesn't matter if some library is taking that data and wrapping it in a span. You're done far before you add a third-party javascript library.

iso8859-1 on March 2, 2015 [–]

When I call that library, I shouldn't have to worry about the fact that it uses HTML. It is a leaky abstraction since a field that is, intuitively, supposed to be text for the label, is actually just treated as HTML for plain insertion into the page.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact